Swarup Bhunia · Sandip Ray · Susmita Sur-Kolay
Editors

Fundamentals of IP and SoC Security
Design, Verification, and Debug

Swarup Bhunia
Department of Electrical and Computer Engineering
University of Florida
Gainesville, FL
USA

Susmita Sur-Kolay
Advanced Computing and Microelectronics Unit
Indian Statistical Institute
Kolkata
India

Sandip Ray
NXP Semiconductors
Austin, TX
USA

ISBN 978-3-319-50055-3
ISBN 978-3-319-50057-7 (eBook)
DOI 10.1007/978-3-319-50057-7
Library of Congress Control Number: 2016958715

© Springer International Publishing AG 2017

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper

This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Contents

1 The Landscape of SoC and IP Security
  Sandip Ray, Susmita Sur-Kolay and Swarup Bhunia
2 Security Validation in Modern SoC Designs
  Sandip Ray, Swarup Bhunia and Prabhat Mishra
3 SoC Security and Debug
  Wen Chen, Jayanta Bhadra and Li-C. Wang
4 IP Trust: The Problem and Design/Validation-Based Solution
  Raj Gautam Dutta, Xiaolong Guo and Yier Jin
5 Security of Crypto IP Core: Issues and Countermeasures
  Debapriya Basu Roy and Debdeep Mukhopadhyay
6 PUF-Based Authentication
  Jim Plusquellic
7 FPGA-Based IP and SoC Security
  Debasri Saha and Susmita Sur-Kolay
8 Physical Unclonable Functions and Intellectual Property Protection Techniques
  Ramesh Karri, Ozgur Sinanoglu and Jeyavijayan Rajendran
9 A Systematic Approach to Fault Attack Resistant Design
  Nahid Farhady Galathy, Bilgiday Yuce and Patrick Schaumont
10 Hardware Trojan Attacks and Countermeasures
  Hassan Salmani
11 In-place Logic Obfuscation for Emerging Nonvolatile FPGAs
  Yi-Chung Chen, Yandan Wang, Wei Zhang, Yiran Chen and Hai (Helen) Li
12 Security Standards for Embedded Devices and Systems
  Venkateswar Kowkutla and Srivaths Ravi
13 SoC Security: Summary and Future Directions
  Swarup Bhunia, Sandip Ray and Susmita Sur-Kolay

Chapter 1
The Landscape of SoC and IP Security

Sandip Ray, Susmita Sur-Kolay and Swarup Bhunia

S. Ray (✉)
Strategic CAD Labs, Intel Corporation, Hillsboro, OR 97124, USA

S. Sur-Kolay
Advanced Computing and Microelectronics Unit, Indian Statistical Institute, Kolkata 700108, India

S. Bhunia
Department of ECE, University of Florida, Gainesville, FL 32611, USA

© Springer International Publishing AG 2017
S. Bhunia et al. (eds.), Fundamentals of IP and SoC Security, DOI 10.1007/978-3-319-50057-7_1

1.1 Introduction

It has been almost a decade since the number of smart, connected computing devices exceeded the human population, ushering in the regime of the Internet of things [1]. Today, we live in an environment containing tens of billions of computing devices of wide variety and form factors, performing a range of applications often including some of our most private and intimate data. These devices include smartphones, tablets, consumer items (e.g., refrigerators, light bulbs, and thermostats), wearables, etc. The trend is for this proliferation to increase exponentially in the coming decades, with estimates going to trillions of devices as early as 2030, signifying the fastest growth by a large measure across any industrial sector in the history of human civilization.

Security and trustworthiness of computing systems constitute a critical and gating factor to the realization of this new regime. With computing devices being employed for a large number of highly personalized activities (e.g., shopping, banking, fitness tracking, providing driving directions, etc.), these devices have access to a large amount of sensitive, personal information which must be protected from unauthorized or malicious access. On the other hand, communication of this information to other peer devices, gateways, and datacenters is in fact crucial to providing the kind of adaptive, “smart” behavior that the user expects from the device. For example,
a smart fitness tracker must detect from its sensory data (e.g., pulse rate, location, speed, etc.) the kind of activity being performed, the terrain on which the activity is performed, and even the motivation for the activity in order to provide anticipated feedback and response to the user; this requires a high degree of data processing and analysis, much of which is performed by datacenters or even gateways with higher computing power than the tracker device itself. The communication and processing of one’s intimate personal information by the network and the cloud creates the risk that it may be compromised by some malicious agent along the way. In addition to personalized information, computing devices contain highly confidential collateral from architecture, design, and manufacturing, such as cryptographic and digital rights management (DRM) keys, programmable fuses, on-chip debug instrumentation, defeature bits, etc. Malicious or unauthorized access to secure assets in a computing device can result in identity theft, leakage of company trade secrets, even loss of human life. Consequently, a crucial component of a modern computing system architecture includes authentication mechanisms to protect these assets.

