

# Securing Low-latency Hardware Designs

Adam Sherer, Account Technical Executive, Cadence Design Systems STAC Spring 2022 Summits



### Cyber Security: Who Cares?

Aero/Def, auto, medical, industrial, comms, IoT, semi, robotics, ...

### **Financial Technology**





BranchScope attack successfully demonstrated on several Intel CPUs





- Impact: \$460M loss in 45 minutes
- Multiple factors in loss
  - Improperly set flag put system into test mode
  - Improperly configured production env
  - Dead code in production env ("Power Peg")
  - Lack of formal QA process
- Bug could have been a security issue
  - "Power Peg" was essentially a trojan



## **Build To Objective Security Analysis**

More Objective

Property / Rules
Driven Security

- Comprehensive asset analysis via security properties / rules
- System level security scenario verification

Asset-Specific Security

- Formal property analysis guided by rules/SME analysis
- Comprehensive Mitre CWE analysis

Security Aware Verification

• Mitre CWE (ex. 1193 power-on, 1276 connectivity, 1242 undocumented features, 1245 improper state machines)

Comprehensive Verification

- Automated metrics analysis to verification plan
- Safety and rad-hard verification as needed

Essential Verification

- 100% code coverage w/ dead code and waiver analysis
- Comprehensive lint analysis including coding weakness

Security starts with a foundation of comprehensive verification

More Subjective



Functional Verification



### Using Lint Checks to Reduce Potential Attack Surfaces

- Coding style can leave a design exposed
  - Ex: side-channel exploit could be forcing data input that causes a register overflow resulting in a denial of service
  - Ex: trojan hiding in statemachine
- Examples coding issues
  - Undefined states in explicit and implicit statemachines
  - Incomplete if-then-else statements
  - Uninitialized variable/signal states
  - Livelock/deadlock states
  - Unguarded overflow/ underflow registers/ queues/arrays, etc.
- Dead code elimination
  - Code coverage analysis







### **Common Weakness Enumeration**

A Community-Developed List of Software & Hardware Weakness Types

- CWE: list of known weaknesses that a secure system should not have
- Mitre Corp maintains on-line db
- Started with SW CWE, HW added about a year ago

### 1194 - Hardware Design

- —
   Manufacturing and Life Cycle Management Concerns (1195)
- Security Flow Issues (1196)
- -⊞ C Integration Issues (1197)
- —

   C Privilege Separation and Access Control Issues (1198)
- —
   General Circuit and Logic Design Concerns (1199)
- —

   Memory and Storage Issues (1202)
- —
   Peripherals, On-chip Fabric, and Interface/IO Problems (1203)
- —

   C Security Primitives and Cryptography Issues (1205)
- —

   Power, Clock, and Reset Concerns (1206)
- —⊞ 🤦 Debug and Test Problems (1207)
- —

   Cross-Cutting Problems (1208)

| ✓ View Metrics |                   |        |            |
|----------------|-------------------|--------|------------|
|                | CWEs in this view |        | Total CWEs |
| Weaknesses     | 96                | out of | 922        |
| Categories     | 12                | out of | 316        |
| Views          | 0                 | out of | 44         |
| Total          | 108               | out of | 1282       |



### Security Verification Plan – Central Aggregation Point for Security Data

Security
Requirements
(from req.
mgmt.)

Identify Security Metrics Security vPlan





Collaborate on common Security Plan

Link to Security Specs

Import and Reuse Security Plans





### Security Reference Platform

OpenTitan is the first open source project building a transparent, high-quality reference design and integration guidelines for silicon root of trust (RoT) chips.



**OpenTitan EarlGrey SoC** 

512kB Flash

top\_earlgrey

OpenTitan helps to make the silicon root of trust (RoT) more transparent, trustworthy, and ultimately, secure.



### Improper Finite State Machines in HW Logic with SuperLint

| CWE  | Description                                             | Formal Application |
|------|---------------------------------------------------------|--------------------|
| 1245 | Improper Finite State Machines (FSMs) in Hardware Logic | SuperLint          |

- Faulty finite state machines (FSMs) in HW logic allow attacker to put system in undefined state causing denial of service (DoS) or gain privileges to system
- Formal analysis automatically extracts all states and transitions for each FSM in design
- Unreachable states/transitions indicate potential weaknesses where faults can lead the design into unknown behaviors





## Key Overwrite in Wipe Mode Found with Formal Property Verification

| CWE  | Description                                                                 | Formal Application           |
|------|-----------------------------------------------------------------------------|------------------------------|
| 1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | Formal Property Verification |

#### Disabled

Disabled is a state where the key manager is no longer operational. Upon Disabled entry, the working state is updated with KMAC computed random values; however, sideload keys are preserved. This allows the software to keep the last valid sideload keys while preventing the system from further advancing the valid key.

