Security Assurance in SoC in the Presence of Untrusted Components

Abstract

With the increasing design and validation complexities of an SoC coupled with reduced time-to-market constraints, designers have typically integrated pre-qualified third-party Intellectual Property (IP) cores to achieve necessary design productivity. However, many of these IP blocks are designed at different parts of the world in relatively less trustworthy ecosystem/environment. This enhances the risk of unintentional vulnerabilities, malicious modifications, and/or covert backdoors percolating in with the underlying hardware logic or associated firmware of the corresponding IP cores. These may affect the other SoC components to cause system failures at some key points of execution or leak confidential information back to potential adversaries. The usual directed/random tests aimed mainly towards functional/parametric failures and existing static IP-trust verification techniques are mostly incapable of ensuring adequate security coverage against this threat model. Run-time monitoring for potential undependable/devious behavior is necessary to ensure security of SoC operations in the presence of untrustworthy IP cores. In modern SoC design practices, system-level security policies protect the SoC assets/resources from unauthorized access. Systematic implementation of these policies typically involve smart wrappers extracting local security critical events of interest from IP blocks, together with a central control engine that communicates with the wrappers to analyze the events for policy adherence. In this paper, apart from an in-depth discussion of potential effects of untrustworthy IPs on SoC operation, we propose active, run-time SoC protection against this threat by appropriate fine-grained (in time space) security policies implemented in the abovementioned infrastructure. The policy architecture framework is accordingly enhanced with features based on monitoring IP to IP communication at interfaces, micro-architecture internal event correlation as well as multiple independent sources for security event verification, to provide support for these fine-grained policies. The design of this hardware support across different IP types is discussed in detail in the paper. Finally, using a representative SoC model, we implement these proposed security techniques in the policy architecture framework to verify their efficiency for different untrusted IP use cases. The estimated hardware support overhead is moderate for the available protection.