Comments

Hello Warren, I had a chance to review the material for day 2, and have some questions. You talk about techniques for securing devices and protecting code without referring to implementation methods. I write code in assembly and C, then flash the device (NVM flash), then engage the security bit so the code cannot be seen by JTAG, etc. However, there is no encryption during program load! How do you employ encryption during "flashing" and in the bit-stream (reading and writing to the device's NVM)? Thank you.

Iron

Thank you Warren and D-K CEC

Low cost and performance

Protection may have some issues with driver development if device's ID is hard to see/detect 

Yes, Network, remote update via secured protocol

Thank you Warren and Jennifer.  See you tomorrow.

Iron

Warren's question was: What is typically most important in your design - low-cost, low power, performance, form factor, or something else? -- It depends on the application.  Form Factor is one of the most common drivers, though.

Iron

Warren's question was: What techniques, if any, had you heard of, previous to this course, for preventing copying? -- Encryption of data at rest, "secure" flash types

Iron

Good information on protecting design IP. Thanks Warren.
Looking forward to tomorrow's class on cryptographic techniques.
Thank You Jennifer, Design News and Digi-Key.

Iron

Warren's question was: Do your designs typically have network connectivity? Is a remote update feature supported? -- Most do.  Remote (not automated) update was part of the design in some cases.

Iron

Most important aspects of our designs: accurate, reliable, affordable

Iron

Device-level "lock-out" to prevent reading or writing the device.

Iron

Designs have not included networked update capability, but possibly in the future.

Iron

yes designs have included network connectivity.

Iron

Warren's question was: Do your designs typically include an MCU or FPGA? Which devices have you used previously?  --I typically do µC designs.

Iron

Designs most recently have used ARM-based designs, some ColdFire, MPC823, 8051, etc.

Iron

Hi again from Beaverton, Oregon. Done with my meeting, catching up on today's class.

Iron

@All- Any other questions?

Iron

@RL78- here is another one:

http://www.microapl.co.uk/asm2c/ 

Iron

Not sure if more recent devices are supported, but a group known as 2500AD had a disassembler for several older MCUs, including the Z180 / 64180 (Zilog / Hitachi, now Renesas).

Iron

@78RPM- Here is the source for a variety of converters that came up quickly via a google search:

http://www.mpsinc.com/index.html 

Iron

Yes, it would be interesting to know which vendors provide those programs. Like the old cable descramblers, to be used for "laboratory use only".

Iron

Thanks, Of course we will only use our powers for good, not for evil.

Platinum

@78RPM- I can do some digging and post some info here later today. Many debuggers have very similar features to those needed and can be used in that way. let me see what I can dig up...

Iron

@78RPM- Walk-net, as an attack vector- yep, makes sense..

Iron

I am not happy to hear that...

Iron

? Are there any sources of reverse engineering software you can mention?

Platinum

@CPU- The state of the tools today is very good for reverse engineering. Binary to Assembly to C is doable and can be very useful in figuring out algorithmic level stuff...

Iron

However, I am also a proponent of delay-based PUFs (although not RO-PUFs or ARB-PUFs), as you can leverage the entropy in existing hardware, which I believe is more impervious to model-building attacks.  

Iron

@Jarr- SRAM-PUF PhD thesis- Very nice! 

Iron

?A follow-up question. I've heard it said that obtaining source code by reverse engineering the binary code is like trying to get a cow from hamburger.  But what is the state of the art in reverse engineering? Are the hackers reverse engineering to get some low-level intermediate code (like assembly code) that requires lots of labor to exploit?

Iron

Wired magazine recently had an article on Stuxnet. The hard part was getting across the "air gap" between the inner network of centrifuges and the world-wide internet.  That was a walk-net accomplished by a vendor who was a spy of some sovereign government.

Platinum

@78RPM- posting a bond is a good idea. As long as you can be sure the bond is real...

Iron

My Ph.D. research was in PUF design, so I am quite aware of the SRAM PUF.  I agree that they are very cool.  :)

Iron

@78RPM- Yep, security processes for the human side is perhaps the weakest link at most companies. The dual/triple level of authorization needed is a good concept...

Iron

@Jarr- I believe PUFs are the best practical method for implementing security, but that's just MY opinion... Maybe it's just that the concept and implementation (of SRAM PUF for example) is just very cool...

