One of the keynote presentations at DesignCon this year talked briefly about DARPA’s Automatic Implementation of Secure Silicon (AISS) program. This remarkable program will ultimately automate the process of adding various levels of security to today’s complex system-on-chip (SoC) designs. It will achieve this goal by allowing chip designers to explore the possible economics versus security trade-offs based on the expected application and intent of the chip.
Recently, DARPA issued a press release detailing the role that Synopsys and Northrop Grumman - the two primary contractors - are expected to play, as well as the unique technologies researchers from Arm and IBM will be bringing to the program.
To understand more about this undertaking, Design News interviewed Serge Leef, Program Manager for the Microsystems Technology Office (MTO) at DARPA. What follows is a portion of that interview.
Design News: Why were these particular EDA and semi companies selected, e.g., why not Cadence, Mentor Graphics/Siemens, etc.?
Serge Leef: In general, the U.S. government issues requests for proposals and then multiple teams respond with proposals. We are not in the business of putting the teams together. We do try to introduce parties that should be aware of each other and should work together. But we're not allowed to take an active part in forming the teams. Eventually, the team led by Synopsys came up with a proposal that was really much more compelling than the other proposals that we reviewed.
Design News: Why was Boeing selected as part of the winning team? Will the first AISS program implementation be in the aerospace industry – presumably the Department of Defense (DOD) side?
Serge Leef: Once we select a prime - in this case, Synopsys – then other team members also become selected. Boeing was part of the team because Synopsys needed a test design from the defense industry on which to demonstrate how the developed assets will be operationalized. Boeing is a good example of a company that has designed a lot of chips and platforms for DoD and that’s why they were chosen initially for the team.
The AISS program is application neutral so it’s not targeted at the aerospace industry. Naturally, we do have customers in the DOD aerospace segment, but it is intended to make everybody's chips more secure. Given that Synopsys is driving one of the teams, it is natural to expect capabilities developed under them would find their way into commercial offerings sooner rather than later.
Design News: The EDA tool and semiconductor communities have tried before to bring security to chip design, e.g., soft and hard tags, DNA footprints for chips, etc. How will this current approach be different?
Serge Leef: Yes, many past efforts have tried to bring security to chips. This current approach is different because it is much broader than before. The technologies and methods that you mentioned are passive defenses for the supply chain and have to do with protecting your designs in terms of cloning, counterfeiting, overproduction, recycling, remarketing and the like. In other words, activities that lead to non-genuine parts ending up in the supply chain. But protecting the authentication of chips in the supply chain represents only one of four possible attack scenarios or services described in the Attack Surface Reference Model. An attack surface is everything outside the firewall. The model consists of four surfaces or ways that silicon-based chips and systems can be attacked: side channel, reverse engineering, malicious hardware and the supply chain. What we are trying to do is make sure that chip designs can be protected on all four surfaces with defenses relative to the likelihood of a particular attack.
Design News: How do you tie the multiple attack surface design approach to the likelihood of a particular attack?
Serge Leef: For example, if you’re building a lawn sprinkler system, you probably don't need to worry about someone reverse engineering your watering algorithm. However, you may worry about somebody cloning your chip and then flooding the market with millions of units from which you’d derive no sales benefit. The size of the countermeasures for the supply chain in this case shouldn’t be particularly large or expensive. Whereas if you're worrying about nation-state attackers, then you probably want a much more elaborate set of defenses on the supply chain side. For example, you may want much longer security keys and will probably incur more costs associated with implementing a broader security system on the chip.