As the Internet-of-Things (IoT) market continues to grow, the industry is coming to grips with the need to secure its IoT systems across the entire spectrum of IoT devices (edge, gateway, and cloud). One need only look back to the 2016 distributed denial-of-service (DDoS) attacks that caused internet outages for major portions of North America and Europe to realize how vulnerable the internet is to such attacks. In that case, the perpetrators used tens of millions of addressable IoT devices to bombard Dyn, a DNS provider, with DNS lookup requests. Analysts predict that by the year 2020, there will be over 212 billion sensor-enabled objects available to be connected to the internet. That’s about 28 objects for each person on the planet. While the opportunity for disaster seems obvious, the opportunity to make a lot of money on IoT is even bigger, so the industry needs to urgently address the problem. How can you make your IoT SoC devices secure?
Recently I attended the CDN Live event in Burlington, MA, where I had the chance to sit down with Mark Beal (CTO) and Steve Stecyk (Director of Engineering) of Intrinsix, a design services company, to find out how they are helping their clients deal with IoT device security. It was a fascinating conversation, as they had just recently released a new drop-in ready IoT security sub-system IP that is NSA Suite-B compliant and they were demoing the system to prospective customers at CDN Live who use Cadence’s Tensilica cores. I’ve captured a few highlights from that conversation, as I felt they address some points that all IoT device engineers may find interesting.
First, the Intrinsix security sub-system is offered as synthesizable RTL IP that is CAD-tool and technology-platform agnostic. Intrinsix was obviously catering to Cadence users at CDN Live, but their IP can be readily ported to any standard CMOS platform and EDA toolset. Its claim to fame, other than being super easy to use, is its incredibly low power profile, typically 10X better than what is offered using standard CPU-based security methods. Intrinsix leveraged more than 1000 equivalent-years of design experience to create a specialized hardware and software cryptographic accelerator security sub-system that is responsible for providing a secure boot environment for ARM, RISC-V, and Tensilica-based IoT systems.
When one mentions dedicated security accelerators, it seems counterintuitive that this would make for a lower-power system. Why would more hardware mean less power? First, remember that this dedicated hardware has one purpose, and because of that, it is optimized for the task given to it. That means no wasted cycles when it is doing its job.
Second, the real power savings come when the IoT device is turned off (which for many IoT edge devices represents about 99% of their lifetime). However, “turned off” is a bit of a misnomer. To stay responsive, most IoT systems don’t fully power down. They instead go into a sleep state, using the processor to monitor a wake-up pin. The memories of the device, however, remain fully up and running, consuming power. The reason for this is that if you power down and lose the state of the system, you must go through the authentication process again to ensure a secure boot when it’s time to wake back up. This authentication process takes time, typically on the order of multiple seconds if you are using the system CPU to do the work, and that cuts down on system responsiveness. By using accelerator technology, Intrinsix cuts this time from seconds down to milliseconds, restoring system responsiveness. Being able to turn off 99% of the chip allows Intrinsix to reduce power consumption by up to 1000X and increase battery life by as much as 10X. All the while, the area consumed by the accelerator hardware is negligible, and even with the lower power consumption, they can still provide device security that meets NSA Secret level requirements.
The architecture of the security sub-system is self-contained and provides the secure boot environment for the SoC. This approach means that the sub-system has its own security processor, security ROM, and the various engines needed for authentication, encryption/decryption, random number generation, and establishing secure tunnels for over-the-air (OTA) updates. The sub-system maintains control of the rest of the SoC until it can make sure the device is securely up and running, after which it turns control over to the SoC’s host processors. The security sub-system also contains a monotonic counter that is used to check the validity of incoming updates, ensuring that a nefarious actor cannot take the system back to a previously valid but possibly more susceptible version of the firmware.
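As an added illustration of the rollback check described above (this is not Intrinsix code, and the page does not say how their counter is built), the following C example assumes the monotonic counter is a 32-bit bank of one-time-programmable bits and that each update carries a security version in its signed header. The names `mono_counter_t` and `accept_update` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the counter is a bank of one-time-programmable bits. A bit can
 * be set but never cleared, so the count of set bits can only increase. */
#define COUNTER_BITS 32u

typedef struct { uint32_t fuses; } mono_counter_t;
typedef enum { UPD_OK, UPD_BAD_SIGNATURE, UPD_ROLLBACK, UPD_COUNTER_FULL } upd_result_t;

static uint32_t counter_read(const mono_counter_t *c) {
    uint32_t v = c->fuses, n = 0;
    while (v) { n += v & 1u; v >>= 1; }
    return n;
}

/* Burn bits until the count reaches target. There is no path that lowers it. */
static bool counter_advance(mono_counter_t *c, uint32_t target) {
    if (target > COUNTER_BITS) return false;
    while (counter_read(c) < target)
        c->fuses |= c->fuses + 1u;          /* set the lowest clear bit */
    return true;
}

/* image_version: security version from the update's signed header.
 * signature_valid: verdict of the authentication engine (not modelled here). */
static upd_result_t accept_update(mono_counter_t *c, uint32_t image_version,
                                  bool signature_valid) {
    if (!signature_valid)                   /* an unauthenticated version field */
        return UPD_BAD_SIGNATURE;           /* must never touch the counter     */
    if (image_version < counter_read(c))
        return UPD_ROLLBACK;                /* validly signed, but too old      */
    if (!counter_advance(c, image_version))
        return UPD_COUNTER_FULL;
    return UPD_OK;
}

int main(void) {
    mono_counter_t c = { 0 };               /* constructed sample sequence */
    printf("install v3 -> %d\n", accept_update(&c, 3, true));
    printf("install v2 -> %d\n", accept_update(&c, 2, true));
    printf("forged v9  -> %d\n", accept_update(&c, 9, false));
    printf("counter    =  %u\n", (unsigned)counter_read(&c));
    return 0;
}
```

The signature verdict is checked before the version field is read, so a forged header can neither pass the comparison nor advance the counter.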
In addition to the IP, Intrinsix also provides best-practice design services to their clients to ensure their SoC takes full advantage of the security sub-system. One example of this is how they deal with design-for-test (DFT). DFT by its nature is meant to “open up” the system logic for manufacturing test. DFT can cause security problems when the SoC is in the field because the testability ports could be used for unauthorized access to registers that the security system protects. Intrinsix uses a strategy that enables SoC testability while the system is still unprovisioned. Once the security sub-system’s one-time-programmable (OTP) memories are loaded with public keys and secure boot firmware, logic in the provisioned system detects that the OTPs have been written and disables the DFT ports from further use. Very slick.
There was a lot more to the conversation, and I’ll try to follow up with more information in later articles, but suffice it to say, I found it refreshing to see that Intrinsix and the industry are indeed working hard to make IoT SoC designs secure.
If you want to learn more about Intrinsix and their IoT offerings, you can find them online at the link below, download their IoT eBook, or you can visit with them at the upcoming IoT Security Developers Conference being held in Santa Clara, CA on September 28th.