1.2 SoC Design Supply Chain and Security Assets

Most computing systems are developed today using the system-on-chip (SoC) design architecture. An SoC design is architected by a composition of a number of pre-designed hardware and software blocks, often referred to as design intellectual properties or design IPs (IPs for short). Figure 1.1 shows a simple toy SoC design, including some “obvious” IPs, e.g., CPU, memory controller, DRAM, various controllers for peripherals, etc. In general, an IP can refer to any design unit that can be viewed as a standalone sub-component of a complete system.
An SoC design architecture then entails connecting these IPs together to implement the overall system functionality. To achieve this connection among IPs, an SoC design includes a network-on-chip (NoC) that provides a standardized message infrastructure for the IPs to coordinate and cooperate to define the complete system functionality. In industrial practice today, an SoC design is realized by procuring many third-party IPs. These IPs are then integrated and connected by the SoC design integration house, which is responsible for the final system design. The design includes both hardware components (written in a hardware description language such as Verilog or VHDL) as well as software and firmware components. The hardware design is sent to a foundry or fabrication house to create the silicon implementation. The fabricated design is transferred to platform developers or Original Equipment Manufacturers (OEMs), who create computing platforms such as a smartphone, tablet, or wearable devices, which are shipped to the end customer.

Fig. 1.1 A representative SoC design. SoC designs are created by putting together intellectual property (IP) blocks of well-defined functionality

The description above already points to a key aspect of complexity in SoC design fabrication, e.g., a complex supply chain and stakeholders. This includes various IP providers, the SoC integration house, foundry, and the OEMs. Furthermore, with increasing globalization, this supply chain is typically long and globally distributed. Chapter 2 discusses some ramifications of this infrastructure, e.g., the possibility of any component of the supply chain incorporating malicious or inadvertent vulnerability into the design or the manufacturing process.
Malicious activities can include insertion of specific design alterations or Trojans by IP providers, leaking of a security asset by the SoC integration house, overproduction or counterfeiting by a malicious foundry, and even overlooked or apparently benign design errors or features that can be exploited in the field. Security architectures and assurance techniques and methodologies must be robust enough to address challenges arising from this plethora of sources at different points of the system design life cycle.

1.3 The Challenge of Design Complexity

A second dimension of challenges with secure SoC design is its sheer complexity. Modern computing systems are inordinately complex. Note from Fig. 1.1 that the CPU represents “merely” one of a large number of IPs in an SoC design. The CPU in a modern SoC design is arguably more complex than many of the high-performance microprocessors of a decade back. Multiply this complexity increase by the large number of IPs in the system (many of which include custom microcontrollers of commensurate complexity, in addition to custom hardware and firmware), and one gets some sense of the level of complexity. Add some other cross-design features, e.g., power management, performance optimization, multiple voltage islands, clocking logic, etc., and the complexity perhaps goes beyond imagination. The number of different design states that such a system can reach exceeds by a long way the number of atoms in the universe. It is challenging to ensure that such a system ever functions as desired even under normal operating conditions, much less in the presence of millions of adversaries looking to identify vulnerabilities for exploitation.

Why is this complexity a bottleneck for security in particular? For starters, secure assets are sprinkled across the design, in various IPs and their communication infrastructure. It is difficult to envisage all the different conditions under which these assets are accessed and insert appropriate protection and mitigation mechanisms to prevent unauthorized access. Furthermore, security cross-cuts different IPs of the system, in some cases breaking the abstraction of IPs as coherent, distinct blocks of well-defined functionality. Consider an IP communicating with another one through the communication fabric. Several IPs are involved in this process, including the source and destination IPs, the routers involved in the communication, etc. Ensuring the communication is secure would require an understanding of this overall architecture, identifying trusted and untrusted components, analyzing the consequences of a Trojan in one of the constituent blocks leaking information, and much more. To exacerbate the issue, design functionality today is hardly contained entirely in hardware. Most modern SoC design functionality includes significant firmware and software components which are designed concurrently with the hardware (potentially by different players across the supply chain). Consequently, security design and validation become a complex hardware/software co-design and co-validation problem distributed across multiple players with potentially untrusted participants. Finally, the security requirements themselves vary depending on how an IP or even the SoC design is used in a specific product. For example, the same IP when used in a wearable device will have a different security requirement from when it is used in a gaming system. The security requirements also vary depending on the stage of the life cycle of the product, e.g., when it is with a manufacturer, OEM, or end customer. This makes it hard to compositionally design security features without a global view.