Embedded systems developers want to protect their intellectual property (IP) for financial, competitive, and legal reasons. Aside from protecting their own IP, developers may be obligated to secure libraries or rights-managed content obtained from an outside vendor. Failing to protect the IP of outside vendors may expose developers to legal and financial risks.
This article focuses on methods of securing IP in embedded systems. We will examine past and current approaches and look ahead to new embedded processing solutions that offer new options for developers wanting to protect their IP.
Techniques for protecting IP in embedded systems vary greatly. These techniques rely on software, hardware, or a combination of both to prevent reverse engineering and IP theft.
Software-based IP Protection
Software methods for protecting IP in embedded processors are similar to those employed in the broader software industry: anti-disassembly, anti-debug, and tamper resistance.
Anti-disassembly. Anti-disassembly techniques attempt to make the static view of an executable reveal as little information as possible about the software IP in the executable. When employed correctly, anti-disassembly techniques make it more challenging for an adversary to understand, and thus to reverse-engineer, the software.
An example of an anti-disassembly technique is self-modifying code, in which a software program modifies itself at run time. An adversary viewing the software statically will have difficulty figuring out the code that actually executes at run time. Self-modifying code is interesting, but implementing it without complicating the development process is a challenge.
Anti-debug. Anti-debug refers to techniques that prevent successful debugging of software. A good anti-debug mechanism is one that doesn't alert the attacker to its existence. If attackers can't detect the presence of anti-debug mechanisms in the software they are trying to reverse-engineer, they will be less likely to succeed in identifying and disabling these mechanisms.
Anti-debug consists of techniques for debug detection and for response to debug attempts. Debug detection techniques include monitoring changes in the values of debug registers, self-scanning for breakpoints or emulation interrupts, and/or measuring the time delay between various points in the code execution.
Once a process detects that it is being debugged, it may respond in a manner that prevents IP theft by, for example, avoiding its proprietary algorithm and instead executing a more conventional algorithm.
Tamper resistance. Tamper resistance mechanisms are introduced into a software program in order to prevent adversaries from modifying the program. Adversaries modify software programs in order to make them behave in a manner different from that intended.
For example, to prevent software cloning (making unauthorized copies of software), a program may read and verify the unique device ID as a prerequisite for execution. If the ID read does not match that stored in the program, the program halts itself, because there is a high probability that it has been cloned and placed into a different device that has a different unique ID.
An adversary cloning the software program may attempt to patch it in a manner that makes it bypass the unique device ID check. Anti-tampering techniques hamper malicious code modifications by making the code more difficult to understand and/or by making the code likely to fail in case of tampering.
Making the code more difficult to understand may be achieved through the use of a code obfuscator. Code obfuscators are essentially compilers that perform transformations on an input program in order to produce a functionally equivalent but more difficult to reverse-engineer output program.
Making the code likely to fail in case of tampering may be achieved by calculating a hash of the software program at different points during execution. If the program was tampered with, the calculated hash value will not equal the expected value, and the program may take steps to evade the attacker.
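The device-ID check and the run-time hash check described above, combined in one small simulation. This is an added example, not code from the article or from Analog Devices; the image layout (a 4-byte device-ID header, the code, and a trailing SHA-256) is a constructed format, and the device IDs are made-up values.

```python
import hashlib

ID_LEN, DIGEST_LEN = 4, 32

def build_image(code: bytes, device_id: int) -> bytes:
    """Build step: the header binds this copy to one device ID; the trailing
    SHA-256 over header+code is the expected value the run-time checks use."""
    body = device_id.to_bytes(ID_LEN, "big") + code
    return body + hashlib.sha256(body).digest()

def integrity_ok(image: bytes) -> bool:
    """Recompute the hash of header+code and compare with the stored value."""
    body, stored = image[:-DIGEST_LEN], image[-DIGEST_LEN:]
    return hashlib.sha256(body).digest() == stored

def bound_device_id(image: bytes) -> int:
    """The unique device ID stored in the program at build time."""
    return int.from_bytes(image[:ID_LEN], "big")

def run(image: bytes, actual_device_id: int) -> str:
    """Simulated program flow: hash checks at two points bracket the clone check."""
    if not integrity_ok(image):               # checkpoint 1, before anything sensitive
        return "halt: tampered"
    if bound_device_id(image) != actual_device_id:
        return "halt: device ID mismatch (possible clone)"
    # ... proprietary algorithm would execute here ...
    if not integrity_ok(image):               # checkpoint 2, so a late patch still fails
        return "halt: tampered"
    return "ok: proprietary algorithm executed"

def rebind_device_id(image: bytes, new_id: int) -> bytes:
    """Models the patch the text describes (changing the stored ID to a clone's ID)
    without updating the hash; the integrity check is what catches it."""
    return new_id.to_bytes(ID_LEN, "big") + image[ID_LEN:]
```

A digest stored beside the code can be recomputed by whoever patches the code, so in practice the reference values are hidden, spread across several checks, or anchored in something the attacker cannot rewrite, such as the signed kernel discussed later in the article.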
In the absence of a system with IP protection features integral to its design, strategies that intelligently combine anti-disassembly, anti-debug, and tamper resistance can provide at least some level of protection in inherently open systems.
Hardware-based IP Protection
Hardware methods for protecting IP in embedded processors attempt to drive up the cost of probing and reverse-engineering the system. These methods can be implemented at the system level, board level or chip level.
System-level protection. One example of system-level protection is a mutual watchdog scheme. A small microcontroller and a processor provide mutual watchdog timer services. If either processor is halted or stops responding to the periodic interprocessor communication (e.g. halted via JTAG, removed from the board, etc.), the other processor performs a countermeasure such as erasure of on-board FLASH contents, removal of power to the other processor or, in the most extreme case, physical destruction of the processors and memory devices themselves.
Board-level protection. Board-level protection methods can include methods which rely on obfuscating the hardware access points into the processors and data lines of memory devices. Board layout techniques and package selection can be employed to make it difficult to access critical data and signal lines.
If sensitive information is transferred over unsecured data lines between memory devices and processors, these data lines can be probed and the IP can be intercepted during booting or other memory transfers. If critical signals cannot be accessed, they cannot be probed or tampered with.
Board layout can be done using blind vias and solid power and ground planes to shield access to signal traces on inner layers. Critical data lines between FLASH and processor, as well as JTAG signals, can be placed on inner copper layers.
Selecting BGA packages with fine ball pitch and placing critical signals away from the outermost rows of balls can further complicate malicious attempts to probe signals carrying data between processors and memory chips such as FLASH or DRAM.
Placing processor and memory packages as close together as possible on the board makes it harder for attackers to locate and probe critical signals. These techniques make it difficult for attackers to access signals even when drilling through the PCB. The downside is that BGA package selections and these board layout techniques (which add layers to the boards) will increase the cost of board manufacturing.
Figure 1. Placing processor and memory packages as close together as possible on the board makes it harder for attackers to locate and probe critical signals.
Other mechanical protection methods can be employed to hide chip locations and obscure the pins/balls of the component packages. For example, encapsulation techniques can be used to cover sensitive areas of a board with opaque epoxy.
Multiple device packages can be placed inside the covered area, thus hiding each individual chip's location, orientation and labeling. This is one means for hiding signals on packages with exposed pins such as LQFP and DIP packages.
It can also be a means of preventing access to the outer balls of BGA packages and can be used to cover only critical areas or an entire board. Yet another mechanical protection technique that further obfuscates components is the simple removal of labels from device packages.
Labels can easily be removed either at the time of manufacture or via chemical or mechanical means. Many semiconductor devices are available in standard packages, making it difficult to identify the specific device without opening the package. Packages can also be relabeled to appear to be custom ASICs.
Chip-level protection. Many processors contain on-chip memory, including SRAM, ROM or FLASH, which cannot be easily read from outside the device. On-chip memory can be utilized to hold sensitive code and data that must be protected from access by unauthorized parties. Access to on-chip memory must be restricted from host devices, as well as from emulator and test equipment via JTAG test ports.
Access restrictions can be implemented by blowing on-chip fuses to disable JTAG, or by providing no connection of JTAG signals from package to board. However, removing access to debug test ports complicates failure analysis and system debug.
The methods described above can help secure sensitive code and data on inherently open devices and systems; however, these methods can still be bypassed. Chemicals can be used to strip away encapsulations used to mask devices.
Common hand tools can be used to overcome mechanical protections. When all else fails, x-ray inspection can locate components and determine signal connections to bypass board-level protection.
Chip decappers, scanning electron microscopes (SEM), voltage contrast microscopy techniques, and focused ion beam (FIB) tools can be employed by well-equipped adversaries to decap chips and perform die analysis. In general, “security through obscurity” is only a temporary deterrent to a determined adversary. Without stronger protection in place, an embedded system can, in effect, be hijacked.
A new way to do IP protection
While many embedded systems developers recognize a need for security, few are adequately prepared to implement it, and security is often an afterthought for many developers. Some attempt to add on security to inherently open devices and systems using some of the software and hardware methods described above. To fulfill the requirements of developers seeking stronger IP protection, embedded processor manufacturers are developing new products with security features integral to their design.
IP protection in this new generation of embedded processors can be enabled by providing a privileged (secure) mode of operation in which only trusted code is allowed to execute. For an application to establish trust and to reach the privileged mode of operation, standards-based cryptographic algorithms can be used to implement digital signature authentication.
Only after successful verification of an application's digital signature does the processor grant the application the right to execute in privileged mode. In order for an application to successfully pass digital signature authentication, it has to be signed using a secret private key known only to the signing party and then verified using the corresponding public key, which can be stored on the processor itself. Once in privileged mode, a trusted application has access to protected memory and control over access restrictions.
Access restrictions prevent non-trusted applications from stealing, tampering with, or interfering in the operation of trusted applications executing in secure mode. Such restrictions may include disabling access via the JTAG test port, unauthorized access to on-chip memory and registers, and unauthorized attempts to change control over program flow.
How might these features be used to protect IP? Shown below is one approach using the Analog Devices Blackfin processor (Figure 2 below). Assume that we have a software application containing proprietary algorithms we wish to protect.
We can encrypt the application using any established encryption cipher (such as AES), store the application in flash in encrypted form, and store the decryption key in the Blackfin's secure one-time-programmable (OTP) memory.
A kernel can then be developed to load the application from flash and decrypt it. The kernel should be signed using the secret private key known only to the application developer. Upon successful digital signature authentication, the trusted kernel has access to the contents of secure OTP memory and the decryption key stored therein.
Since only the trusted kernel has access to the decryption key, and since an array of protection measures is established to prevent non-trusted applications from viewing the code of applications running in secure mode, the software IP is not visible to any non-trusted application.
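The boot flow just described (signed kernel verified with the on-processor public key, OTP key released only in privileged mode, encrypted application decrypted by the trusted kernel), as an added simulation that is not Analog Devices' code and does not model the Blackfin itself. The signature scheme is textbook RSA over a constructed 64-bit key and the cipher is a SHA-256 counter keystream standing in for AES; both are illustration-only substitutes for the standards-based algorithms the article refers to.

```python
import hashlib

# Toy textbook RSA over a 64-bit modulus, constructed for illustration only;
# a real processor uses a standards-based signature scheme with full-size keys.
P, Q = 4294967291, 4294967279            # two 32-bit primes (constructed key)
N, E = P * Q, 65537                      # public key (N, E): stored on the processor
D = pow(E, -1, (P - 1) * (Q - 1))        # private key D: known only to the developer

def digest63(data: bytes) -> int:
    """First 63 bits of SHA-256, so the value is below the toy modulus N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") >> 1

def sign_kernel(kernel: bytes) -> int:
    """Developer side: sign the kernel image with the private key."""
    return pow(digest63(kernel), D, N)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES (SHA-256 counter keystream); same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block_key = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block_key))
    return bytes(out)

class Processor:
    """Models the secure-mode gate: OTP key readable only after the kernel verifies."""
    def __init__(self, public_key: tuple, otp_key: bytes):
        self.public_key = public_key
        self._otp_key = otp_key          # decryption key burned into secure OTP memory
        self.privileged = False

    def boot(self, kernel: bytes, signature: int) -> str:
        """Verify the kernel's signature with the public key before granting privilege."""
        n, e = self.public_key
        if pow(signature, e, n) != digest63(kernel):
            return "halt: kernel signature invalid"   # stays non-privileged
        self.privileged = True
        return "privileged mode"

    def read_otp_key(self) -> bytes:
        """Access restriction: non-trusted code never sees the key."""
        if not self.privileged:
            raise PermissionError("OTP key readable only in privileged mode")
        return self._otp_key

def load_application(proc: Processor, flash_image: bytes) -> bytes:
    """Trusted kernel's job: fetch the key from OTP and decrypt the flash image."""
    return keystream_xor(proc.read_otp_key(), flash_image)
```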
Figure 2: Implementing a software IP protection scheme
By adding security measures that make it prohibitively expensive for thieves to steal IP, developers can help secure their systems. We've presented examples of software and hardware methods used to protect IP in inherently open systems.
Methods of employing security as an afterthought through obfuscation or mechanical protections are not as robust as implementations whose security features have been designed in from the start. A new generation of embedded processors is appearing with integrated security features that meet the growing need for more robust IP protection.
Wassim Bassalee is a SW Systems Engineer at Analog Devices. He focuses on cryptography, security, and their applications in embedded systems.
Phil Giordano is a Senior Applications Engineer with Analog Devices. He joined Analog Devices in 1998 and is currently involved in new product development of embedded processors with a focus on security features.