Security Policy in System-on-Chip Designs by Sandip Ray & Abhishek Basak & Swarup Bhunia
Author: Sandip Ray & Abhishek Basak & Swarup Bhunia
Language: eng
Format: epub
ISBN: 9783319934648
Publisher: Springer International Publishing
4.4.3 Untrustworthy IP Cores
As seen in previous work on static trust verification of designs, untrustworthy IP cores are an extremely challenging problem when it comes to finding a solution that provides high security coverage. We note here that our proposed run-time SoC protection mechanism against potential system-level effects of untrustworthy IPs is complementary to these existing static IP-trust validation techniques, which mostly attempt to detect malicious modifications and/or covert backdoor channels in designs via targeted test vectors or formal analysis. In contrast, the aim of our dynamic protection is to monitor and detect the direct/indirect system (SoC)-level effects of IP-level Trojans (and bugs) at run time and to apply the necessary security controls, according to the requirements of the corresponding fine-grained, IP-trust-aware security policies. Although we do not claim complete coverage of all possible untrustworthy IP core scenarios, the intention is to show the following: just as in an SoC with underlying trusted IP hardware, where security policies defend against threats originating mainly from malicious S/W stacks and the SoC-to-system interface, the SoC designer can also implement policies to detect untrusted, undependable IP actions arising from Trojans in the design and prevent any system-level compromise. At the same time, one can do so in a systematic, methodical fashion with some enhancements to the E-IIPS architecture. Rather than an exact set of rules and regulations, the solution provides guidelines to SoC designers/integrators on an efficient approach to the problem of untrustworthy IPs in an SoC. We note once again our assumption that there is no malicious collusion between IP cores to execute system-level attacks, i.e., we treat each IP as an independent entity from the viewpoint of untrustworthiness.
As mentioned earlier, for such third-party IPs there is no golden RTL implementation or associated model available to the SoC designer as a template; what is available is the high-level IP functional/architecture specification (trusted, as the SoC designer/architect would typically provide it) and the SoC architecture (meaning that an IP’s interface with other SoC components and IPs is known). Even if the architecture is not explicitly specified for the IP by the SoC designer, high-level features such as the number of pipeline stages and their overall functions, the number of cache levels, and the presence or absence of virtual memory for processors, and similar features for other IPs, are mostly available and easy for the SoC design house to validate. The key observation is that one can use only this high-level specification and IP interface-level information, together with generic architecture-level rationale, to verify correlations between specific, abstracted, temporal events across different micro-architecture-level sub-components of an IP, and thereby detect potentially untrustworthy behavior that might affect SoC operations. Typically, in a design such as a trusted IP core, a functionally relevant operation that is meaningful and visible to SoC components external to the IP involves specific correlated events, internal to the IP, occurring temporally across multiple spatial micro-architecture-level IP sub-units; i.e., these sub-units interact with each other in a specific, rational, meaningful manner to perform an activity or operation [70] relevant at the SoC level. The corresponding events are referred to here as “Micro-architecturally Correlated Events” (MCE).
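The MCE idea can be modelled behaviourally as a trace check; the following is an added example, not code from the book or from the E-IIPS architecture. The sub-unit names, event names, per-operation tag and cycle window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    cycle: int   # cycle at which the event was observed
    unit: str    # IP sub-unit that raised it (hypothetical names)
    name: str
    tag: int     # assumed transaction id linking events of one operation

@dataclass(frozen=True)
class McePolicy:
    visible: tuple   # (unit, name) of the SoC-visible operation
    chain: tuple     # ordered internal (unit, name) events that must precede it
    window: int      # max cycles from first chain event to the visible one

def check_trace(trace, policy):
    """Return visible events that lack their correlated internal chain."""
    progress = {}    # tag -> (next expected chain index, cycle of first match)
    violations = []
    for ev in sorted(trace, key=lambda e: e.cycle):
        key = (ev.unit, ev.name)
        idx, start = progress.get(ev.tag, (0, None))
        if key == policy.visible:
            complete = idx == len(policy.chain)
            if not (complete and ev.cycle - start <= policy.window):
                violations.append(ev)   # uncorrelated, out-of-order or stale
            progress.pop(ev.tag, None)
        elif idx < len(policy.chain) and key == policy.chain[idx]:
            progress[ev.tag] = (idx + 1, ev.cycle if idx == 0 else start)
    return violations

# Constructed policy: a bus write must follow a decoded store and an LSU issue.
POLICY = McePolicy(visible=("bus_if", "write"),
                   chain=(("decode", "store"), ("lsu", "issue")), window=16)

# Constructed trace: tag 1 is well-formed, tag 2 has no internal cause,
# tag 3 completes outside the window, tag 4 has its chain out of order.
TRACE = [
    Event(10, "decode", "store", 1), Event(12, "lsu", "issue", 1),
    Event(15, "bus_if", "write", 1),
    Event(20, "bus_if", "write", 2),
    Event(30, "decode", "store", 3), Event(31, "lsu", "issue", 3),
    Event(90, "bus_if", "write", 3),
    Event(40, "lsu", "issue", 4), Event(41, "decode", "store", 4),
    Event(43, "bus_if", "write", 4),
]

if __name__ == "__main__":
    for ev in check_trace(TRACE, POLICY):
        print(f"cycle {ev.cycle}: {ev.unit}.{ev.name} tag={ev.tag} violates MCE policy")
```

The policy needs only interface-level and high-level architectural knowledge of the IP (which sub-units exist and in what order they cooperate), which matches the information the text says an SoC integrator has without a golden RTL model.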