The verification of hardware security vulnerabilities is an expanding critical requirement in many semiconductor industry sectors. Yet the problem is far from being fully understood, let alone solved, making this a highly topical area for this conference. New verification solutions, such as Test Suite Synthesis based on the Accellera Portable Stimulus Standard (PSS) offers potential to take methods pioneered using formal tools and expand them for application on an SoC macro basis. This tutorial will explore a real application, in progress at large semiconductor company, where PSS was used to drive a security verification methodology. This method has the potential to be applied to many security issues.
Hardware security mechanisms come in a number of shapes and sizes. However, many of them can be boiled down to the idea that a protected region exists on a device and potential vulnerabilities, which allow this zone to be either written to or read from, need to be exhaustively analyzed. This protected region could be a memory segment or register set address space on a bus, or it could be a register holding an encrypted key or a control for a critical action, for example. Vulnerabilities can take the form of an unexpected write or read access to this region from an unexpected source, or another access point such as a debug interface or scan path. It might take the form of a sequence of activities triggering unexpected behavior.
All potential vulnerabilities need to be examined, but this assumes that every vulnerability can be predicted by the verification team, and then tested. This is a significant leap of faith. Formal tools have been exploited given their ability to analyze the entire state space of a secure block. The idea behind the formal approach is to state the legal read and write mechanisms, and then simply ask the question, is there another path to or from the protected region that has not been specified. This is a good solution for small blocks but, as with many formal solutions, the state space explodes when this approach is applied to a device of a reasonable size, such as an SoC with protected memory regions.
Test Suite Synthesis, using a verification intent described with the PSS, can make use of this basic idea, but apply it at a macro level. The PSS described intent takes the form of a graph that mimics the methods used to access the protected region, similarly to the formal tool extracting the state space of the design. The synthesis tool then generates a broad range of tests that exercise all of the paths in and out of the region over a period of time, checking the coverage to ensure an exhaustive test set. The tests are applied to the design itself and a full analysis of the device is performed. Of course, this description is over-simplistic, and the various pitfalls encountered when applying this methodology to a real situation will be described and discussed, together with methods used to overcome them.
Finally, a description of the results of this work will be shown and examples provided on how the approach can be applied to other security vulnerabilities.
Thank you to our Sponsor: