Embedded Security: Concepts of designing secure hardware
Embedded security aims to reduce the vulnerabilities and protect against threats on embedded devices. It involves a diligent approach to mechanical design, hardware design, and software development, as well as added security software, following best practices and consultation with experts.
- Mechanical design – Physical device enclosure/casing
- Hardware design – PCB, circuit schematics and layout
- Firmware design – Secure software development
Physical Security and Tamper Mechanisms
Establishing low-level security down to the hardware level, in conjunction with software, provides more protection than a software-only solution. The main objective of a device's physical security characteristics is to defend against penetration-based attacks. Such characteristics can be subdivided into four classes, and are most effectively implemented in layers:
- Tamper Resistance – Hardened steel enclosures, locks, tight airflow channels, security bits/one-way screws, encapsulation, etc.
- Tamper Evidence – Physical tamper attempts or changes can be visually observed
- Tamper Detection – Enables the device to be aware of tampering
- Tamper Response – Countermeasures taken upon the detection of tampering (works hand-in-hand with tamper detection mechanisms)
Various physical security characteristics and mechanisms should be implemented in order to provide a sufficient level of security against unauthorized disclosure or modification of sensitive information in the device and/or alteration of its inherent functionality. The security mechanisms should be physically structured in different protection layers, so that the protection mechanisms of several levels have to be defeated in order to gain access to secure information or to be able to insert a bug.
- Detect the opening of a device, breach of security boundary, or movement of a component – Use security switches: e.g. micro-switches, magnetic switches, mercury switches, pressure contacts
- Detect an environmental change, glitch attacks against signal lines, or probing via X-ray/ion beam – Use sensors for temperature, radiation, voltage, etc.
- Detect a break or short-circuit of a security signal – Use special material wrapped around critical circuitry, or create a security perimeter scanned by security signals (mesh): flexible circuitry, nichrome wire, fiber optics, specialized electronic security enclosures, etc.
- Erase critical portions of memory (“zeroize”) or remove power, shut down or disable device
- Logging mechanisms can provide audit information for help with forensic analysis after an attack
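The detection-response chain in the list above, written out as firmware logic. This is an added example constructed for this page, not code from the original article; the event names, key size, log size and accessor functions are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed example: a tamper-detection interrupt feeding the response
 * chain from the list above (zeroize -> log -> disable). Names are assumed. */
typedef enum { TAMPER_NONE, TAMPER_ENCLOSURE_OPEN, TAMPER_MESH_BREAK,
               TAMPER_VOLTAGE_GLITCH, TAMPER_TEMPERATURE } tamper_event_t;
typedef enum { DEV_OPERATIONAL, DEV_DISABLED } device_state_t;

#define KEY_BYTES 32
#define LOG_SLOTS 8
static uint8_t device_key[KEY_BYTES];          /* secret that must not survive */
static device_state_t state = DEV_OPERATIONAL;
/* Audit log; on real hardware this lives in battery-backed RAM or OTP. */
static struct { tamper_event_t event; uint32_t tick; } tamper_log[LOG_SLOTS];
static size_t log_count;

/* Write zeros through a volatile pointer so the compiler cannot drop the
 * stores as dead code, which it is allowed to do with a plain memset(). */
static void secure_zeroize(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

static void tamper_log_append(tamper_event_t ev, uint32_t tick) {
    if (log_count >= LOG_SLOTS) return;        /* full: drop, never overwrite */
    tamper_log[log_count].event = ev;
    tamper_log[log_count].tick = tick;
    log_count++;
}

/* Entry point from the switch / mesh / sensor interrupt. Zeroize runs first
 * because destroying secrets is the time-critical step; log and disable follow. */
void tamper_response(tamper_event_t ev, uint32_t tick) {
    if (ev == TAMPER_NONE) return;
    secure_zeroize(device_key, sizeof device_key);
    tamper_log_append(ev, tick);
    state = DEV_DISABLED;
}

/* Accessors for provisioning, diagnostics and the test. */
void load_key(uint8_t fill) { for (size_t i = 0; i < KEY_BYTES; i++) device_key[i] = fill; }
int key_is_zeroized(void) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_BYTES; i++) acc |= device_key[i];
    return acc == 0;
}
device_state_t device_state(void) { return state; }
size_t tamper_log_entries(void) { return log_count; }
tamper_event_t tamper_log_event(size_t i) { return i < log_count ? tamper_log[i].event : TAMPER_NONE; }
```

The volatile loop in `secure_zeroize` is the detail that matters: an ordinary `memset()` before the key goes out of scope may be optimized away entirely, leaving the secret in RAM for an attacker who has already opened the enclosure.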
Embedded Security Considerations
Physical Access to Components
- Easy access to components helps attackers reverse engineer the product. Make sensitive components difficult to access, e.g. MCU, ROM, RAM, programmable logic
- Specialized websites allow anyone to easily find data sheets of components. Remove identifiers and markings from ICs (a.k.a. “de-marking”)
- For critical components use advanced technologies and packaging types, which are difficult to probe using standard tools: e.g. SMD, BGA, Chip-on-Board (COB), etc.
- Epoxy encapsulation of critical areas can be removed with chemical solvents, so it adds little to prevent probing and removal
- Consider using plastic components specially designed for the product, which are not freely available on the market
PCB Design and Routing
- Remove unnecessary test points
- Obfuscate trace paths to prevent easy reverse engineering
- Hide critical traces in inner PCB layers
- Use blind and buried vias whenever possible
  - A buried via connects two or more inner layers but no outer layer
  - It cannot be seen from either side of the board
- Keep traces as short as possible
- Properly designed power and ground planes reduce EMI and noise issues
- Keep noisy power supply lines away from sensitive digital and analog lines
- Differential lines should be aligned parallel even if located on separate layers
- Electromagnetic emissions could be monitored and used by attackers to determine secret information
- Implement side-channel attack (SCA) and differential power analysis (DPA) countermeasures
- Consider a specialized security microprocessor – Trusted Platform Module (TPM)
Trusted Platform Module (TPM)
TPM is an international standard for a secure cryptoprocessor, a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices. It facilitates the secure generation of cryptographic keys and limits their use, and it includes a random number generator. Software can use a TPM to authenticate hardware devices.