Iron

hmmm, 2b or not to b

 

Iron

?I am using PIC processors. I'm not aware of any encrypted bitstream support for the flashing of those chips. Perhaps there is, but I haven't encountered it.

Iron

?require a thumbprint to program and store the thumbprint, perhaps

 

Iron

@DKH- You can use a dongle to help secure programming. You need some additional hardware and software but it is possible.

Iron

? (Followup) Do you believe that PUFs represent a practical alternative to eFuses due to their inherent fragility in the face of tamper efforts?

Iron

@Jarr- There are some very good techniques to prevent invasive attacks- many of which are proprietary to the manufacturers....

Iron

? When I was consulting in the printing of business checks, I told customers to never let one person have all the control of a secure process. For example, if you need a signature, let it out under dual custody. Of course, today we say that signatures are useless because nobody reads them.

Platinum

@CPU- If you use an encrypted bitstream for programming your device this can prevent a CM or even an employee from making a copy. You need to protect the design files too however!

Iron

? How effective is metal-layer masking at preventing eFuses from being read out using xrays or backside thinning and laser techniques?

Iron

?could you supply a dongle to the CM for the purposes of programming?

 

Iron

@Jarr- I'm not sure of a case of PUF thwarting overbuilding (not sure how you would find out) but you could contact a supplier that uses PUFs (like Microsemi) and see what they say...

Iron

? The question from cpu is interesting. Can we ask contractors to post a bond to assure confidentiality?

Platinum

@Jarr- There are some worms (like DuQu for example) that can spread via USB sticks. Also, Stuxnet could perhaps be considered a Trojan horse...

Iron

? We work with contract manufs and have them flash our MCUs or other chips, using binary files. Once the chip is flashed the code is secure in the chip. But how do we prevent the CM (or unscrupulous employee) from taking our binary program and reusing it?

Iron

? Have you ever known of a case where overbuilding has been thwarted by IC metering efforts using a PUF or other VLSI design primitive?

Iron

Good courses to take - Counterfeit Detection & Prevention—Protecting Your Supply Chain and Counterfeit Detection: Protect Your Supply Chain with Equipment & Specialized Test Techniques

@Jaar- Several types of devices are using PUFs successfully. Microsemi has a couple of families of FPGAs that can use them effectively.

Iron

?Have you ever known of a case where a H/W Trojan has been found in a product? 

Iron

@jjrochow- hopefully you will find the next three lectures more detailed... Please let me know what you think after those classes.

 

Iron

?? How practical are physical unclonable functions (PUFs) in practice?

Iron

?multiple vendors with inhouse programming

Iron

? where is "live chat?"

 

Iron

Today's lecture was not very informative. This seemed to be a rehash of yesterday's lecture. The only new thing seemed to be the info on slide #9 concerning Microsemi Flash FPGAs' security features. Warren, please present some detail..less high-level vague stuff..more technical detail.

@78RPM- Many companies remove the part numbers from the chips they use to make it more difficult to copy the design.

Iron

?? I meant to say Remove the markings

Platinum

Thanks good lecture look forward to tomorrow.

Iron

?? Warren, I have seen a number of online teardowns of popular devices. They identify specific chips used. Why don't big companies have the markings on the chips?

Platinum

@All- please use a leading "?" when you have a question for me. Makes it easy for me to see them.

Iron

Thanks Warren, Jennifer, and Digi-Key!!

Iron

Thanks Warren and Jennifer.

Iron

thanks it was very good

Iron

Reliability is often the top priority. Now, physical size and upgradeability are becoming very important.

Iron

Very informative! thx!

Iron

Great presentation, be here tomorrow

Iron

thank you both - Warren and Jennifer!

Iron

where is live chat?

 

Iron

Thanks Warren and Jennifer.

Iron

Warren, thank you for today's lecture

Thank you Jennifer, Design News and Digi-key

Iron

Thank you Warren, Design News, and Digi-Key

Platinum

application: one-time use upgrades (high $$$ value). Need to protect against reuse, cloning, failure, etc.

 

Iron

(correction - i searched on iTunes U, not general iTunes store)

 

searched on itunes for the stanford course but did not find.  can you post the course title tomorrow?

Be sure to follow @designnews and @DigiKeyCEC on Twitter for the latest class information. We encourage you to tweet about today's class using the hashtag #CEC

performance and power budget

Iron


low-cost and low power

Iron

Oops! Forgot to login.

