The technology industry was blindsided by the Meltdown and Spectre security vulnerabilities, which affected many of the most complex computer chips in the world. One of the cybersecurity researchers that identified the design flaws works at the security division of chip designer Rambus, which is now trying to help protect against future hardware vulnerabilities.
Rambus recently released a processor core called the CryptoManager Root of Trust that can be embedded inside chips and isolate sensitive code. Rambus says critical security functions can be handled inside the block instead of inside the main processor. Chip suppliers have focused on performance in recent years while ignoring the effect of increasing complexity on security.
“Doing complex things to improve performance can open vulnerabilities,” said Ben Levine, senior director of product management for Rambus, which targets side-channel attacks in which hackers probe processor designs to help them pry into software. “Rather than trying to secure an inherently insecure processor, we are moving security into an isolated place.”
Rambus said that the new CryptoManager core could act as the hardware root of trust, verifying that the chip equipped with the technology is only running approved software and that malicious code has not been added. It handles security functions like secure boot of the operating system, and since these functions take place in hardware, they cannot be changed.
In 2003, the Trusted Computing Group started to define hardware root of trust standards. The organization suggested using a secure microcontroller physically separated from the main processor on a circuit board as the hardware root of trust, which would tell the operating system that the hardware could be trusted. That technique is still widely used in connected devices where tighter security is required.
But over the years, the root of trust and other security functions were combined inside the main processor by companies like Intel and ARM, cutting power and costs. The Sunnyvale, California-based Rambus is trying to incorporate elements from both architectures, taking security functions out of the main processor but keeping them in an embedded core on the same chip.
The Rambus core supports multiple roots of trust, with an extremely secure nucleus building out to less secure sections only accessible with special permissions verified in hardware. Manufacturers using chips that contain the core can update cryptographic keys over the lifetime of a connected device, while the chip suppliers can insert keys at deeper levels.
Rambus designed the core to improve security in connected cars, factory sensors and other Internet of Things devices. “The semiconductor industry faced some of its biggest security issues this year with recent vulnerabilities, and the potential to encounter additional security flaws will not go away any time soon as more IoT devices enter the market,” said Abhi Dugar of International Data Corporation.
“To address existing and new threats, establishing trust at the hardware level will be critical, and a secure siloed core can help ensure that this new generation of devices can be protected from security flaws,” said Dugar, the technology research firm’s director of IoT security, in a statement.
The CryptoManager core contains dedicated memory for storing secrets and a fully programmable computer processor based on the RISC-V architecture to accelerate cryptographic algorithms. The core supports security functions like remote authentication and attestation, secure boot and other defense mechanisms that protect against emulation and reverse-engineering.
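The verification chain that the previous paragraphs describe (an immutable hardware root that vouches for approved software, a chip supplier's key inserted at the deepest level, and a manufacturer's key layered above it that signs the firmware) can be modelled in a few dozen lines. The following script is an added illustration written for this article, not Rambus code, and it assumes nothing about the CryptoManager core's real key formats or boot flow; the fused digest, the key names and the sample firmware image are constructed. It uses a Lamport one-time signature over SHA-256 so that it runs with the Python standard library alone.

```python
"""Secure-boot chain with a two-level key hierarchy (added illustration).

Not Rambus code; it models the ideas in the text.  An immutable hardware
root pins the chip supplier's public key, the supplier key authorises the
device manufacturer's key, and that key signs the firmware image.  Every
key, digest and image below is constructed for the example.
"""
import hashlib
import secrets

N = 256  # SHA-256 digest length in bits; one secret pair per message bit


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport key pair: 256 secret pairs; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _message_bits(msg: bytes):
    d = int.from_bytes(sha256(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """Reveal one preimage per digest bit.  A Lamport key may sign only once;
    each key in the demo chain signs exactly one object."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    bits = _message_bits(msg)
    return len(sig) == N and all(
        sha256(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, bits))
    )


def key_digest(pk) -> bytes:
    """Compact identifier of a public key; this is what gets fused into the chip."""
    return sha256(b"".join(a + b for a, b in pk))


def verify_boot(fused_digest, supplier_pk, mfr_pk, mfr_cert, image, image_sig):
    """Walk the chain from the immutable root outward.

    Returns (True, "ok") or (False, <name of the stage that failed>).
    """
    # Stage 1: the supplier key presented must match the digest fused at fab time.
    if key_digest(supplier_pk) != fused_digest:
        return False, "supplier-key"
    # Stage 2: the supplier key must have authorised the manufacturer's key.
    if not verify(supplier_pk, key_digest(mfr_pk), mfr_cert):
        return False, "manufacturer-key"
    # Stage 3: the manufacturer key must have signed this exact image.
    if not verify(mfr_pk, image, image_sig):
        return False, "firmware"
    return True, "ok"


def build_demo_chain(image: bytes = b"constructed firmware image v1"):
    """Constructed sample: supplier provisions the root, manufacturer signs firmware."""
    supplier_sk, supplier_pk = keygen()
    mfr_sk, mfr_pk = keygen()
    fused_digest = key_digest(supplier_pk)             # written once, never changed
    mfr_cert = sign(supplier_sk, key_digest(mfr_pk))   # supplier authorises mfr key
    image_sig = sign(mfr_sk, image)
    return {
        "fused_digest": fused_digest, "supplier_pk": supplier_pk,
        "mfr_pk": mfr_pk, "mfr_cert": mfr_cert,
        "image": image, "image_sig": image_sig,
    }


def check(chain, **override):
    """Run verify_boot on a chain, optionally substituting fields to simulate tampering."""
    c = dict(chain, **override)
    return verify_boot(c["fused_digest"], c["supplier_pk"], c["mfr_pk"],
                       c["mfr_cert"], c["image"], c["image_sig"])


if __name__ == "__main__":
    chain = build_demo_chain()
    print(check(chain))                        # (True, 'ok')
    print(check(chain, image=b"tampered"))     # (False, 'firmware')
    _, rogue_pk = keygen()
    print(check(chain, mfr_pk=rogue_pk))       # (False, 'manufacturer-key')
```

The point of the structure is the one the article makes: the only value that has to be immutable is the fused digest of the supplier key, the manufacturer's key can be replaced by issuing a new certificate under it, and a modified image or an unauthorised key is rejected at a specific, identifiable stage rather than silently accepted.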
Rambus said that it would make software tools available to help customers program its silicon. Using the isolated core allows chip designers to optimize the main processor for either high performance or low power without sweating security, Levine said in an interview. The core has power consumption and die space tradeoffs, but Levine said that they would be minor.
Rambus hopes to mitigate the risk of hardware vulnerabilities. Both Meltdown and Spectre stem from speculative execution, a technique widely used to accelerate computer chips by letting them guess and start operations in advance. Researchers took advantage of it to access passwords and other secrets that would normally be sealed off in memory caches.
In March, almost three months after the vulnerabilities were announced, Intel said that it had released patches for every processor it was going to patch, which could still suffer lower performance as a result. The company, which has significantly increased its hardware bug bounties, also said it would erect partitions in future generations of chips to suppress malware or hackers trying to pilfer secrets through holes in the processor design.
The vulnerabilities could have a silver lining, raising awareness in the semiconductor industry about the pitfalls of weak security. “Anything that sheds light on the difficulty of making systems and devices secure, and wakes up the industry out of a sense of complacency about security is good for the industry as a whole,” Levine told Electronic Design.
There are signs of change afoot. On Friday, John Neuffer, president of the Semiconductor Industry Association, called for new standards in reporting hardware vulnerabilities like Meltdown and Spectre, taking into account the complex challenge of patching chips, which involves making alterations to microcode, or the unique operating code of chips. Chip suppliers need more than the three-month standard in the software industry, he said.