GSA Forum GSA Forum Homepage
home Articles semiconductor member news foundry focus back-end alley supply chain chronicles industry reflections global trends and insights private showing innovator spotlight forum archives
Articles AdvertisementsTSMC

Processing Security – A Dimensional Requirement

J. Ryan Kenny, Product Marketing Manager, CPU Technology

The year 2009 is seeing a rapid convergence of both security incidents in information systems and a renewed effort to apply new design and test standards to both federal and commercial systems. Though information security has traditionally been in the realm of software engineering (outside the government), this article will attempt to offer a brief summary of the different forces impacting modern security needs and requirements in processor design, and will predict an increase in secure processor offerings in the near future.

The history of processing security is consumed with two types of notable events: (1) major security incidents that modify security beliefs and (2) major consolidations of practices into national and international standards. The history of these events roughly divide into software/hardware tampering, the evolution of encryption standards and thinking, and events regarding trusted computing platforms and operating systems.

Figure 1. Short History of Security Events in General Processing
Figure 1. Short History of Security Events in General Processing

These events have evolved into a variety of security requirements with respect to military, federal and consumer processing systems. Anti-tamper requirements are inherently difficult to document and publish, so there are a great deal of social and political processes involved with fielding tamper-resistant systems. Encryption standards are fairly well-known and published, but cover a narrow set of encryption types. In addition, recent problems with physical encryption key security have cast doubts on the "real" security of otherwise compliant encryption modules. Finally, there are still at least two divergent standards pathways for trusted computing platforms, both of which are important to understand.

Anti-Tamper Events

Reverse engineering adversary technology has roots going back to metallurgy and early firearms. This activity has only increased with the use of electronics systems, defense software and modern encrypted communications. Its modern definition, according to the U.S. Department of Defense (DoD), is shown below.

Anti-Tamper (AT) encompasses the systems engineering activities intended to prevent and/or delay exploitation of critical technologies in U.S. weapon systems. These activities involve the entire life-cycle of systems acquisition, including research, design, development, implementation and testing of AT measures.

The loss of some military technology due to reverse engineering has led to several initiatives by the DoD, the most recent of which is an anti-tamper policy released in 1999, followed by the designation of an anti-tamper executive agent in 2001 (controlled by the U.S. Air Force). This newly established body has created an assessment process for the tamper resistance of new military equipment that is subject to military capture, or loss through logistics failure or poor foreign military sales (FMS) policy. In addition to the assessment process, new guidance has been issued to all weapon systems designers to identify all critical program information (CPI) in a system and a plan to protect that information through anti-tamper mechanisms.

Encryption Standards

One of the tools of data system security and anti-tamper systems is data encryption. Encryption research and assessment has been the work of the U.S. National Security Agency (NSA) since its inception in 1949, but multiple commercial bodies have also researched and developed public and private encryption standards.

NSA and the National Institute of Standards (NIST) arrived at a common encryption standard for government systems. This standard is called the Advanced Encryption Standard (AES). AES has its own standards document: FIPS 197. NIST and NSA also released a security standard for the encryption modules themselves called FIPS 140. Systems assessed for compliance under FIPS 140 typically use FIPS 197. Most government and some commercial encryption systems are now required to conform to FIPS 140 for the physical implementation of their encryption modules. The current version is called FIPS 140-2.

While there are many laboratories that can now assess compliance with FIPS 140, many national assessment bodies are discovering that the actual implementation of FIPS 140 and FIPS 197 yields a very non-standard level of security. That is to say, many implementations of the AES encryption standard have been insecure because of how they are implemented and how the encryption keys are stored.

This is an important topic in the design and manufacture of secure processors, as the processor architecture plays a key role in how encryption keys are stored and used. This has been featured in news items recently, where malicious players have been able to extract encryption keys from hardware that protects PIN numbers at automated teller machines (ATMs).

ISO, Common Criteria and "Trusted Computing"

End-to-end security requirements for processing systems now have a vast array of different standards and assessment bodies with little commonality. Many of these standards refer only to the design of hardware or to the design of applications and software, while others attempt to assess the security level of only one layer at a time in a system. The objective of trusted computing is to enable a system of hardware, operating systems and interconnects in such a way that individual users can be authenticated and a set of policy-based rules can be enforced.

Probably the most well known security certification is the Common Criteria assessment (ISO/IEC 15408). This certification is the result of an international treaty called the Common Criteria Recognition Agreement (CCRA) that consolidated basic definitions and security methodologies for certification in the mid 1990s.

Common Criteria assessments are carried out on operating systems, bus and computer platforms, peripherals such as smart cards, and firewall hardware\software. Labs that are ISO-certified to perform Common Criteria assessments are contracted to perform them. The objective of the Common Criteria rating system is to enable a large number of security-assessed computer components to be matched together, such that the overall security state of the system is that of its "weakest" member or lowest level of certification.

Though the Common Criteria assessment rating of a component (called the evaluation assurance level (EAL)) is rarely specified in procurements outside of a few government systems, achieving a higher EAL in a component will make the component more desirable in the design of secure systems.

Security Requirements in Systems

Security incidents and vulnerabilities revealed in the last few years have exploded into a new set of security requirements in both government and commercial systems. Among these is the discovery of cloned networking equipment in the last 10 years, which hurts the brand image of the manufacturer and places unknown digital content into U.S. networks. The fabless separation between design and manufacture in semiconductors has raised concerns about the potential of placing malicious circuitry into a vendor's chip supply with virtually no way to detect the malicious alterations.

