原创 Guarding SoCs with Bare Metal Security

Traditional solutions include JTAG, IP vendor offerings, and in-house tools and technologies. JTAG has the advantage of being universal, but it is a decades old technology that runs at an extremely low-level. Furthermore, on-chip JTAG is pretty dumb -- all of the intelligence resides in external tools running on workstations, which means it's of use in the lab, but less so after the SoC has been deployed to the field.

IP Vendors (e.g., ARM and Imagination) have some very powerful solutions that are great in their own domain, but typically cannot span the functionality of the entire SoC. Meanwhile, mega-companies (e.g., Apple and Qualcomm) have typically made use of internally-developed tools, but the complexity of the devices they are designing is increasing at such a rate that these companies are increasingly licensing more-sophisticated offerings from external vendors while freeing up their own engineers to focus on differentiating and adding value to their products.

All of which brings us to the folks at UltraSoC, whose vendor-neutral modules operate non-intrusively across the whole SoC, reporting rich information in real-time from both hardware and software. As a rough ballpark, the folks at UltraSoc tell me that -- based on their existing customer experiences -- on an 18-month development project, using UltraSoC's solutions for debug and verification can accelerate time-to-revenue by two months (this also means saving two months of development costs).

Following deployment to the field, an UltraSoC-equipped SoC can unobtrusively monitor its own operation, thereby allowing you to refine your products on the basis of data acquired in actual, real-life usage. You can gather trend data to pre-empt in-field malfunctions; and you can access key status information in the event of a failure incident to facilitate the forensics required for root cause analysis (RCA).

Now, UltraSoC has extended its monitoring and analytics capabilities with Bare Metal Security that provides the security functionality demanded by products ranging from Internet of Things (IoT) devices to embedded systems to enterprise systems.

Conventional security tends to live at the operating system (OS) level. By comparison, Bare Metal Security features are implemented as hardware running below the OS; these features are nonintrusive and remain robust and vigilant, even if the system’s conventional security measures are compromised.

(Source: UltraSoC)

As the folks at UltraSoC say:

Bare Metal Security functionality uses the UltraSoC monitors to watch for unexpected behaviors such as suspicious memory accesses or processor activity, at hardware speed and non-intrusively, with minimal silicon overhead. Because it is an orthogonal on-chip hardware infrastructure independent of the main system functionality and software, there is no negative impact on system performance and it is very difficult for an attacker to subvert or tamper with. […]

By offering resource-efficient and highly effective protection against malicious attack and malfunction, the UltraSoC on-chip analytics and monitoring system provides both development support and functionality enhancement from the same on-chip blocks. Teams which are already using UltraSoC to accelerate the debug, silicon validation and bring-up process can therefore utilize the same infrastructure for security processing; while designers who need Bare Metal Security features get the development benefits of a vendor independent on-chip debug infrastructure at zero additional cost.

I, for one, am becoming increasingly concerned about security (or the lack thereof) in our electronic systems. Having the ability to embed powerful, intelligent, orthogonal security directly into the hardware seems to me to be a very good way to go, and I will be watching the progress of UltraSoC's Bare Metal Security products with great interest.