As CPUs are manufactured with thinner materials, new openings for side-channel attacks are emerging, according to a report from Semiconductor Engineering this week. The noise and electromagnetic radiation emitted by the thinner chips have become increasingly easy for attackers to observe, improving the effectiveness of techniques used to extract chips' encryption keys and IP.
The report cites U.S. Department of Defense agency DARPA, Synopsys (which makes tools for silicon chip design, verification and more), Ansys (which makes engineering simulation software), Siemens and more. It details how semiconductors are becoming more vulnerable to security threats with "each new process node," thanks to thinner dies and insulation layers.
The threat is expected to grow as more of these chips are adopted in safety-critical applications. As noted by Semiconductor Engineering, the increasing number of attacks on computer supply chains has convinced many companies to adopt the "zero-trust manufacturing" model, in which manufacturers trust no supplier by default and implement measures to protect against potentially malicious components.
As chips have gotten smaller and their electromagnetic radiation and other types of noise have become easier to observe, supply-chain hackers have become more sophisticated in how they steal sensitive data from chips, as well as chip technology IP.
Designing for Security?
It’s not easy to solve critical security issues in chips that weren’t designed for security from the start. Although built-in security features can impact performance, designing them in should be far preferable to having to patch security holes in software later on. Intel experienced this first-hand with all the speculative execution vulnerabilities that were discovered in its CPUs.
More people in the semiconductor industry are realizing that at least some level of built-in security needs to exist.
Arm has already begun implementing a similar plan for Arm-based IoT devices called the Platform Security Architecture. The vendor offers an open-source reference firmware, security rules and dedicated security chips that all partners can implement in their edge devices by default. Partners are also free to add even more security features to their own devices (however likely or unlikely that may be).
One major benefit vendors could potentially get out of this, besides protecting customer data, is cost savings, as fewer bug fixes and/or recalls are needed down the road.