SoC security is all about layers of trust. UltraSoC CSO Aileen Smith takes some lessons from real life, and argues for the use of hardware-based security to create more sophisticated trust models.
The phrase ‘Trust, but verify’ came to prominence during the Reagan administration, but is entirely relevant today in the era of “fake news”.
As the parent of a toddler I entrust the care of my child to another adult while I am at work. However, before doing that, I need to verify some information about this person. Are they really who they say they are? There are some rudimentary “fact checking” ways to verify and build a first level of trust – DBS checks with the police, reference checks with previous employers, qualification checks for items like first aid certification etc.
Over a period of time however, I have built a more complex and comprehensive mental trust model based on observing and verifying ongoing behavior. Does this person comply with the constraints I put on them? Do they behave in a trustworthy way? Do they continually demonstrate that they prioritize my child’s welfare? I expect to be told every day what activities my child will be doing, where and with whom, and if that plan changes significantly I want to be informed. I notice and appreciate the effort put into thinking about new and interesting things to do. I require any welfare issues to be brought to my attention immediately. I want to be regularly briefed on how my child is developing. I love receiving photos during the day, or little messages about new things that he has tried and how he has responded. All these behaviors and patterns of activity reinforce my trust on a daily basis.
In the world of SoCs, we can similarly think about layers of trust. At a foundational level, we can limit access to secure areas to those who hold the correct key. Then, to verify the facts, we can also ask – who are you, and are you authorised to hold this key?
However, this would be quite easy to subvert if someone was motivated to do so. What would be more difficult to subvert would be an additional, more complex trust model based on observing and verifying behavior over a period of time. Who normally accesses this area and with what frequency? After this access, what do they typically do next? What kind of access patterns do we normally see?
UltraSoC on-chip monitoring and analytics capabilities allow us to build exactly this kind of behavioral model of “normal” or “expected” behavior on an SoC, and then monitor for anomalies against this model. Depending on the specific application and the nature of the anomaly, various responses can be triggered … an anomalous access attempt can be allowed but recorded, allowed but an alarm raised, blocked and the originator is notified, blocked and the originator is not notified, blocked and an alarm raised etc.
This capability takes the “Trust, but verify” idea to the next level, offering a very powerful additional layer of security and trust which can be layered on top of more traditional models.
We are excited to be working with lead customers to implement this technology for security and safety-critical systems.