As CPU Materials Get Thinner, Security Risks Grow - Report


As CPUs are made with thinner materials, they are creating new vectors for side-channel attacks, according to a report from Semiconductor Engineering this week. The noise and electromagnetic radiation that thinner chips emit have become increasingly easy for attackers to observe, improving the methods used to steal chips' encryption keys and IP.

The report cites U.S. Department of Defense agency DARPA, Synopsys (which makes tools for silicon chip design, verification and more), Ansys (which makes engineering simulation software), Siemens and more. It details how semiconductors are becoming more vulnerable to security threats with "each new process node," thanks to thinner dies and insulation layers.

Side-Channel Attacks

The threat is expected to grow as more of these chips are adopted in safety-critical applications. As Semiconductor Engineering notes, the increasing number of attacks on computer supply chains has convinced many companies to adopt the "zero-trust manufacturing" model, in which manufacturers trust no supplier by default and implement protections against potentially malicious components.

As chips have gotten smaller and have started emitting electromagnetic radiation and other types of noise, supply-chain hackers have become more sophisticated in how they steal sensitive data from chips, as well as chip technology IP. 

Designing for Security?

It’s not easy to solve critical security issues in chips that weren’t designed for security from the start. Although built-in security features can impact performance, that should be preferable to having to patch security holes in software later on. Intel experienced this first-hand with the speculative execution vulnerabilities discovered in its CPUs.

Security Everywhere

More people in the semiconductor industry are realizing that at least some level of built-in security needs to exist.

Arm has already begun implementing a similar plan for Arm-based IoT devices called the Platform Security Architecture. The vendor offers an open-source reference firmware, security rules and dedicated security chips that all partners can implement in their edge devices by default. Partners are also free to add even more security features to their own devices (however likely or unlikely that may be). 

One major benefit vendors could potentially get out of this, besides protecting customer data, is cost savings, as fewer bug fixes and/or recalls are needed down the road.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • InvalidError
    Spectre and friends have nothing to do with chips getting 'thinner' or radiating more stuff, they are timing-based attacks on the architecture that span products from 10nm through 100+nm.

    The more complex architectures get, the more likely they are to have some unforeseen interactions between features that can at least hypothetically be exploited.
  • bit_user
    I wonder if they could do something like intentionally adding some jitter to their clock signals, to make snooping harder.
  • bit_user
    InvalidError said:
    Spectre and friends have nothing to do with chips getting 'thinner' or radiating more stuff, they are timing-based attacks on the architecture that span products from 10nm through 100+nm.
    If you read closely, he was using them to make the case that Intel hasn't been prioritizing security - not saying they were at all related to manufacturing tech. So, to the extent that mitigating these RF and other sorts of vulnerabilities requires a design-for-security mentality, we're still short on evidence that Intel is up to the challenge.
  • InvalidError
    bit_user said:
    So, to the extent that mitigating these RF and other sorts of vulnerabilities requires a design-for-security mentality, we're still short on evidence that Intel is up to the challenge.
    Are RF side-channel exploits really a thing? In the real world, CPUs and GPUs are under a heatsink, so reading a chip using RF requires removing the heatsink and IHS where applicable first. When you have physical access to a chip, there aren't many limits to what you can do. If you are desperate enough to get the cryptographic root keys out of a secure enclave type subsystem, you can hypothetically lap the chip to expose the memory cells holding the keys and read them with something like an atomic force microscope.
  • bit_user
    InvalidError said:
    Are RF side-channel exploits really a thing?
    I don't know. I'm just explaining how I read the article.

    The original article has a lot more detail:

    https://semiengineering.com/new-security-risks-create-need-for-stealthier-chips/
    I think it's healthy for some (like DARPA) to err on the side of paranoia, rather than complacency. Anyway, post up your thoughts, if you decide to read it.

    InvalidError said:
    If you are desperate enough to get the cryptographic root keys out of a secure enclave type subsystem, you can hypothetically lap the chip to expose the memory cells holding the keys and read them with something like an atomic force microscope.
    Yeah, sounds reasonable, though I'm hardly a microelectronics engineer.

    But, what if you're trying to eavesdrop on some key that's not burned into the on-chip ROM? Maybe it's sent over the network, and the code is executing in ring-zero and using an encrypted memory segment.
  • InvalidError
    bit_user said:
    But, what if you're trying to eavesdrop on some key that's not burned into the on-chip ROM? Maybe it's sent over the network, and the code is executing in ring-zero and using an encrypted memory segment.
    The part of the paper concerning thinner chips is about how thinner chips make it easier to observe chip operation for reverse-engineering and data extraction purposes. I'm pretty sure you are going to notice if someone attaches a 1000kg optical bench to your phone's SoC for an electroluminescence attack. Those aren't drive-by RF/optical/acoustic/etc. exploits, merely cheaper, faster and less destructive alternatives to atomic force microscopy and other similar means of reverse-engineering and extracting data from chips.

    The implication here is simply that secrets buried in silicon can't be considered as secret for much longer, at least not without further obfuscation efforts.
  • DavidC1
    What a funny world we live in. Damn arms race for security. Reports of people losing funds or getting hacked are going to become more prevalent then.

    1 person acting maliciously is enough to ruin the lives of a thousand. The problem with this absolute paranoia approach is that it's going to ripple throughout all parts of security.

    Do you know what's going to happen when trust falls so completely that you have to be suspicious of everyone all the time?
  • escksu
    Doesn't make any sense to me. I do agree that more noise is made. But the whole server is sealed in a big metal box. Then it's in a rack and in a room.... Someone has to be physically there to observe the noise.

    And then, hackers usually do it remotely. There is no way to monitor such noise remotely (without installing sensors on-site).

    If a hacker could get to your server physically, such side channels blah blah isn't the thing you would be worried about.
  • InvalidError
    escksu said:
    Doesn't make any sense to me. I do agree that more noise is made. But the whole server is sealed in a big metal box. Then it's in a rack and in a room.... Someone has to be physically there to observe the noise.
    Unless your server's hardware is unique in the world, it likely contains multiple chips that share common secrets with every other similar chip in the world. Hackers don't need to get your specific server, they only need to get any of those other chips to expose those common secrets and build from there.

    In the case of breaking through Apple's Secure Enclave, you can buy a bunch of iPhones and use them to train your bench to figure out where the bits you need access to for extracting password hints are on the SoC before making any attempts on your victim device(s).

    The point is that designs that were formerly thought to be pretty secure may not be considered secure for much longer.
  • joeblowsmynose
    InvalidError said:
    Spectre and friends have nothing to do with chips getting 'thinner' or radiating more stuff, they are timing-based attacks on the architecture that span products from 10nm through 100+nm.

    The more complex architectures get, the more likely they are to have some unforeseen interactions between features that can at least hypothetically be exploited.

    Yes exactly - the article conflates two entirely different things.

    I'm pretty sure the fear of EMR leakage that may potentially leak "data" is still very much in the speculation phase - based around the idea that the thinner the nodes and materials get the more noise would radiate. I have a hard time believing this has actually even been proven yet, or the devices to take advantage of such a thing probably don't actually exist ... yet (if ever).

    Side channel attacks and all that is something entirely different - not related to EMR leakage at all ...