Research Programme in Assuring Hardware Security by Design in Systems on Chip


Research thrusts


Thrust 4 is focused on the coordination and the integration of the outcome of thrusts 1-3 into cohesive design methodologies, composition of proposed techniques and system demonstration on silicon. Accordingly, as shown in Fig. 7, thrust 4 represents the common ground on which all other thrusts interact on.

The design and system integration in thrust 4 will leverage the expertise and capabilities of the SOCure team, which has well-documented experience in research leading to tangible demonstrations of attacks and silicon prototypes. Some of the team members have proven capability to successfully design a wide range of silicon demonstrators that lead the state of the art in the most prestigious venues in the integrated circuit community, with steady presence at ISSCC [GRE] (only PI in Singapore and most of Asia with papers accepted every single year). Same considerations hold for another team member in terms of silicon demonstrations in the architecture community and steady presence at ISCA[PEH]. Our research laboratories have world-class expertise and capabilities in terms of access to CMOS technologies, industry-standard design tools, testing equipment, and collaboration with semiconductor industry. Other team members have well-proven expertise and state-of-the-art capabilities in terms of hardware attacks [PAC], and lead the related state of the art. Other team members have well-documented expertise in terms of architectural design methodologies [TRV], [MND] and protocol-level attacks [BPS]. The industrial partners are all leaders in the relevant sectors, ranging from manufacturing and design (currently in the process of joining the team), pre-silicon security evaluation [SIC], and invasive and non-invasive reliability/failure chip analysis [SEM].

Thrust 4 serves as a verification platform for the threat models, the assumptions, the research ideas, the resulting solutions, the design methodologies, and the related design tradeoffs between security and circuit overhead. Being the point of convergence of all research activities, the execution of thrust 4 is crucial to the success of the overall project.

In detail, the primary objectives of thrust 4 are:
platform to implement and validate the technological innovations
demonstrate and quantify the benefits and effectiveness of these innovations
consolidate these technologies into a unitary design paradigm, including design methodologies and tools
validate the effective interaction of the proposed techniques, and their synergy in achieving overall system-level security and mitigating the area/energy overhead compared to existing state-of-the-art approaches.
assess the iterative security evaluation methodology in Fig. 6 via systematic comparison of the pre-silicon and the post-silicon assessment outcomes
evaluate the potential of new attacks or combinations according EAL criteria
translating design concepts into silicon prototypes with measurable performance and security, as proof of concept for successive translationpushed by the industrial partners or other companies in Singapore
generate tangible results to engage a wider number of industrial players in Singapore, and create a complete ecosystem and hardware security supply chain
benchmark proposed technologies with state-of-the-art industrial designs

Being a crucial security primitive, the root of trust (i.e., PUFs) will be assessed by experimentally characterizing the silicon demonstrators with a thorough list of commonly agreed performance metrics such as uniqueness, randomness, repeatability, identifiability, energy/bit, throughput, process/voltage/temperature margin, area/bit, and several others [M13]. In particular, randomness will be assessed with multiple methods, including the execution of the NIST test suite [NIST10], the autocorrelation function to highlight potential spatial correlation among bits, the 0/1 bias and the related entropy, and the speckle diagram inspection [M13]. In addition, the same metrics will be evaluated under accelerated testing (i.e., burn-in testing) to quantify the effect of aging on the progressive degradation of the PUF performance across the entire lifecycle of a SoC. This will be performed by providing an appropriate supply voltage beyond the nominal value and operating the chips in a high-temperature environment (e.g., 125 oC, as provided by a temperature chamber). Conditions will be based on aging models provided by the foundry, to accurately mimic the typical 10-year lifetime of commercial devices.

At the end of the project, silicon demonstrators will be delivered as proof of concept for the research topics investigated during the project, as detailed in the list of deliverablesin Section 5. The final demonstrator will incorporate several sub-systems that demonstrate the effectiveness of the proposed techniques under attacks that involve the mutual interactionof architecture and physical protection (thrusts 1-2),as well as combined attacks (thrust 3). The approach based on the demonstration of several simpler sub-systems rather than a complete system on a chip is justified by the well-known fact that a full SoC demonstration would take a very large engineering effort that is comparable to the available budget (or larger, under typical complexity), and would not add research value. This is due to the considerable design/verification effort, as well as the cost (due to very limited availability to non-direct customers) of Intellectual Properties for the entire infrastructure of an SoC, ranging from testing and debugging, memory controllers, generators for large on-chip memories, among the others. At the same time, the chosen approach of demonstrating the effectiveness of each technique by focusing on the involved sub-systems assures very solid demonstration, as all sub-systems that interact on a single or combine attacks are implemented and experimentally characterized. In addition, the demonstration of the system-level architectural aspects are thoroughly covered in the demonstration in thrust 2, which includes the analysis of a full SoC being able to run an operating system and the benchmark software defined in thrusts 2-3.

In detail, the final demonstrator will include
all PUFs in thrust 1 integrated with the corresponding modules that require hardware authentication (e.g., routers, core)
links with architecturally and physically secure NoC
sub-systems to study the architecture-physical interaction (i.e., cri tical blocks such as the Simon crypto-engine
NoC power/timing/security characterization using on-chip packet generators and a secure core (e.g., MSP430, low-end RISCV)
secure core, cryptoengine and NoC to evaluate the ability to counteract DoS attacks and prohibit man-in-the-middle attacks and eavesdropping
any other sub-system and physical protection technique that will need a further refinement, based on the characterization of testchip #2 (2
nd silicon round) in thrust 1

The collaboration with RISE in the context of this thrust will be devoted to novel remote attestation approaches. Attestation adds an extra layer of security by allowing a remote party (e.g. cloud server) to verify the firmware state, the configuration state of the IoT device, and the physical integrity. The hypothesis is that there is some small low-level non-updatable circuitry that cannot be compromised, which computes a signature over the entire memory of the device. In this way, if the larger firmware is compromised, the configuration is manipulated by an adversary, and/or a chip is replaced on the board considered for remote attestation, then this can be detected by the attestation process. The insertion of lightweight crypto-engines to encrypt the output of the boundary-scan test port of each chip will be investigated, with keys being generated by a separate PUF on each chip.