An Overview — Systems-On-Chips (SOCs) And Their Security Risks
Vedant Ghodke| 25th February, 2021
A System-On-Chip (SOC) is a microchip with all the necessary electronic circuits and parts for a given system, such as a smartphone or wearable computer, on a single integrated circuit (IC). Semiconductors are becoming more vulnerable to attacks at each new process node due to thinner materials used to make these devices, as well as advances in equipment used to simulate how those chips behave.
The SOC market is projected to grow to over $207 billion by 2023 according to a report released earlier this year. SOC technology is found across all industries and is used in embedded systems as well as general-purpose computing devices. However, despite its popularity, there is still ambiguity about the security of an SOC.
Security always has been a game of cat and mouse, where new vulnerabilities are exposed and then patched. Hence, to predict whether these new vulnerabilities and tools change the fundamental threat model is not obvious. On the contrary, what is clear is that there is much more to worry about, and it is no longer just about software! The accountability of the modules that encompass and manipulate the security of a device is still yet to be put under the microscope for thorough research.
There are several prevalent questions about the reliability of an SOC. An example is: “How secure are SOCs in this world of increasing breaches and threats?”. In this blog we as a group, have discussed and analyzed a few aspects of these issues and a few proposed solutions for the same. Let us delve into the depths of these issues and their cause-effect relations in this and the coming few articles.
Modern SOC designs include a wide variety of highly sensitive assets which must be protected from unauthorized access. A significant aspect of SOC design involves exploration, analysis, and evaluation of resiliency mechanisms against attacks to such assets. These attacks may arise from a number of sources, including malicious intellectual property blocks (IPs) in the hardware, malicious or vulnerable firmware and software, insecure communication of the system with other devices, and side-channel vulnerabilities through power and performance profiles.
Counter-measures for these attacks are equally diverse and in different verticals. These include design, architecture, implementation, and validation-based protection. Today, we live in a virtually connected world surrounded by billions of computing systems; continuously tracking, identifying, and analyzing some of our personal information, including health monitoring, live locations, calls, banking details, login credentials, social network activity and even internet browsing. The threat will grow even more, as these number of connected devices increases even further, and as more electronics is used in safety-critical applications.
Research shows that, the trend is towards even higher proliferation of such devices, with an estimated 500 billion smart, connected devices by 2030, according to a recent report by Cisco. These devices generate, process, and exchange a large amount of sensitive information and data (often referred to as “security assets”) which include security-critical parameters introduced during the system architecture definition. Malicious access to these assets can result in leakage of company trade secrets for device manufacturers or content providers, identity theft or privacy breach for end users, and even serious physical destruction.
Given the broad spectrum of vulnerabilities and corresponding mitigation strategies, the subject of SOC security today is highly fragmented. Different research groups focus on different aspects of the problem, without full understanding of the tradeoffs and synergies. The issue also persists for mobile phone devices which come with a vivid range of chipsets, each with a separate target functionality and audience. Shown below are a few latest ones (as of 2021).
Thus, in a nutshell, the goal of this blog is to provide a comprehensive overview of security assurance requirements and practices in modern SOC designs. Existing literature falls short of a widespread coverage on SOC security. And hence, in the upcoming sequel articles of this blog, I have discussed the SOC design lifecycle, identification of the security concerns tackled at each stage, and the challenges involved in addressing them.
After all, what can actually be inferred is the ability to weigh out these disadvantages and educate ourselves on the mentioned security vulnerabilities and their causes, and perhaps try and propose state-of-the-art techniques to avoid any such security mishaps!
Stay well, stay safe and stay updated!