When advance and generate calls are invoked from this state, the outputs and keys are indiscriminately updated with randomly computed values. Key manager enters disabled state based on direct invocation by software:

- Advance from OwnerRootKey
- · Disable operation

### LFSR must be enabled in key wipe state

```
assert {u_ctrl.state_q == StCtrlWipe |-> (ctrl_lfsr_en && wipe_key)}
# key values must be filled with random data
assert {u_ctrl.state_q == StCtrlWipe |-> kmac_key.key[0] == {8{ctrl_rand[0]}} }
assert {u_ctrl.state_q == StCtrlWipe |-> kmac_key.key[1] == {8{ctrl_rand[1]}} }
# software operations are forbidden when keymanager is disabled during key wipe
```

| T  | Type ₹       | Name                                     | Engine $ \mathbb{T} $ | Bound     | Time  | Task        |
|----|--------------|------------------------------------------|-----------------------|-----------|-------|-------------|
| ×! | Assert       | in_StCtrlWipe_wipe_lfsr_en               | L                     | 336 - 374 | 436.1 | fpv_cwe1258 |
| ×  | Cover (relat | in_StCtrlWipe_wipe_lfsr_en:witness1      | N (4)                 | Infinite  | 0.0   | fpv_cwe1258 |
| ✓  | Cover (relat | in_StCtrlWipe_wipe_lfsr_en:precondition1 | L                     | 330 - 374 | 436.1 | fpv_cwe1258 |

assert {!u ctrl.en i |-> u ctrl.disable sel && stage sel == Disable}





## Key Verification with Security Path Verification (SPV)

| CWE  | Description                                                                 | Weakness                           |  |
|------|-----------------------------------------------------------------------------|------------------------------------|--|
| 1263 | Improper Physical Access Control                                            | Data Confidentiality and integrity |  |
| 1282 | Assumed-Immutable Data is Stored in Writable Memory                         | Data integrity                     |  |
| 1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | Data confidentiality               |  |
| 1330 | Remnant Data Readable after Memory Erase                                    |                                    |  |

### Internal key is maintained inside of the keymgr\_ctrl block

Confidentiality (leakage) – inject taint (unique tag) at the key and look for propagation at block outputs

sw\_key

operation

wpdate\_ctrl

working State

keymer\_ctrl

Interface

id\_en ouput\_en current\_st

Ufsr

OTP inputs

iifecycle inputs

WMC Interface

Key Manager (Behavioral Model)

Integrity (corruption) – inject taint at the inputs and look for propagation to key



## Formal Safety Verification Exposes Security Vulnerability Analysis

| CWE  | Description                             | Formal Application               |
|------|-----------------------------------------|----------------------------------|
| 1261 | Improper Handling of Single Even Upsets | Formal Safety Verification (FSV) |

- Check ability to detect or eliminate hacker attacks in secure subsystems
  - IP is protected against hacker attacks
    - by sensors and checkers attack raises alarm
    - by error correction mechanism attack is eliminated
  - Goal is to detect or correct all attacks



# Negative Testing Exposes Illegal Scenarios Using PSS\*

**PSS** 

activity {

CORE0

0x10101f83

secure\_getkey [5] core @ core



ILLEGAL - Scenario to force crypto to write keys to illegal memory action crypto illegal mem test { do crypto c::generate\_key with { default disable allow illegal mem; allow illegal mem != false; Disable default token in.mem seg.mem block == MEM2; (legal) rule do security mod c::nonsecure getkey; 📭 core generate\_key [7] .ypto 👔 crypto\_l token out m sml\_data\_buff ^mem seg.addr 0x201e3b5f ^mem\_seg.block\_tag MEM2 token in n core nonsecure\_getkey [5] \*PSS = Portable Stimulus Standard

(Accellera) defines stimulus usable in simulation, emulation, and ASIC/FPGA

protocol/memory interfaces, etc.

resources, state variables,

### Broad Array of Security Solutions is Needed

Multi engine Planning & management Portable stimulus gen HW/SW verification/debug

**Functional** verification

Logical equivalence Sequential equivalence Power management verification

**Formal** Equivalence

Security path verification Formal property verification Register verification Fault/metastability injection

**Formal** Verification

**Errant** behavior 2+2 = 5

**Malicious** modifications



Insecure components



**Data leaks** 



**System-on-chip security** attack surfaces



Counterfeits/ clones





**Processor** 

ΙP

Side channels



**HROT** compatible Secure RTOS compatible Auto qualified safety

Encryption Authentication

Design IP

Auto qualified Adv node Standards interfaces Converters/mixed-signal

SW dev/debug HW verif links to SW envs Accurate HW/SW interaction Blended abstraction w/ real devices

**Physical** analysis Power Thermal Reliability/aging **EMIR** 

vPlan/tracking/mgt Interface to regts mgt **Traceability** tracking

Security design services

Security function implementation Advanced node expert team Cleared personnel



### Security Call to Action

- Assess current functional and security verification methodology
  - More comprehensive verification reduces security risk
- Discuss how security levels of assurance are applied on projects
  - Set security objectives
- Execute additional security verification
  - Discuss additional security verification goals
  - Identify joint engineering team to bring-up and apply new tools/methodology
  - Measure results from application of new tools/methodology
  - Document results and support materials/training to bring-up new projects



### Cadence Security Verification Solution and Partners



# cādence

© 2022 Cadence Design Systems, Inc. All rights reserved worldwide. Cadence, the Cadence logo, and the other Cadence marks found at <a href="https://www.cadence.com/go/trademarks">https://www.cadence.com/go/trademarks</a> are trademarks or registered trademarks or registered trademarks or farm Limited (or its subsidiaries) in the US and/or elsewhere. All MIPI specifications are registered trademarks or registered trademarks or service marks owned by MIPI Alliance. All PCI-SIG specifications are registered trademarks or trademarks are the property of their respective owners.