Anti-Tamper

The requirements for anti-tamper protection are probably the least developed and, certainly, the least documented. The actual sources of these requirements from the military standpoint come from the DoD instruction 5200.39 and the DoD 5200 series of acquisition manuals. These require a program protection plan (PPP) in acquisition planning that identifies all the CPI in a defense system, and a plan to protect that information in case of a security breach or reverse engineering.

There are no strict written standards for complying with instruction 5200.39 and PPP requirements. However, these information protection plans must show distinct ways in which sensitive and valuable information is protected in a system, and these plans are reviewed and approved by Pentagon officials during acquisition milestones.

In documenting these plans at various milestones, acquisition officials will refer to past security assessments of systems and components in the system. As an example, if a processor is used in an aircraft system, acquisition officials will request documentation of past vulnerability assessments and security assessments of that processor, and make recommendations based on those assessments.

Therefore, component anti-tamper assessments are very important in getting parts selected into programs with CPI. Historically, these assessments have been performed by a variety of different government labs (Navy, Air Force, Department of Energy, NSA, etc.)

Trusted Source

A Pentagon office called the Defense Microelectronic Activity (DMEA) established a program office called the Trusted Access Program Office (TAPO). This office performs accreditation of companies as trusted suppliers to the U.S. government.

The designation of a trusted supplier includes examination of all phases of design and acquisition. Therefore, a manufacturer with a trusted supplier designation has supplier benefits with respect to manufacturing and manufacturing logistics. However, another supplier without this accreditation may control program phases in early design and development. Having a trusted supplier accreditation as an integrator includes all phases of design tool access, material handling, test and article logistics.

This accreditation is performed on a facility, company or division, and is not program- or application-specific.

Trusted Computing

There are two basic sources of commercial certification and assessment for a trusted computing platform. The first is the Common Criteria assessment and the second is compliance with a new industry consortium called the Trusted Computing Group (TCG). NSA usually performs additional levels of "hidden" assessments for government and sensitive information systems.

The Common Criteria assessment is most commonly performed on applications and operating systems. Single-user computer platforms and servers are sometimes certified as well. The degree to which components of an information system need to undergo Common Criteria assessments depends on the requirements of the government or institutional user of the system. This certification is typically not performed on a processor architecture by itself, but on a computer system.

There are seven levels of assessment referred to as EALs:

  • EAL One: Functionally Tested.
  • EAL Two: Structurally Tested.
  • EAL Three: Methodically Tested and Checked.
  • EAL Four: Methodically Designed, Tested and Reviewed.
  • EAL Five: Semi-Formally Designed and Tested.
  • EAL Six: Semi-Formally Verified Design and Tested.
  • EAL Seven: Formally Verified Design and Tested.

TCG has been active in defining common data and software security standards for commercial systems. Of particular interest is a standard for a trusted processing module (TPM) aimed at supplying secure boot and protection of encryption keys within a processor module. There are few products today utilizing the standards provided by this group, though security standards often take many years to gain momentum and acceptance.

Security in Processor Design

Security as a requirement in new silicon design is certainly something that will experience a high level of "dimensionality." This means that there will continue to be some federal and military systems with the highest levels of security requirements, and others with financial and proprietary needs with more modest security goals. 

At both ends of this spectrum, systems developers are making two realizations: (1) software solutions are not enough, particularly with respect to counterfeiting and reverse engineering threats and (2) the most developed standards for security are those developed for government purposes with the strictest security requirements. System and processor designers are likely to utilize these standards in their security requirements rather than write their own, despite the steep probable compliance curves involved. At the very least, they are likely to reference these standards and state exceptions to them.

As these standards become referenced more in the next five years, secure standard and embedded processor offerings are likely to increase.

About the Author

J. Ryan Kenny is a product marketing manager at CPU Technology. He is responsible for market development for Acalis and secure processor products. He joined CPU Tech in February 2009 and has over 10 years of experience in space and defense electronics in the government, defense and industry. He graduated from the U.S. Air Force Academy and completed an M.S.E.E. and MBA from California State University Northridge and Santa Clara University, respectively.

Resources

Hallam-Baker, Phillip. "The DotCrime Manifesto – How to Stop Internet Crime" Addison Wesley, 2008.

Keller, John. Editor-in-Chief, Military and Aerospace Electronics. "It is time to take anti-tamper technology seriously." Military and Aerospace Electronics, February, 2009.

Defense Technical Information Center (DTIC). "Critical Program Information (CPI) Protection Within the Department of Defense" July, 2008. http://www.dtic.mil/whs/directives/corres/pdf/520039p.pdf.

Report to Congress, U.S.-China Economic and Security Review Commission, 2007. http://www.uscc.gov/annual_report/2007/annual_report_full_07.pdf.

National Institute of Standards (NIST). "Security Requirements for Cryptographic Modules." May, 2001. http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

National Institute of Standards (NIST). "Advanced Encryption Standard." November 26, 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

Trusted Computing Group. Trusted Platform Module Specification and Workgroup.
https://www.trustedcomputinggroup.org/groups/tpm/.

Halderman, J Alex. "Lest We Forget: Cold Boot Attacks on Encryption Keys." 17th Usenix Security Symposium. San Jose, CA. August, 2008. http://www.usenix.org/events/sec08/tech/full_papers/halderman/halderman.pdf.

Wired Magazine Security Blog. "Pin Crackers Nab Holy Grail of Bank Card Security." April, 2009. http://blog.wired.com/27bstroke6/2009/04/pins.html.

Back to Articles Home
Advertisements
Siliconaire
Chartered Semiconductor
Forum Home | Articles | Semiconductor Member News | Foundry Focus | Back-End Alley | Supply Chain Chronicles | Industry Reflections
Global Trends & Insights | Private Showing | Innovator Spotlight | Forum Archives | GSA Home