Slides

Addressing Supply Chain Security with
Split Manufacturing
Ted Huffmire
Summer UCI CECS Seminar
July 27, 2012
Disclaimer
• The views presented in this talk are those of
the speaker and do not necessarily reflect the
views of the United States Department of
Defense.
Outline
• Motivation and Background
• Option 1: Reconfigurable Hardware
• Option 2: 2D Split Manufacturing
• Option 3: 3D Split Manufacturing
• Conclusions and Future Work
Motivation and Background
What is Hardware Security?
• Many of the issues of hardware security are similar to
traditional computer security
– Malware, authentication, program analysis, patches, insiders,
social engineering, developmental attacks, evaluation,
certification and accreditation, flawed implementations,
protocols, system-level issues, network security, usability,
economic incentives, complexity.
• Anything can be hacked, but the attacker has finite resources.
– Shades of grey rather than black-and-white (“broken” or not)
– Make attackers toil, and design systems that “win” decisively
– Each security technique has its advantages and disadvantages,
and we must understand each technique's limitations. Even
crypto has limitations. We need to know what specific attacks
each technique is capable of preventing.
What is Hardware Security?
• Opportunities of hardware
– High performance
• Custom processors for crypto, deep packet inspection,
etc.
– Direct control
– No intermediate OS layers
– Physical separation
• Challenges
– Semantic gap
– Engineering and fabrication costs
What is Hardware Security?
• Foundry Trust
– Malicious Hardware (a.k.a. “gate-ware”)
• Trojan Horse, Rootkit, Kill Switch
– Design Theft (Protecting Intellectual Property)
– Start with a secure design before addressing fabrication security
• Operational Attacks
– Power Analysis, Fault Injection, Heating, Optical
– Cold Boot, Probing, Math Errors
• Developmental Attacks
– Malicious Design Tools
– Malicious IP
• System Assurance
– Security Architecture, Key Management, PUFs
– Formal analysis of IP cores (not a panacea)
What is Hardware Security?
• Interfaces [Schaumont 2009]
– Secure hardware is part of a bigger system.
– Secure hardware interfaces are tricky:
• How do you distinguish red wires from black wires?
– Secure hardware interfaces do not exist yet!
– Current secure hardware serves software
• Composition [Schaumont 2009]
– This is not trivial.
– To resist side channels, you must avoid redundancy.
– However, fault tolerance requires increasing redundancy.
– How can you build fault-tolerant, side channel resistant systems?
• Metrics [Schaumont 2009]
– Security is dimensionless.
– Metrics are absolutely necessary to do meaningful research.
– Without metrics, it is impossible to analyze trade-offs.
• Education: Electrical Engineers are trained to make things happen
rather than to make bad things NOT happen [Schaumont 2009]
Trustworthy Tools and IP
• Stripped-down alternative design flow
Option 1: Reconfigurable Hardware
Tradeoffs
[Figure: a spectrum from General-Purpose CPU, through FPGA, to Application-Specific ASIC]
• Software vs. Hardware
– Generality vs. performance
– FPGAs are in between
• ASIC performance comes at a high NRE cost
– Fabrication
– Verification
• Security
– IP is vulnerable in overseas foundries
– Reduce problem of trusting foundry to problem of
trusting FPGA
Option 0?
• Running software on a CPU
– Software is loaded onto the CPU in a secure
facility after fabrication
• Coprocessor
– One chip is manufactured in a trusted foundry;
the other in an overseas foundry
– The two reside on the same circuit board
Reconfigurable Hardware
• FPGA Fabric
[Figure: an FPGA chip containing the FPGA fabric, BRAM blocks, an SRAM block and embedded μP cores, with SDRAM off-chip]
Trusted Design in FPGAs
• Source: [Trimberger 2007]
Figure 1. FPGA Component Flow: Non-Secure Manufacturing (Generic FPGA Base Array) → Secure Design Facility (Design, Add Secret, Bitstream) → Non-Secure Environment
Option 2: 2D Split Manufacturing
2D Split Manufacturing
• Design in the US
• Fabricate the transistors and the lowest metal layer(s), through metal 1 or metal 2, at an insecure facility
• Finish the remaining upper metal layers, up through metal 12, in a trusted facility
2D Split Manufacturing
• To achieve this, the IARPA TIC Program splits fabrication into a FEOL and a BEOL process
– FEOL = Front End of Line: the transistors and lowest interconnect, built at the untrusted foundry
– BEOL = Back End of Line: the upper metal interconnect that wires the devices together, built at the trusted facility
• The final ASIC is the result of the combined FEOL and BEOL processes
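A toy model of the FEOL/BEOL split, added here as an example and not code from the talk or from the IARPA TIC program: the netlists, the cell library, the instance names and the function names are all constructed. It makes concrete what the untrusted FEOL foundry receives (a bag of cells with unconnected pins), what only the trusted BEOL facility knows (the pin-to-net wiring, which is the interface between the two), and how many distinct functions the FEOL foundry must consider possible for the inventory it sees. The two designs use the same three NAND2 cells but compute different functions.

```python
"""Toy 2D split-manufacturing model: FEOL view vs. BEOL wiring.

Constructed example (not the talk's or IARPA's code).  A gate-level netlist
is a list of (instance, cell_type, input_nets, output_net) in topological
order; primary inputs are nets "a" and "b", the primary output is net "y".
"""
from itertools import product

CELL_LIBRARY = {"NAND2": lambda x, y: 1 - (x & y)}

# Two different functions built from the same inventory of three NAND2 cells.
DESIGN_OR = [                          # y = a OR b
    ("u1", "NAND2", ("a", "a"), "n1"),
    ("u2", "NAND2", ("b", "b"), "n2"),
    ("u3", "NAND2", ("n1", "n2"), "y"),
]
DESIGN_ANDN = [                        # y = (NOT a) AND b
    ("u1", "NAND2", ("a", "b"), "n1"),
    ("u2", "NAND2", ("n1", "b"), "n2"),
    ("u3", "NAND2", ("n2", "n2"), "y"),
]


def split(netlist):
    """Partition a netlist into the two foundries' deliverables.

    FEOL (untrusted foundry): the cell instances with every pin unconnected.
    BEOL (trusted facility): only the mapping pin -> net, i.e. the wiring.
    """
    feol = sorted((inst, cell) for inst, cell, _, _ in netlist)
    beol = {}
    for inst, _, ins, out in netlist:
        for pin, net in enumerate(ins):
            beol[(inst, f"in{pin}")] = net
        beol[(inst, "out")] = out
    return feol, beol


def feol_view(netlist):
    """What the FEOL foundry can see: cell types and counts, no connectivity."""
    return split(netlist)[0]


def evaluate(netlist, a, b):
    """Simulate the full (FEOL + BEOL) circuit for one input vector."""
    nets = {"a": a, "b": b}
    for _, cell, ins, out in netlist:
        nets[out] = CELL_LIBRARY[cell](*(nets[n] for n in ins))
    return nets["y"]


def truth_table(netlist):
    """Output for inputs (a, b) = (0,0), (0,1), (1,0), (1,1)."""
    return tuple(evaluate(netlist, a, b) for a, b in product((0, 1), repeat=2))


def realizable_functions(n_gates=3):
    """Every function the FEOL foundry must consider possible, given only an
    inventory of n_gates NAND2 cells: enumerate all acyclic BEOL wirings with
    inputs a, b and the last gate driving y."""
    choices = []
    for i in range(n_gates):
        available = ["a", "b"] + [f"g{j}" for j in range(i)]
        choices.append(list(product(available, repeat=2)))
    functions = set()
    for wiring in product(*choices):
        netlist = [
            (f"u{i}", "NAND2", ins, "y" if i == n_gates - 1 else f"g{i}")
            for i, ins in enumerate(wiring)
        ]
        functions.add(truth_table(netlist))
    return functions


if __name__ == "__main__":
    print("FEOL views identical:", feol_view(DESIGN_OR) == feol_view(DESIGN_ANDN))
    print("truth tables:", truth_table(DESIGN_OR), truth_table(DESIGN_ANDN))
    print("BEOL wiring of DESIGN_OR:", split(DESIGN_OR)[1])
    print("functions hidden behind 3x NAND2:", len(realizable_functions()))
```

The FEOL foundry still learns the cell inventory, and it still physically builds every device, so hiding the wiring limits design theft but does not by itself stop the foundry from modifying the FEOL layers; that is the caution the conclusions raise for Option 2.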
2D Split Manufacturing
• Questions
– What is the interface?
2D Split Manufacturing
• Source
– http://www.iarpa.gov/solicitations_tic.html
– http://www.iarpa.gov/TIC_Presentations/TIC_Proposers_Day_20110727.pdf
Option 3: 3D Split Manufacturing
[Koyanagi05]
• Merits of 3D LSI
[Figure: Present: 2D LSI (system LSI, functional blocks in plan view) vs. Future: 3D LSI (cross-section) with the functional blocks partitioned across tiers, a synchronous clock, vertical vias 1 to 50 μm long, and no increase in total thickness. Claimed merits: high performance, low power, new functions, low cost. Big concern in 2D is long global wiring, which 3D replaces by vertical vias.]
[Koyanagi05]
• Timeline (device/process milestones and 3-D IC technology, in the order shown)
– 1978: 3-D DRAM (Hitachi, Koyanagi) (1978); laser anneal; SOI (SIMOX) (NTT, Izumi) (1979); laser recrystallization
– 1980: stacked CMOS (Stanford); laser anneal MOS (Hitachi, Koyanagi) (1979); 3-D SRAM; wafer bonding (NEC, Nakamura)
– 1990: SOI (wafer bonding) (Hughes); SOI (Smart Cut) (Leti)
– 2000: CMP (IBM); Damascene Cu wiring (IBM)
– 3-D IC technology: 3-D IC National Project (1981-1990) (Japan); laser anneal 3-D (Mitsubishi); wafer bonding 3-D (transfer) (NEC); wafer bonding 3-D (non-transfer) (Tohoku Univ.); wafer bonding 3-D (buried interconnection) (Tohoku Univ.); wafer/chip bonding 3-D (Tohoku Univ., Fraunhofer); wafer bonding 3-D (SOI) (Motorola, etc.); ASET Project (1999-2003) (Japan); chip bonding 3-D; wafer bonding 3-D (Cu bonding) (RPI etc.); a-Si/poly-Si 3-D (Stanford Univ., Matrix Semi.); wafer bonding 3-D (SOI) (IBM)
Alternative 3-D Approaches
• PoP [Lim10]
• Wire Bonding (SiP) [Amkor09]
• [Amkor10]
Examples of 3-D Systems
• Network-on-Chip [Kim07]
[Figure: a 3D crossbar. Each layer's router (R) has a 5x5 crossbar with East, West, North, South and PE inputs and outputs over segmented links; vertical links (up to 25 for a 5x5 crossbar, only 4 shown for clarity) leave the page through a connection box and cross all layers in one hop. The connection box uses pass transistors to connect layer X up to layer X+1 and down to layer X-1.]
Examples of 3-D Systems
• Particle Physics [Demarteau09]
Examples of 3-D Systems
• Chip Scale Camera Module [Yoshikawa09]
Examples of 3-D Systems
• 3D-PIC 3-D CMOS Imager [Chang10]
Examples of 3-D Systems
• 3-D Stacked Retinal Chip [Kaiho09]
Examples of 3-D Systems
• 3-D Stacked Retinal Chip [Koyanagi05]
Medical Image Processing
• [Cong 2011]
Examples of 3-D Systems
• 3-D FPGAs [Razavi09]
[Figure: panels (a), (b) and (c) comparing a 2D switch box (2D SB, tracks 0-3 in X and Y) with a 3D switch box (3D SB) that adds tracks in Z]
Examples of 3-D Systems
• 3D-MAPS: Many-core 3-D Processor with Stacked Memory [Lim10]
[Figure: cross-section of the Tezzaron 2-tier 3D IC in an Amkor package: heat sink on top, core tier and memory tier joined by signal and P/G F2F vias, TSVs, wire bonds to the package, molding and thermal interface material]
Some Data on 3D
• [Kim 2012] 64 CPU cores joined with 256K of SRAM: 63.8GB/s memory bandwidth
• [Yoshikawa 2009] CMOS image sensor: 55% reduction in volume and 36% reduction in footprint
• [Loh 2007] 3D floor plan for Pentium 4: 15% improvement in performance and power; 10.3% improvement in clock frequency for Alpha 21364; 3D version of dynamic non-uniform cache architecture reduces L2 access time by 50%; 3D stacking can allow the cache size to increase, reducing average memory access latency by 13% and reducing off-chip bandwidth by 3x
• [Black 2006] 3D stacked DRAM cache can reduce cycles per memory access by 13% on average and by as much as 55% while reducing off-chip bandwidth and power by 55%
• [Loh 2008] Optimizations to 3D DRAM that result in 1.75x speedup over prior 3D DRAM approaches; L2 miss handling architecture that achieves an extra 17.8% performance improvement
• [Puttaswamy 2005] 3D-partitioned cache can reduce latency by 21.5%, reduce energy consumption by 30.9%, and increase IPC by 12%.
What is 3Dsec?
• Economics of High Assurance
– High NRE Cost, Low Volume
– Gap between DoD and Commercial
• Disentangle security from the COTS
– Use a separate chip for security
– Use 3-D Integration to combine:
• 3-D Control Plane
• Computation Plane
– Need to add posts to the COTS chip design
• Dual use of computation plane
3DSec: Trustworthy System Security through 3-D Integrated Hardware
Idea: Augment commodity hardware after fabrication with a separate layer of security circuitry
[Figure: cross section. Silicon Layer 2 (Security Layer) stacked on Silicon Layer 1 (Processor Layer), joined by posts]
Problem: Integrating specialized security mechanisms is too costly for hardware vendors
Goal: Build trustworthy systems using commercial hardware components
Anticipated Benefits: Configurable, protected, low-cost hardware security controls that can override activity in the commodity hardware
Privacy Applications:
• Detect and intercept the execution of malicious code
• Prevent the microprocessor internals from being exploited to leak crypto keys
• Tag and track private information as it flows through a processor
Pros and Cons
• Why not use a co-processor? On-chip?
• Pros
– High bandwidth and low latency
– Controlled lineage
– Direct access to internal structures
• Cons
– Thermal and cooling
– Design and testing
– Manufacturing yield
Cost
• Cost of fabricating systems with 3-D
– Fabricating and testing the security layer
– Bonding it to the host layer
– Fabricating the vias
– Testing the joined unit
Circuit-Level Modifications
• Passive vs. Active Monitoring
• Tapping
• Re-routing
• Overriding
• Disabling
3-D Application Classes
• Enhancement of native functions
• Secure alternate service
• Isolation and protection
• Passive monitoring
– Information flow tracking
– Runtime correctness checks
– Runtime security auditing
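A small simulation, added here as an example and not code from the talk or from the 3DSec project, of how a control plane reached through posts can realize the circuit-level modifications and application classes above: tapping the bus (passive monitoring and auditing), rerouting it through a reference monitor, overriding a transaction with a secure alternate service (key storage that never touches commodity memory), isolating a write-protected region, and disabling the computation plane with a kill switch after repeated violations. The class names, the region table, the bus-master names and the addresses are constructed for illustration.

```python
"""Constructed model of a 3-D control plane attached to a commodity
computation plane through posts.  Class and field names are assumptions for
this example, not the talk's or 3DSec's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusTxn:
    master: str      # on-chip bus master driving the transaction ("cpu", "dma", ...)
    op: str          # "read" or "write"
    addr: int
    data: int = 0


@dataclass(frozen=True)
class Region:
    lo: int
    hi: int
    masters: frozenset                      # masters allowed to touch this range
    ops: frozenset                          # operations allowed in this range
    served_by_control_plane: bool = False   # secure alternate service


# Constructed policy: key storage lives only in the control plane (override),
# code is write-protected (isolation), everything else is untouched.
REGIONS = (
    Region(0x10, 0x1F, frozenset({"cpu"}), frozenset({"read", "write"}), True),
    Region(0x20, 0x2F, frozenset({"cpu", "dma"}), frozenset({"read"})),
)


class ReferenceMonitor:
    """Control-plane logic.  mode="tap": the native bus stays enabled and the
    monitor only observes (passive monitoring).  mode="reroute": sleep
    transistors hold the native bus off, every transaction arrives over the
    posts, and the monitor may pass, override or disable it (active)."""

    def __init__(self, regions, mode="reroute", max_violations=3):
        self.regions = regions
        self.mode = mode
        self.max_violations = max_violations
        self.audit = []              # runtime security audit trail
        self.violations = 0
        self.kill_switch = False     # once tripped, the bus is held disabled
        self.secure_store = {}       # control-plane-private storage

    def _region(self, addr):
        return next((r for r in self.regions if r.lo <= addr <= r.hi), None)

    def decide(self, txn):
        """Return (verdict, value): verdict is "pass", "served" or "blocked"."""
        if self.kill_switch:
            return ("blocked", 0)
        region = self._region(txn.addr)
        if region is None:
            return ("pass", None)
        if txn.master not in region.masters or txn.op not in region.ops:
            self.audit.append(("violation", txn))
            self.violations += 1
            if self.violations >= self.max_violations:
                self.kill_switch = True      # disabling: cut the plane off
                self.audit.append(("kill_switch", txn))
            return ("blocked", 0)
        if region.served_by_control_plane:   # overriding: answer from our own store
            if txn.op == "write":
                self.secure_store[txn.addr] = txn.data
                return ("served", None)
            return ("served", self.secure_store.get(txn.addr, 0))
        return ("pass", None)


class ComputationPlane:
    """Commodity tier: a memory behind a bus, with posts up to the monitor."""

    def __init__(self, monitor, words=64):
        self.mem = [0] * words
        self.monitor = monitor

    def _native_bus(self, txn):
        if txn.op == "write":
            self.mem[txn.addr] = txn.data
            return None
        return self.mem[txn.addr]

    def issue(self, txn):
        """Drive one transaction; returns read data, None for a completed write."""
        mon = self.monitor
        if mon.mode == "tap":                 # tapping: a copy goes up, bus untouched
            mon.audit.append(("tap", txn))
            return self._native_bus(txn)
        verdict, value = mon.decide(txn)      # rerouting: the monitor sees it first
        if verdict == "pass":
            return self._native_bus(txn)
        if verdict == "served":
            return value
        return 0                              # blocked: bus driven to a safe value


if __name__ == "__main__":
    cp = ComputationPlane(ReferenceMonitor(REGIONS))
    cp.issue(BusTxn("cpu", "write", 0x10, 0xAB))
    print("key in commodity memory:", cp.mem[0x10], "| cpu reads key:",
          cp.issue(BusTxn("cpu", "read", 0x10)), "| dma reads key:",
          cp.issue(BusTxn("dma", "read", 0x10)))
```

In tap mode the monitor can only audit; the ability to block or serve a transaction exists only because the native bus was cut by sleep transistors and rerouted over the posts. That is the self-protection point made later in the talk: the control plane must not depend on the computation plane honouring the policy.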
Self-Protection and Dependency
Layering
• Can a 3-D control plane provide useful
secure services when it is conjoined with an
untrustworthy computation plane?
• Yes, provided:
– Self-protection
– Dependency Layering
• Applies to overseas foundry
– Option 1: FPGA fabric
– Option 2: FEOL layer(s)
– Option 3: computation plane
Conclusions and Future Work
Conclusions
• Option 1
– Design never goes to foundry
– Simple and inexpensive
– Bit-stream decryption mechanism is vulnerable to
side channel attack on fielded device.
– Caution: Attacker can cause serious harm by
modifying the FPGA fabric even without
knowledge of the final design to be loaded onto
the FPGA
Conclusions
• Option 2
– Only BEOL knows connections between devices
made in FEOL stage
– What is the interface between FEOL, BEOL?
– Cost? Complexity? Feasibility?
– Caution: Attacker can cause serious harm by
modifying FEOL layer(s) even without knowledge
of BEOL layers.
Conclusions
• Option 3
– Computation plane manufactured in untrusted
foundry, control plane manufactured in trusted
foundry
– Caution: attacker can cause harm by modifying
computation plane even without knowledge of
control plane.
Conclusions
• Option 3
– Probing for testing purposes is harder for 3D than for 2D
– It is not trivial to chemically remove package of
3DIC, break bond between tiers, and tap the TSVs
– Tiers are tightly bonded and have no exposed
shared buses or I/O pins
– Future work: secure protocols between tiers
Conclusions
• Option 2 vs. Option 3
– Both are challenging. What is the interface?
– Option 2: Can we depend on untrusted FEOL devices?
Can we protect ourselves from them? Can same FEOL
wafer design be used for many different BEOL
designs? Can we tap, override, disable, reroute, etc.?
Can we decouple security and non-security
functionality?
– Option 3: Can we use untrusted computation plane?
Can we protect ourselves from them? Can same
computation plane be used with many different
control planes (or alone)?
Split Manufacturing
• Discussion Points
– Can we trust the result of split manufacturing?
– Could this approach harm security?
– What are the challenges of 2D?
– What are the challenges of 3D?
– Is it worth it? When is it worth it?
– Why not use trusted foundry always?
– Are trusted foundries a band-aid solution to the offshoring trend?
– Can we do everything from scratch?
Questions?
• faculty.nps.edu/tdhuffmi
Additional Slides
Split Manufacturing
• 2-D
• 3-D
[Figure: cross section of 3-D split manufacturing: Silicon Layer 2 stacked on Silicon Layer 1, joined by posts]
Face-to-Back Bonding
• Rerouting bus signals
[Figure: cross section. Computation plane (silicon substrate, CMOS logic, metal layers): the native bus is disabled by sleep transistors, and buffers drive its contact points through TSVs. Control plane (CMOS logic, metal layers, vias): reference monitor logic receives the rerouted signal over the posts and returns it through buffers and TSVs. The posts carry the rerouted signal between the two planes.]