Hardware Security

Until recently, hardware was largely considered safe, trustworthy, and secure. If the onslaught of Spectre and Meltdown-style attacks have taught us one thing, it’s that hardware is not secure and it is a lucrative and vulnerable attack surface. We have been working in the the hardware security space for over 15 years — performing fundamental research in FPGA security, using 3D integrated circuits for security monitoring, developing the theory and practice around information flow tracking for hardware security verification, creating architecture techniques to mitigate side channels, and building a property driven methodology to uncover hardware vulnerabilities. We detail each of the major efforts in the following.

Property Driven Hardware Security: The current state of the art for hardware design security relies heavily on functional verification, manual inspection, and code review to identify security vulnerabilities. This labor intensive process does not scale, it significantly reduces productivity, and worst of all provides no guarantee that a security flaw will be identified until it is exploited in the wild. Continuing on with the status quo will undoubtedly leave hardware designs susceptible to a variety of attacks manifested through hardware, firmware, and software vulnerabilities. We must make every effort to verify that the hardware is secure. This is currently a challenging task due to the fact that security properties cannot be modeled and verified using existing hardware design tools. We are developing a property driven approach to hardware security [C136], which enables automatic verification of security properties on a hardware design. This encompasses three major research goals: 1) developing expressive security property languages [J35, J40]) building comprehensive models that describe the security related behaviors of a hardware design [J39, J46, J51, C137, C138, C139, C141], and 3) creating tools that can verify the security properties on these models in an efficient manner [C144, C150].                  

Computational Blinking: The average person blinks 15-20 times per minute for a duration between 100-400 ms. Thus, we spend between 2.5-13.3% of our waking time with our eyes closed due to blinking. Furthermore, sections of our brain are actually momentarily “powered off” during each blink. Yet, we are rarely even aware of these near continuous interruptions. These spontaneous blinks occur at natural breakpoints when out attention is least needed, e.g., during a pause when listening to a speaker or at a scene change in a video. Computational blinking is inspired by this phenomenon. It is a set of techniques targeting the seamless disconnection and reconnection of components isolated for safety or security. While briefly disconnected, critical computations can be performed free from both measurement and modification of resources, timing, and power. Our computational blink methodology explores the possibilities of new circuit structures to co-store energy and memory presenting a novel architectural trade-off, new architectures built to complete operations under exceedingly tight time constraints, interconnect designs to manage the burstiness inherent in disconnected operation, scheduling techniques to manage the dynamic and well-formed trade-offs between performance and information leakage, and novel design and analysis tools [C146].                  

Hardware Information Flow Tracking (HW IFT): Information flow tracking is a classic computer security technique that monitors how data moves through a system. It has long be used to analyze the security properties related to non-interference, confidentiality, and integrity. We pioneered the use of IFT for hardware security verification. Our gate level information flow tracking (GLIFT) techniques provided a formal model for analyzing hardware designs for IFT-related security properties [J28, J31, C85].  This allows us to specify security properties and verify that a hardware design adheres to these properties. More recently our register transfer level IFT (RTLIFT) [C137] was the first HW IFT to separate out the timing side channel [C141], which allows us to verify that a design is not vulnerable to attacks using timing, e.g., Meltdown and Spectre. These research ideas were transitioned out of the university and are the core technology for Tortuga Logic. I am one of the co-founders of Tortuga Logic (http://www.tortugalogic.com/).  This company started with a grant from the NSF Innovation Corps (I-Corps). Subsequently, we received NSF SBIR Phase I, IB, II, and IIB awards and have raised million of dollars in venture funding. Tortuga currently has ~15 full time employees and contracts with several top semiconductor companies and government laboratories.

3DSec: Three-dimensional integrated circuits (3D ICs) are manufacturing technique that stacks silicon wafers to create larger, more complex, and higher performance computer chips. Our 3DSec project looked at how we could leverage 3D ICs to secure commercial off the shelf hardware. The project investigated a novel way to augment commodity hardware after fabrication to enhance secure operation for only those systems that require it. Our research showed that commodity integrated circuits, with minor modifications, could be enhanced with a separate silicon layer, stacked using 3-D integration. These new layers, which need not be included in commodity parts, can then be used for monitors, special purpose interconnect, and other methods of introspection [J33, C65, C88, C89, C95, BC4]. This work defined a low-cost way of integrating custom security components developed in a trusted foundry with a COTS electronics created in an untrusted, but bleeding edge foundry.

RCSec: Reconfigurable computing (RC) combines the high computational performance of application specific integrated circuits (ASICs) with the re-programmability of software. Reconfigurable architectures, and in particular FPGAs, have quickly become ubiquitous. Unfortunately their inherent hardware malleability can be twisted to disrupt critical operations, snoop on supposedly secure channels, or even to physically melt a device. The RCsec project established best practices for reconfigurable hardware design and synthesis tools. This includes methods of enforcing separation in the reconfigurable fabric, advanced memory protection without virtual memory, and dynamic policy management. The project pioneered the area of security for reconfigurable hardware, establishing fundamentally new models of computation, policy, architecture, and hardware synthesis [J19, J20, J21, J24, C49, C58, C94]. Xilinx and the NSA have since adopted guidelines very similar to our recommendations. The research in this project was summarized in the book “Handbook of FPGA Design Security” [B3].

Community Service: I have been heavily involved in organizing hardware security events at top conferences. The IEEE International Symposium on Hardware-Oriented Security and Trust (HOST) (http://www.hostsymposium.org/) is a top conference in hardware security. I was co-TPC chair in 2016, TPC chair in 2017, General Chair in 2018, and currently a member of its Steering Committee. I served on the 2018 and 2019 Special Focus Committee on Security and Privacy for the Design Automation Conference (https://dac.com/).