The Early Bird Gets More Secure Hardware
By Rob van Blommestein, Head of Marketing at OneSpin: A Siemens Business
I’m sure you’ve heard the expression “The early bird gets the worm.” This proverb emphasizes the importance of starting something early to maximize the potential outcome. In terms of hardware security, this idiom is spot on. Cybersecurity shouldn’t only be about protecting the software from attacks. Hardware is just as important.
Cyberattacks continue to advance significantly, progressing past the software layers and seeking to compromise hardware down to the integrated circuit (IC). Compared to software, ICs are much more difficult to patch once fielded —therefore, early identification of potential vulnerabilities is increasingly important.
To aid in the hardware security effort, the Accellera IP Security Assurance Working Group has recently released a draft of the security annotation for electronic design integration or SA-EDI. What does SA-EDI do exactly? Well, the standard helps to address the security concerns of hardware and software IP in a manner that is low-overhead, non-disruptive, and scalable across multiple target implementations. It specifies and approach to provide information about the security properties of IP. This information is relevant to the integrator and provides recommended solutions to address risks. The standard leverages existing standards that pertain to IP specification, design, verification, and integration where security risk is a concern, as well as known security concerns that have been identified by either industry experience or security researchers. The standard aims to offer IP providers a standardized means to disclose relevant security properties for the integrator to consider for integration. It also assists IP integrators in understanding and reducing security risk.
Now that this standard is out, the bigger question is how do we put it into practice? How can we leverage this standard to find security weaknesses early and continue to manage the security assets and verify them throughout the IP lifecycle?
OneSpin, A Siemens Business, and Methodics IPLM by Perforce explore this topic using small module of intellectual property (IP) intended for integration into an IC. Using key technology for IP management from Methodics and OneSpin advance formal verification solutions have demonstrated the process recently released in the SA-EDI standard.
The process includes use perspectives from the IP Provider to identify assets and known security concerns for the IP, in addition to showing how the IP Integrator may use the asset information in further security verification.
OneSpin automates security information exchange using identified assets and known security weaknesses while Methodics enumerates attacks and refines objectives providing a link between IP providers and integrators to add properties and objectives where different attributes that can be managed throughout the life of the IP. OneSpin then performs verification and analysis of the security objectives using automated property verification and then assesses how those properties and assertions can be used throughout the rest of the verification process.
This jointly presented demo on SA-EDI implementation can be viewed on demand as part of Siemens Verification Academy.