91³Ô¹ÏÍø

Meet Both Security and Safety Needs in New Automotive SoCs with ARC SEM130FS Processor

Omar Cruz, Product Marketing Manager, ARC Processor IP, Synopsys

With advances in hardware and software, smart vehicles are improving with every generation. Capabilities that once seemed far-off and futuristic¡ªfrom automatic braking to self-driving features¡ªare now either standard or within reach. However, as vehicle architectures evolve, the ways that both security and safety can be addressed at the system-on-chip (SoC) level also must evolve. 

Cars are increasing in connectivity and complexity. With over-the-air updates, 5G connections, and vehicle-to-vehicle communication, more data is moving between cars, servers, and infrastructure ¨C bringing a potential threat of valuable information being intercepted by hackers or attackers. 

Attacks on connected cars can come in many forms (Figure 1). For example, attackers can get the unique ¡®key¡¯ information from keyless car systems with vulnerabilities, allowing easier car break-ins; cars can be hacked by a virus downloaded to a phone that is then connected to the infotainment system; or automotive chips with poor security can run in a test or debug mode that allows unauthorized users with physical access to obtain enhanced privileges on the system. Adding cybersecurity protection into vehicles helps to protect automotive electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation of the system.

Highly connected vehicles offer many attack surfaces to hackers

Figure 1: Highly connected vehicles offer many attack surfaces to hackers

In addition, almost every automotive chip now requires some level of functional safety capabilities. Meeting functional safety standards in the vehicles¡¯ electrical/electronic systems helps to make sure everything works the way it¡¯s supposed to while protecting the passengers. Meeting the ISO 26262 standard helps to ensure the ¡®absence of unreasonable risks due to hazards caused by malfunctioning behavior of electrical/electronic systems¡¯. To meet ISO 26262 functional safety standards, designers need to address both systematic faults and random (permanent or transient) hardware faults. 

Systematic faults are applicable to both hardware and software and are introduced through the development of the hardware and software modules. Systematic faults can be prevented by a rigorous IP/SoC development process. On the other hand, random hardware faults occur unpredictably during the lifetime of the device. Permanent random faults persist indefinitely (or at least until repair) after their occurrence, e.g., an alpha particle flipping a bit. Redundancy and continuous checks that are carried out during mission time can be built into the system to mitigate random faults. 

Because of the evolving security threats combined with new standards and market requirements, designers are looking for a clear path to incorporate both security and safety into their SoCs. However, the complexity of new designs means that adding functional safety features and security features as discrete functions might not result in an optimal solution. Developing SoCs for safety-critical and secure automotive applications requires both protection against malicious attacks and functional safety capabilities from the start. Addressing both functionalities from the design stage and from processor selection will enable a new generation of safe and secure cars.

Safety and Security Processors

Companies need to treat the security and the safety aspects of new automotive SoCs holistically. The SoC needs to protect the system from malicious attacks while preventing systematic and random faults and meeting the most stringent safety requirements. 

Synopsys¡¯ ASIL D Compliant DesignWare? ARC? SEM130FS Safety and Security Processor IP helps designers to protect safety-critical systems against software, hardware and side-channel attacks. The processor¡¯s ASIL D compliance covers both random (transient and permanent) hardware faults and systematic faults with a comprehensive set of automotive documentation. The ARC MetaWare Toolkit for Safety with ASIL D Ready certified compiler generates ISO 26262 compliant code (Figure 2).

 

Synopsys ARC SEM 130FS Safety & Security Processor block diagram

Figure 2: Synopsys ARC SEM 130FS Safety & Security Processor block diagram

Security Features in ARC SEM130FS Safety and Security Processor

The ARC SEM130FS Safety and Security Processor provides integrated security features for embedded applications where protection from logical, hardware and physical attacks is an essential element, in addition to high performance and minimum power consumption.  

Logical Tampering Protection

The SEM130FS Processor offers a set of features to provide hardware enforced software security, including trusted execution environment hardware implementations, memory protection unit to stack and code protection, and secure custom instructions to add flexibility into the SoC design. These logical protection features include:  

  • SecureShield? technology:  Enables system designers to develop a trusted execution environment and to isolate security related and standard core operations with secure and normal modes for both kernel and user (Figure 3) 
  • Enhanced Secure Memory Protection Unit: Up to 16 configurable protected regions and per region scrambling capability defines an area of memory (MPU region) as secure or normal. Secure MPU regions can be accessed only in the secure operating mode while Normal MPU regions can be accessed from the normal and secure operating modes  
  • Optional Stack Protection: Hardware that can be programmed to check for overflow or underflow of reserved stack space 
  • Optional Code Protection: Hardware and external pins that can block read or write access to individual memory regions 
  • Optional Secure Custom Instructions: Co-processors in a trusted mode that boost the performance of the device, improving efficiency while reducing power consumption  