Low Power, Reliability

Iron

performance, power budget, cost

Iron

(Remark: This chat tool should be changed to allow [enter] to post message)

Iron

performance and design on time

Iron

performance, reliability

 

Iron

Low cost usually controls everything

 

Iron

Performance & communication capabilities

Iron

performance and low cost

Iron

?? How effective are software-based obfuscation techniques to improve AT protection against side-channel attacks (in actual practice)?

Iron

Cost, Power & Performance (In that order)!

Iron

Performance, reliability

Iron

reliability in high RF fields

Iron

Low cost and performance

Iron

low cost & performance

Iron

Low power is important

Platinum

Performance and reliability

Iron

Warren's question was: What is typically most important in your design - low-cost, low power, performance, form factor, or something else?

All depends on the value; there is always a way to determine what is in your device no matter what security is employed, just time, money and equipment.

 

Iron

Haha! Now you tell us!

 

Iron

To participants: Having taken some of Warren's classes before, he says that you can preface any question you want answered with a question mark or two (? or ??) so he can find them easily.

Platinum

How effective are metal layer obfuscation techniques for guarding against x-ray or laser eFuse reading attacks?

Iron

Hi from Huntsville, Alabama!

What are the real risks posed by backside thinning and laser circuit activation techniques for reading security key information?

Iron

Hello from Milwaukee!

Iron

Re: decapping - some Si vendors will deliberately scramble bus bit layouts to throw decappers off the trail

How real is the threat of fault sensitivity analysis attacks in practice?  Is it overblown?  What about differential power analysis attacks?

Iron

Have heard of programming fuses and security bits, but that's it

Iron

What is the level of concern about H/W Trojans or backdoors in MCU or FPGA devices?

Iron

not familiar with the security key concept

Iron

Need to address decapping... seems to be a lot of reliance on "security fuses"... de-capping is well documented, cheap; easy; and fast (4 hours).

 

Iron

Is OTP or eFuse technology going to be replaced by PUF techniques over time?

Iron

Read Protection fuses, no viable IPs in unencrypted form in SPI devices

Iron

Not at this time, though have thought of security key/lock, have used internal circuits on inner layers of pcb to make it harder to figure out.

Iron

No worries, @jjrochow - you can ask him about it during the live chat at the end of the lecture. Or, you can listen again. The class will be archived immediately following the live taping.

encryption, security keys, source code locked

Microsemi's SmartFusion2 SoC incorporates an SRAM-based PUF to provide unclonable unique IDs for each chip.  How well does this work in practice?  

Iron

Didn't we talk about slide 9 yesterday?

Don't know any 100% secure

Iron

No knowledge at present - that's why I'm here! :-)

Iron

internal security bit in micro that eliminates code read out.

Iron

Dallas Semi had a uP with scrambled prog code in external ROM

Iron

the comments by Warren about slide 8 were not very clear to me.

Physical unclonable functions (PUFs).

Iron

Warren's question was: What techniques, if any, had you heard of, previous to this course, for preventing copying?

Not at this time, plan to do so.

Iron

I've dealt with counterfeit components coming in through our CM.  You also have to ensure your contract manufacturer has good supply chain management in place.

Iron

Test equipment automation, Pump-off and injection controller, frozen beverage control systems, servo systems etc.  Radio , cell phone and various hardwire communication schemes.

Iron

Many networked, some have code upgrade capability

Iron

Only use outbound to initiate data transfer

 

Iron

I've implemented an SD card bootloader for Renesas R8C product.  Product only has RS232 communications to date.

Iron

networked MCU with remote update

Iron

Applications would just be accessed locally, but I want to prevent downloading the code.

Remote update is supported. Product has network connectivity by either WiFi or cellular, or possibly Bluetooth.

Iron

HVAC Control Systems, Security and Life Safety product, Aerospace Product.

Iron

I would use a micro-SD bootloader for update.

Platinum

Our products are fixed link RS232 connection only, no network access. Bootloaders used for upload to upgrade, bug fix.

Wireless support mostly, MCU

Iron

All my designs have or need Internet or local net

Iron

Warren's question was: Do your designs typically have network connectivity? Is a remote update feature supported?

Zynq-7000, FPGAs, MCUs.  I am a hardware security researcher - my Ph.D. research is in PUF design and experimentation.  PUFs represent a very powerful countermeasure to the IC metering problem and unscrupulous overbuilding.

