Security scenarios in embedded design

25 September 2002 News

As FPGAs grow in capability through the million-gate mark, they are being used for ever more complex and valuable designs. This trend raises questions about embedded design security, a subject that is not yet well understood. Using a number of typical cases from various industries, the following scenarios illustrate common security problems facing today's designers and the kinds of solution needed to prevent infringement. The scenarios were developed by a third-party expert in security engineering as part of a study funded by Actel.

Run-on counterfeit

Red Sound Incorporated makes MP3 players for sale in the USA and Europe. A household brand, Red Sound subcontracts the manufacture of the devices to Lotus Audio in Bangkok. After producing 250 000 units for Red, Lotus makes an additional 100 000 identical units (including not just Red's design but also its label), which are then sold through grey market importers.

Comment: Run-on fraud is the largest single source of counterfeit goods and in some sectors, the sole source.

Requirement: Red Sound needs a mechanism to stop overproduction. Many industries have experienced this type of problem; in the cosmetics industry, for example, ingredients and packaging are sourced from multiple suppliers whose identities are kept secret from the contract manufacturer. One strategy is to program the FPGAs in-house and supply only programmed parts to the manufacturer, so that Lotus can build no more working units than Red ships it parts for. An alternative is to use keys, embedded in an auditable quantity of FPGAs supplied by the vendor or a trusted third party, that allow Red Sound to lock (and protect) its bitstream: the bitstream only runs on keyed parts, and the number of keyed parts issued is known.

Data manipulation

Blue Phone is a GSM operator in France, where handsets are subsidised by the service providers and sold for a nominal amount to users, provided the customer signs a one-year service contract. The problem occurs when grey market traders buy phones for resale in countries such as Norway and Singapore where handsets are not subsidised. This robs Blue Phone of subsidies intended for French users and, in some cases, allows users in foreign markets to obtain unauthorised access to its local mobile network without paying.

Comment: Past attempts to prevent grey exports using handset software have been circumvented by pirates within a few weeks.

Requirement: Because of the prevalence of subsidies in mobile phone business models, many phone companies are anxious that the new, expensive WAP and 3G handsets now being introduced be tied firmly to the home network. Handset vendors want to assure the phone companies that handsets will be difficult to reprogram. There is little concern about 'knock-off' copies of phones, because of the scale economies required to achieve competitive prices and because of the regulatory environment. To make the phone secure, it must be made very costly to change one particular variable in the phone (eg, the identity of the home network). This is typically achieved with secure, serialised or system-authenticated programmable devices, and the problem is closely related to another well-studied one: software protection using dongles.

Software copying

Green Mapping sells software to make maps from aerial photographs. Its customers are mostly local governments, buying the systems for $20 000. Approximately half of the cost is hardware (scanners and plotters); the rest is the software. As the price of hardware decreases, Green Mapping has become increasingly anxious about piracy. The company wants to implement a high-quality hardware dongle that must be present for its software to run, and expects this to eliminate the problem.

Comment: Many software companies used dongles in the early 1980s, after which they went out of fashion. They are reappearing in sectors with high-value products. In 1998, about a million dongles were sold worldwide at an average price of approximately $20.

Requirement: A medium-quality dongle might contain a digital signature mechanism that the program challenges from time to time: the program sends a random challenge, the dongle signs it, and the program verifies the signature. The main threat is that a pirate patches out the calls to this mechanism, because the whole protection then rests on a single conditional branch in the host program. A better solution is to implement some important part of the program logic in the dongle, such as a digital filter or part of a rendering algorithm, so that there is no check to bypass: without the dongle the program simply produces wrong output. With this approach, a successful attack requires either cloning the device completely or understanding its critical functionality well enough to reimplement it.
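The contrast between the two dongle designs, as an added example (not code from the article or from any dongle vendor). The 'dongle' is a Python object standing in for the hardware, and the digital signature the article mentions is replaced by an HMAC-SHA256 response to a random challenge so that only the standard library is needed; the protocol has the same shape (host sends a fresh random challenge, dongle returns a keyed answer). The secret, the filter taps and the input samples are all constructed for the example. One difference worth noting: with a real signature the host holds only a public key, whereas with HMAC the host binary also carries the secret, so a pirate who extracts it could clone the dongle.

```python
"""Software dongles: a pass/fail challenge-response check versus real logic in the dongle."""
import hashlib
import hmac
import os

# Secrets held by the genuine dongle (constructed for this example).
DONGLE_SECRET = b"genuine-dongle-secret-key"
FIR_TAPS = (0.25, 0.5, 0.25)        # a short low-pass FIR stage of the 'rendering' pipeline


def fir_filter(taps, samples):
    """Causal FIR filter with zero history before the first sample."""
    out = []
    for i in range(len(samples)):
        acc = 0.0
        for k, tap in enumerate(taps):
            if i - k >= 0:
                acc += tap * samples[i - k]
        out.append(acc)
    return out


class Dongle:
    """Stand-in for a hardware dongle holding a secret key and a secret filter."""

    def __init__(self, secret, taps):
        self._secret = secret
        self._taps = taps

    def respond(self, challenge):
        """Answer a challenge; a real dongle would sign it with a private key."""
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def filter(self, samples):
        """Run the secret filter inside the dongle."""
        return fir_filter(self._taps, samples)


# A genuine dongle and a pirate's stand-in that knows neither secret.
GENUINE = Dongle(DONGLE_SECRET, FIR_TAPS)
FAKE = Dongle(b"no idea", (1.0,))   # garbage responses; 'filter' just passes samples through

# Constructed input: an impulse followed by a step.
SAMPLES = [4.0, 0.0, 0.0, 0.0, 2.0, 2.0, 2.0]


def check_dongle(dongle):
    """Medium-quality scheme: verify the dongle's answer to a fresh random challenge."""
    challenge = os.urandom(16)
    expected = hmac.new(DONGLE_SECRET, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(dongle.respond(challenge), expected)


def render_with_check(dongle, samples):
    """Host holds the whole algorithm; the dongle only supplies a yes/no answer."""
    if not check_dongle(dongle):                 # the single branch a pirate will patch
        raise PermissionError("dongle missing or not genuine")
    return fir_filter(FIR_TAPS, samples)         # host-side copy of the filter


def run_patched_binary(dongle, samples):
    """What the pirate does: patch the check so that it always passes."""
    global check_dongle
    original = check_dongle
    check_dongle = lambda _dongle: True          # the 'patched out' call
    try:
        return render_with_check(dongle, samples)
    finally:
        check_dongle = original


def render_in_dongle(dongle, samples):
    """Better scheme: the critical stage runs inside the dongle, so there is no branch to patch."""
    return dongle.filter(samples)


if __name__ == "__main__":
    print("genuine, checked:", render_with_check(GENUINE, SAMPLES))
    print("fake, patched   :", run_patched_binary(FAKE, SAMPLES))     # identical: protection gone
    print("fake, in-dongle :", render_in_dongle(FAKE, SAMPLES))       # wrong output, nothing to patch
```

Running it shows that once the conditional is patched the fake dongle produces exactly the genuine output, while with the filter inside the dongle the fake produces the unfiltered input and the pirate is left with the problem the article describes: clone the device or reverse-engineer the taps.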

Compatibility control

Purple Games Incorporated sells a gaming console. Its plan for success employs a business model in which royalties from game sales and accessories subsidise the cost of the consoles. Purple Games has, therefore, implemented an authentication mechanism for its game cartridges using an FPGA. The company is very anxious to prevent third-party vendors from copying its products, or reverse engineering them to the extent that they can make compatible cartridges. Purple Games' chosen line of attack is to use the Digital Millennium Copyright Act (DMCA) very aggressively against unlicensed suppliers.

Comment: Several game companies have used FPGAs due to their fast time-to-market advantage.

Requirement: The requirement is for a tamper-resistant chip that combines copyright control and accessory control functions, while still being difficult to reverse engineer. Additionally, low design costs are necessary, as some accessories' retail prices are less than $10.

Product versioning

Tartan Scientific Instruments sells oscilloscopes and similar test equipment. In its business model, products are versioned according to the amount of high-speed RAM available; academics can buy an oscilloscope with 8 Mb of RAM for $4000, while the professional version has 64 Mb of RAM and costs $17 000. All products have the same hardware; the difference is that customers paying the professional price get a password that unlocks the extra memory. This mechanism has been defeated, and the password circulates on the Internet. In the future, Tartan wants to use an FPGA to better protect its next model.

Comment: Product versioning and price discrimination are now the fastest-growing application area for cryptography and related information security mechanisms.

Requirement: The FPGA will check the password and also perform some critical signal-processing role, so that bypassing the check alone leaves the instrument non-functional rather than unlocked. Alternatively, a mechanism whereby the FPGA encrypts access to the extra memory might also be an adequate solution.

Secure reconfiguration

The NSA has been working with several companies to develop prototypes for secure reconfiguration of FPGAs. Rather than having an external device, such as a microcontroller, manage the download of a bitstream, its goal is to have a 'security kernel' in one of the chip's contexts that can be used to authenticate the download of the other contexts.

Comment: Several large consumer product companies have been investigating this issue.

Requirement: Given a suitably trustworthy download authentication mechanism, it should not be necessary for FPGA customers to develop their own. The NSA's stated requirement is that the bitstream comes from an authenticated source (authenticity), that it cannot be changed, whether maliciously or inadvertently, without detection (integrity), and that its contents are protected from disclosure (confidentiality).
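What a loader meeting those three requirements has to do, as an added example (not NSA or vendor code). It uses encrypt-then-MAC with only the Python standard library: HMAC-SHA256 as the authenticator, and HMAC-SHA256 run in counter mode as the keystream generator for confidentiality. A production 'security kernel' would use AES-GCM or the device's own bitstream-encryption engine instead; the construction here is chosen so the example runs anywhere. The container layout, the device key and the stand-in bitstream are assumptions of the example, not any vendor's format. Because the key is symmetric, the loader must hold it in tamper-resistant storage, and anyone holding it can produce an acceptable bitstream; a signature scheme, with only a public key in the loader, separates 'came from the vendor' from 'can be decrypted'.

```python
"""Sealing and authenticating an FPGA bitstream before it is loaded.

Container layout (an assumption of this example):
    MAGIC(4) | nonce(16) | ciphertext length(4, big-endian) | ciphertext | tag(32)
The tag covers everything before it, so header and ciphertext are both authenticated.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"BITS"
NONCE_LEN = 16
TAG_LEN = 32
HEADER = struct.Struct(">4s16sI")       # magic, nonce, ciphertext length


def derive_keys(master_key):
    """Derive separate encryption and MAC keys from one device master key."""
    enc_key = hmac.new(master_key, b"bitstream-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"bitstream-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal_bitstream(master_key, bitstream, nonce=None):
    """Vendor side: encrypt the bitstream, then authenticate header plus ciphertext."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = xor_bytes(bitstream, keystream(enc_key, nonce, len(bitstream)))
    body = HEADER.pack(MAGIC, nonce, len(ciphertext)) + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def open_bitstream(master_key, container):
    """Loader side (the 'security kernel'): verify first, decrypt only what verified."""
    if len(container) < HEADER.size + TAG_LEN:
        raise ValueError("container truncated")
    body, tag = container[:-TAG_LEN], container[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_key)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # wrong source, tampering or corruption
        raise ValueError("bitstream authentication failed")
    magic, nonce, length = HEADER.unpack(body[:HEADER.size])
    ciphertext = body[HEADER.size:]
    if magic != MAGIC or len(ciphertext) != length:
        raise ValueError("malformed container")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, length))


# Constructed sample: a device key and a stand-in bitstream.
DEVICE_KEY = hashlib.sha256(b"example device master key").digest()
BITSTREAM = bytes([0xFF] * 4) + bytes(range(96))


def _rejected(key, container):
    try:
        open_bitstream(key, container)
    except ValueError:
        return True
    return False


def demo():
    """Returns (round_trip_ok, tamper_rejected, wrong_key_rejected)."""
    container = seal_bitstream(DEVICE_KEY, BITSTREAM)
    round_trip_ok = open_bitstream(DEVICE_KEY, container) == BITSTREAM
    damaged = bytearray(container)
    damaged[HEADER.size + 5] ^= 0x01                # flip one bit of ciphertext
    tamper_rejected = _rejected(DEVICE_KEY, bytes(damaged))
    wrong_key_rejected = _rejected(b"\x00" * 32, container)
    return round_trip_ok, tamper_rejected, wrong_key_rejected


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The order of operations in open_bitstream is the point: the tag is checked over the whole container before any decryption or parsing, with a constant-time comparison, so a bit flipped in transit, a bitstream sealed under another key, and a truncated file are all rejected the same way and never reach the configuration logic.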

Classified cipher chip

The NSA launched the Clipper chip in 1993, containing the then-classified block cipher Skipjack and a protocol mechanism whose goal was to ensure that the chip would not decipher any material unless its key had also been enciphered with a key known to the US government. It implemented the design using an antifuse technology to ensure security.

Comment: The escrow protocol turned out to be defective (Matt Blaze showed in 1994 that the 16-bit checksum in the Law Enforcement Access Field could be brute-forced, allowing a LEAF that passed the chip's check but did not carry the real session key) and the product was withdrawn, but later variants of it (Capstone) are employed today.

Requirement: In this case, the requirement included keeping the Skipjack block cipher confidential (otherwise people could have built compatible equipment that did not give the government sole access to keys). This meant denying an attacker the ability to analyse the chip's operation by measuring its power consumption or by dropping a microprobe on the surface and observing the intermediate results of computations. The chip was therefore not a standard FPGA but was equipped with special noise generators and encased in a protective coating.

Trusted configuration management

Intel is leading a consortium, the Trusted Computing Platform Alliance (TCPA), whose goal is to furnish every PC with a monitor chip that will implement digital rights management. The monitor will be a secure hardware device that supervises the PC's operation and certifies to third parties that the hardware and software are trustworthy; in other words, that the platform will not make unauthorised copies of content available to third parties.

Comment: This is likely to be controversial. Attempts to introduce legislation to make such monitoring devices mandatory have met vigorous and principled resistance.

Requirement: The requirement calls for a tamper-resistant chip that is able to support the TCPA protocols (which include digital signatures). For mass-market products the need will most likely be met by the smartcard vendor community. It appears likely that mass standardisation of security monitor chipsets will displace sales currently made by dongle vendors for application protection.

Litigation risk avoidance

Orange Appliance produces consumer appliances in professional audio processing, an area troubled with litigation. Orange Appliance wants to keep the signal processing algorithms it uses secret in order to avoid the costs of being sued by competitors, who might use patents of little merit to impede the company.

Comment: The threat of vexatious litigation was the reason cited by IBM in the 1980s for no longer supplying source code for operating systems and is a reason cited by Microsoft today.

Requirement: The requirement is that the cost of reading out and understanding the bitstream should exceed the cost of successfully bringing a lawsuit, or part of a lawsuit, to compel its disclosure.

For more information contact local Actel representative, ASIC Design Services, 011 315 8316.


