I recently learned that Accellera has formed an IP security working group. My first reaction was “Great, we really need that!” My second reaction was “But I have so many questions.” Security in the systems world is still very much a topic in its infancy. I don’t mean to imply that there isn’t good work being done in both software and hardware domains. But it still mostly feels reactive and ad hoc. Where’s the ISO 26262 for security? How do we quantify strong security versus weak security? And so on. Here, in no particular order, are some questions that I hope the working group will eventually answer.
How does IP security tie to SoC security and then to system security? In part this feels like the system element out of context (SEooC) topic in ISO 26262. How can you demonstrate security in a sub-component when you don’t know how it will be used in the larger system? Moreover, we still don’t have a good handle on defining security for the whole stack. Even if we have a clear definition for the IP, how do we compose those measures into a system-level measure?
Which raises a scope question. I see the chair is from Intel, which is a great start. They probably know more about security than most, despite their recent stumbles. And Synopsys is involved, which is also good, not just for their IP expertise but also for their software security expertise. I hope Rambus will join, also maybe someone from Google Project Zero (you see where I’m going with this). I hope Accellera will become a regular presenter at Black Hat. Meantime, it would be good to know how the WG plans to connect with existing compliance requirements from PCI, NSA and others.
But even given a WG loaded with experts from the industry, how much will they share, and will that be enough to build an effective standard? Security through obscurity is still important and will likely always be important. What you don’t share is harder to attack because that makes it harder to guess at vulnerabilities. So how much can be shared in a standard? Mechanisms almost certainly not, because that would limit innovation and differentiation, which hackers would love and the industry would hate. Measures of security seem more likely as long as they’re fairly general. Targeted metrics might be clues to likely weak areas. Or maybe these could be a good way to demonstrate strengths against a spectrum of possible attacks? (I said I had questions, not answers.)
Back to the element out of context point, how effective can security measures at this level be? Consider timing-channel attacks. I can run these from inside a VM nowhere near the IP, as long as I have access to an accurate timer. I just have to launch an operation that will use the IP. You could argue that attention to such attacks is out of scope for this work and should be the responsibility of a different standard. But that begs the question – how useful will this standard be if it does not consider such attacks? Answering that question requires a way to compare, at least approximately, the class of attacks that will be covered versus the class of all likely attacks (as anticipated within the lifetime of a device using the IP).
I could go on, but I do want to stress that, despite all my questions, I am very much a fan of this effort. Certainly the people contributing on the WG will know far more about security than I do and must see further and more clearly than I can. And frankly security is a huge problem, so every possible angle is worth exploring. I look forward to learning more as this develops. You can learn more about the Accellera WG HERE.