Imagine waking up tomorrow morning only to discover that your employer’s brand is all over the news for the wrong reasons. Qualcomm employees experienced that last week. Over 900 million Android devices containing a Qualcomm processor were shown to have four known security vulnerabilities, and these alarming security issues are not going to be easy to eliminate according to the press [1]. Not exactly the news a semiconductor executive wants to read with their morning cup of coffee.
News of security vulnerabilities are especially devastating when processor groups work painstakingly hard for several years to build the fastest, lowest-power, and best possible processor ever created and now have to deal with vulnerability management in order to protect such vulnerabilities in a new system or processor. And now it’s all gone in an instant that could have been easily avoided IF the processor group had only realized design-for-security (DFS) is now even more important than designing for performance, low-power, and time-to-market. A processor with security vulnerabilities has no place in the market. It’s an extremely difficult lesson to learn, so take action before it gets worse.
Hardware and Software Silos Need to Come Down
For years EDA vendors have explained why IC design teams need to work closely with their SW development teams. Their main argument is that cooperation between the two teams would enable faster and more thorough functional verification. In this instance, the combined effort of both engineering groups allows for bugs to be caught earlier in the design cycle thanks to a HW/SW co-design process. Shift left, virtual prototyping, emulation, high-level synthesis – the EDA vendors have a long list of things to assist you except for the one thing you really need now, and that is a DFS solution.
These recent Qualcomm vulnerabilities, although primarily kernel driver related, are a great example of the type of security issues that can arise for semiconductor companies. In many cases, the interaction between firmware with silicon hardware can introduce unforeseen security vulnerabilities. Many basic security properties will of course be “baked into” the IC design. For example, certain strict properties for system-on-chip (SoC) access control might be built directly into the chip itself beneath the software.
However, due to the flexibility of a software patch, many security-centric mechanisms are controlled by software but executed in hardware. For example, a key may be stored in non-volatile memory and upon system boot, the software is in charge of moving that key from storage into the encryption engine. The information is still migrating its way through the hardware but is being controlled by software. Thus, security vulnerabilities can appear when software and hardware are coupled together, but are imperceptible when either is analyzed separately.
The Solution
Tortuga Logic has recognized the difficulty in addressing silicon security in this type of environment. Its technologies can be used to analyze the interaction of the hardware and firmware to ensure for example that keys are properly managed, access control rules are correctly configured, and memory isolation rules are maintained.
Security verification of HW/SW interaction is necessary to avoid successful attacks [2].
Tortuga Logic provides both services and software solutions that address security vulnerabilities during hardware and software interaction. For example, Tortuga’s proprietary Sentinel™ security language provides an intuitive and efficient way to create a library of security properties, which then can be used in conjunction with Tortuga Logic’s security verification software to verify that the interaction between hardware and firmware does not introduce new, unforeseen security vulnerabilities. Tortuga Logic’s software does so by creating a Security Model Design and loading it, along with the firmware, into industry-standard simulation platforms. During firmware execution, Tortuga Logic’s technology can discover any failing security properties. Tortuga Logic also offers Hardware Security Assessments (HSA) services, where Tortuga utilizes their expansive Sentinel™ property libraries and their design expertise to verify silicon security properties on a client’s mixed hardware/firmware design.
Summary
It is an inconvenient reality. Software and hardware that are verified individually for security may exhibit vulnerabilities when the software and hardware execute together. Design-for-security processes are now available to allow design teams to verify the interactions between hardware and software. Tortuga Logic also provides a Hardware Security Assessment service to assist your design teams in quickly integrating the tools, IP, and processes. Adding a DFS process to your RTL design flow to address HW/SW interactions is the only way to ensure your processor won’t be mentioned in the press headlines tomorrow.
About Jason Oberg
Dr. Oberg is one of the co-founders and Chief Executive Officer of Tortuga Logic. He oversees technology and strategic positioning of the company. He is the founding technologist of the company and has brought years of intellectual property into the company that he successfully transferred out of the University of California. Dr. Oberg is leading the company to meet all milestones including raising capital, tripling the team size, putting together strategic partnerships, and generating revenue on all products and services. Dr. Oberg has a B.S. degree in Computer Engineering from the University of California, Santa Barbara and M.S. and Ph.D. degrees in Computer Science from the University of California, San Diego.
References
1. Wired Magazine: “Vulnerability Exposes 900M Android Devices—and Fixing Them Won’t Be Easy” (https://www.wired.com/2016/08/quadroot-android-vulnerability-qualcomm/)
2. Chip image provided by https://diephotos.blogspot.com/