Given recent events, its time for chip makers to take a page from the software vendor handbook and step up their game in heading off potentially costly threats.
A Secure Development Lifecycle (SDL) for hardware with appropriate hardware security products could have prevented the recent Meltdown and Spectre vulnerabilities affecting Intel, ARM and AMD processor architectures. An SDL is the process of specifying a security threat model and then designing, developing and verifying against that threat model.
Many in the software domain are familiar with SDL, which is a process invented by Microsoft to improve the security of software. To make this process as efficient as possible, the software domain is filled with widely deployed static and dynamic analysis tools to provide automation around security review for various stages of the development lifecycle.
Chip companies, on the other hand, seldom have rigorous processes in place. Even worse, the ones that have some sort of SDL are not equipped with security tools able to effectively identify security vulnerabilities. The result is security teams (if they exist) manually reviewing block diagrams, verification plans, and design and architecture specifications. This ends up being time-consuming, not automated and prone to human error, and consequently leaves companies susceptible to costly vulnerabilities especially due to changes introduced late in the design cycle.
Hardware SDL is a necessity moving forward to identify and prevent vulnerabilities like Meltdown and Spectre. It will provide upper management with more insight into the associated risks and able to make informed business decisions about security.
The SDL can be applied easily to improve the security of modern semiconductor designs and, in general, uses following steps:
Each of these steps already overlays the way semiconductor companies design and build their devices.
Specify Security Requirements
During product requirements stages of a semiconductor design, it is important to think about what parts of the design will need further threat modeling, penetration testing or fuzz testing later in the SDL. This stage serves as a way of identifying that further threat modeling is needed during the Design/Architecture stage.
At this stage, it is important to perform threat modeling on portions of the design deemed to be important for security as identified during the first step. Threat modeling is the process of considering appropriate capabilities of an attacker, what they aim to achieve from the attack, and how they might perform it using acceptable amounts of resources, such as money and time. At this stage, this type of threat should be identified to prevent it during implementation.
When implementing the design, it is important to follow the threat models put forth in the prior step and design with intentions of adhering to them. The use of some automated hardware security platforms is beneficial here to ensure implementations are secure features based on the threat models and improve the manual effort involved.
For the semiconductor industry, functional verification is important. For the SDL, security verification is equally as important. At this stage, all security features implemented must be verified to be secure. Manual review often is used here and automated hardware security platforms reduce the level of effort required to perform this step. Once silicon is received, it may be important to perform fuzz or penetration testing depending on what the security requirements were in Step 1.
Release and Response
Before silicon is shipped to customers, it is important that these steps are all signed off on to ensure that the SDL has been properly followed and accepted by the appropriate security leads in the organization. Individuals ready to handle security support responses in a timely manner should be available if a vulnerability is identified outside the threat models.
Even a small investment in this type of process can have a dramatic difference on the security of the final silicon.
— Dr. Jason Oberg, is CEO of Tortuga Logic, a provider hardware security products that identify security vulnerabilities through the chip design lifecycle by analyzing the chip design based on a security threat model.