Overview

As hardware and software both grow in complexity and continue to converge, ensuring system security is becoming an increasingly important and difficult problem. This issue is especially rampant in the mobile semiconductor space, as modern mobile System-on-Chip (SoC) designs incorporate hundreds of different subcomponents, introducing complexity and internal chip interactions that did not previously exist.

State-of-the-art security verification is either done manually by reviewing design and verification documentation, or using existing verification platforms which focus on only functionality not security. The first approach is inadequate because 1) it takes a tremendous amount of time and effort and 2) does not actually review the real design but rather the documentation created by the design and verification teams. This leads to a disconnect between what was documented and what was actually produced. Security teams spend months reviewing boot flow diagrams, verification plans, and architectural documentation and seldom perform an analysis on the real register-transfer level (RTL) design files, netlists, bootcode, and firmware executing on their systems. This opens the door for potential design flaws, internal malicious actors, and undocumented functionality which lead to security vulnerabilities.

There have been an increasing number of attacks effectively demonstrated that exploit hardware vulnerabilities exposed by software in the form of firmware or bootcode.  Examples include Qualcomm’s disk encryption hack [1], Intel’s ASLR architecture flaw [2], Broadcom’s WiFi chip vulnerability [3], and hundreds of other undisclosed vulnerabilities.

Tortuga Logic's products enable hardware design teams to identify security vulnerabilities in mobile chips that are undetectable using current methods of hardware security verification. This reduces the amount of time to market, reduces the likelihood of a chip re-spin, and reduces the chances of a costly chip recall. Here are examples of important security requirements a final system needs that are difficult to test with current techniques.

Use Cases

Trusted Execution Environment (TEE):

The TEE is a secure area of a microprocessor that ensures logical separation in the software space [4]. This is an essential feature of modern chips, but its existence is not sufficient if the hardware logical portion is vulnerable to malicious accesses.  Mobile chip manufacturers do create logical isolation in hardware through access control in networks-on-chip, or interconnect as well as logical separation of sub-system or single channel between specific critical assets. For Premium Content Protection (or Digital Rights Management), premium content might be placed in a separate memory device that can be only accessed by the main SoC. This would ensure confidentiality from anyone trying to pirate the premium content through a different channel (USB, JTAG).

More and more, mobile devices are capable of financial transactions at point of sales, for example using Near Field Communication (NFC) transmissions. Private financial data needs to remain encrypted and siloed between the application and the NFC peripheral. There should not exist a logical path in the hardware to extract such information. Authentication sensors (fingerprint, face recognition) are essential to providing content privacy. It is essential to verify confidentiality to forbid extracting the raw data from its secure hardware enclave and to verify integrity that could allow spoofing a user identity by forcing the content into the sensor.

Secure Boot:

Secure Boot in mobile devices is a feature that slices the boot sequence into multiple stages, where each stage executes a specific executable code image that is authenticated in the previous stage by verified software to ensure integrity [5]. The initial image is the primary bootloader and relies on HW resources to authenticate. Such resources are critical assets that highly protected by restricted access control. Ensuring that such access control is correctly implemented in hardware/software interaction is essential to protect from attacks that would readily abuse credentials that should not be exposed (such as hardware decryption keys or hardware derived keys).

Incorrectly implementing these features and failing to test their correctness can have disastrous results.

 

To Learn More, Download Our Whitepaper Here.

 

[1] The Hacker News. How to crack Android Full Disk Encryption on Qualcomm Devices. http://thehackernews.com/2016/07/hacking-android-encryption.html, July 2016.

[2] ARS Technica. Flaw in Intel chips could make malware attacks more potent. http://arstechnica.com/security/2016/10/flaw-in-intel-chips-could-make-malware-attacks-more-potent/, October 2016.

[3] Wired, How a Bug in an Obscure Chip Exposed a Billion Smartphones to Hackers, https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/, July 2017

[4] Wikipedia. Trusted Execution Environment. https://en.wikipedia.org/wiki/ Trusted_execution_environment, October 2017

[5] Qualcomm. Secure boot and image authentication in mobile tech. https://www.qualcomm.com/news/onq/2017/01/17/secure-boot-and-image-authentication-mobile-tech, January 2017