Physical Tampering Countermeasures

From a first glance, physical attacks might not seem as important as remote attacks in the automotive space. However, there are several reasons why physical attack countermeasures are mandatory in automotive SoC designs. Side channel attacks are one type of physical attack, where potentially sensitive information can be retrieved by monitoring the signals from the electronic devices present in the car or attackers accessing the automotive system via the debug port. The ARC SEM130FS Processor provides a set of protective features to avoid physical tampering attacks: 

  • Side-Channel Attack Protection: Offers uniform instruction timing and timing/power randomization, increasing resistance to simple and power differential analysis  
  • Fault Injection Attack Detection and Protection: Offers data and instruction path integrity checking  
  • Secure Debug: Works with explicit unlock of ARC SEM Secure Processor debug port for secure or normal access 
  • Tailored in-line instruction and data scrambling: Protects customer algorithms from reverse engineering and IP theft 
  • Watchdog timer: Detects tamper-related system failures and enables countermeasures 

Functional Safety with ARC SEM130FS Processor

In addition to extensive security features, the ARC SEM130FS Safety and Security Processor simplifies development of safety-critical applications and accelerates ISO 26262 certification of automotive SoCs by providing an ASIL-D certified compliant solution with all the necessary hooks and safety mechanisms needed in in the automotive environment. These key features include:  

  • Pre-verified Dual-core, Lock-Step Processor: Safety implementation based on low power SEM security processors  
  • Safety Monitor: Provides monitoring to ensure the main core and the shadow core maintain lockstep operation  
  • Error detection and correction logic (ECC): Addresses data and address errors on closely coupled memories 
  • Integrated Watchdog Timer: Enable countermeasures to help recovering from a deadlock situation I

Beyond the Processor IP

The DesignWare ARC SEM130FS Processor, as well as the rest of the DesignWare ARC Functional Safety Processors, go above and beyond the processor IP itself by supporting a comprehensive safety documentation to ease the SoC certification process. Some of these safety documents provided by Synopsys include:  

  • Quality Manual from the Quality Management System (QMS) of Synopsys¡¯ IP business unit  
  • Design Failure Mode and Effect Analysis (DFMEA) focused on avoidance of potential systematic failures 
  • Failure Modes, Effects, and Diagnostic Analysis (FMEDA) focused on evaluation of random hardware fault metrics, including both permanent and transient faults 
  • Safety Manual, including descriptions of, as applicable, internal and external safety mechanisms and assumptions of use 
  • Dependent Fault Analysis (DFA) covering common case faults and cascading faults (if applicable) 
  • Safety Case Report denoting references to evidence that Synopsys will utilize internally as part of reviews and assessments 
  • ISO 26262 Assessment Report of ASILB random hardware fault plus ASIL D systematic. This assessment is performed and the report is generated by Synopsys¡¯ internal independent functional safety group  

To complement this already robust and complete safety and secure solution from the DesignWare ARC processors, the ARC SEM130FS Safety and Security processor is also supported by the MetaWare for Safety Toolkit which facilitates the development of ISO 26262-compliant software. The MetaWare compiler toolchain is ASIL D certified and includes a safety manual and a safety guide to help developers meet the requirements of the ISO 26262 standard and prepare for compliance testing of their safety-critical systems. 

Conclusion

A combination of safety and secure capabilities within the automotive SoCs has now turned into the next-generation trend to address the new automotive cybersecurity requirements for potential malicious attacks as well as the mitigation of systematic and random faults in the functional safety space. In order to ensure these connected cars behave as it is expected, the safety and security features should be architected from the design/hardware stage in a holistic manner.   

Synopsys DesignWare ARC SEM130FS Safety and Security Processor IP meets these demands by offering an ASIL-D compliant processor protecting from both, systematic and random faults while at the same time providing all the security capabilities to enable trusted execution environment, side-channel attack resistance and physical tamper detection to meet the new requirements in the next-generation automotive designs. The DesignWare family of processors also provide more than the right processor IP by enabling the SoC developers with a comprehensive set of functional safety documentation as well as an ASIL-D certified compiler to facilitate the development of an ISO 26262-compliant software.  

 

Additional Resources:

  • Blog:?

  • News:?