Iron

Coldfire and Xilinx xs100.

Iron

MSP430, Renesas RL78

Iron

Use both - higher level security used to slow the "bad guys"

 

Iron

MCU - STM, Atmel. NXP, FPGAs - Xilinx, Lattice

Iron

Both MCU and FPGA. No IP protection. Open book for anyone wanting to copy it. Which apparently, so far, is no one.

MCU and have used FPGA in past, 8051 series and 6800 series and a couple of Pics

Iron

MCU, mostly PIC & Atmel 8 bit. Moving to ARM.

Iron

MCU - AVR2560, MSP430

Iron

Typically use mcu.  Used Renesas R8C,  MicroChip, TI MSP-430, many others.

Iron

MCU. Have used Microchip, TI, ST and NXP parts

Typically MCU only -- starting to include FPGA

 

Iron

Good night from Valladolid, Spain, Europe

Iron

All MCU - no FPGA so far

 

Iron

mostly atmel ARM7, moving up to the cortex.

Iron

Typically MCU. Cypress, PIC

Iron

High performance CPU + FPGA

Iron

No remote connectivity used so far

typically an MCU in the designs

Iron

Have used MCU and XBee. Want to use SOC

Platinum

MCU - MSP430, Stellaris

Iron

fyi - updated from IE10 to IE11 today

previous all OK with IE10

audio bar does not appear, all things fine with chrome 31

Iron

Warren's question was: Do your designs typically include an MCU or FPGA? Which devices have you used previously?

audio volume is good but sounds like there are some compression artifacts

@bitbanger55 - check your audio mixer settings. I actually had to turn the volume down.

Iron

Audio level is a little low.

We are on slide 2 - today's agenda

Good morning all from CA

Iron

Hello from Albuquerque.

Iron

 

hello from Mishawaka

Iron

Hi all -Audio is live! If you don't see the audio bar at the top of the screen, please refresh your browser. It may take a couple tries. When you see the audio bar, hit the play button. If you experience audio interruptions and are using IE, try using FF or Chrome as your browser. Many people experience issues with IE. Also, make sure your flash player is updated with the current version. Some companies block live audio streams, so if that is the case for your company, the class will be archived on this page immediately following the class and you can listen then. People don't experience any issues with the audio for the archived version.

@jjrochow good to see you back again. Are you in Cleveland area?

Hello from Valdez. 14 Deg today, but clear

Greetings from Buffalo, NY!

Iron

Hello from Hudsons Hope BC

Iron

Hello from Scottsdale, AZ

Iron

Good morning from Reno, NV.

Iron

Hello from Albuquerque.

Iron

Hello from Memphis...

 

Iron

Aloha from Montana

Platinum

Class starts in 45 minutes. Be sure to click 'Today's Slide Deck' under Special Educational Materials above right to download the PowerPoint for today's session.

Looking forward for another great lecture from Warren M.

Iron

Hello from Summerville, SC. How is everyone doing?

Iron

Glad you're looking forward to it, @bitbanger55!

*Participants have also told us that Chrome works well with our audio.

The streaming audio player will appear on this web page when the show starts at 2 PM Eastern time today. Note however that some companies block live audio streams. If when the show starts you don't hear any audio, try refreshing your browser. If that doesn't work, try using Firefox or Google Chrome as your browser. Some users experience audio interruptions with IE. If that doesn't work, the class will be archived immediately following our live taping.

@Jennifer -- Will do.  

Iron

Hi huntwork - thanks for the heads up. Be sure to listen to the session, which will be archived immediately following the live broadcast.

Please join our Digi-Key Continuing Education Center LinkedIn Group at http://linkd.in/yoNGeY

I got nuttin today. I guess I need more coffee.

Iron

Hi, Jennifer!  

I've got the slides.  Thank you.  I'm a little early for today, but I may have a conflict this afternoon.  I'll try to get caught up after my conflict.  

Iron

Be sure to click 'Today's Slide Deck' under Special Educational Materials above right to download the PowerPoint for today's session.

good morning, everyone. Looking forward to another great lecture today!

 

Morning from Portland Oregon.

Iron

Hello from New York.

Iron

Hi from Beaverton, Oregon. I have a schedule conflict for this class on Tuesday, so I'm getting the slides now and will follow-up after the class tomorrow.

Iron

