91³Ô¹ÏÍø

Overview

Intel, a global leader in microprocessors was seeking to enhance its hardware security verification. To maintain their high security standards, they needed an autonomous solution that could seamlessly integrate with their existing Synopsys VCS simulation flow, offering visualization and understanding of potential critical data leaks without altering design behavior.

Intel

Previously, we struggled to wrap our heads around security bugs. We had no easy way to see what was happening. Integrating Synopsys VCS Taint Propagation into our workflow aided us in several ways. First, it provided assurance by replicating a previous real-world vulnerability. Then, through random and adversarial testing, it expanded our discovery of potential security gaps. Lastly, it made debugging and communicating complex scenarios easier by making these threats more accessible and understandable to our team, including folks unfamiliar with security."

Jean-Philippe Martin

|

Security Lead, Intel

Challenges

Some of the dimensions of primary concern when designing secure products:
  • Data Confidentiality: When designing RTL, we need to ensure a level of confidence that the design will function as intended and is free from known vulnerabilities that could lead to violation of confidentiality leaks. Sensitive information has to be protected from unauthorized access (malicious and/or accidental) or disclosure (unintended leak).

  • Integrity Assurance: Violation of integrity can occur due to unauthorized changes, faulty components, malware, or data corruption. These occur in the control logic and compromise reliability, correctness, and trustworthiness.

  • Availability: Architecture and implementation of systems should take into consideration potential ways (malicious or accidental) that functionality might be interrupted. This could include tampering with software or fuses so that the design does not work as intended, blocking traffic due to misconfigurations or resource exhaustion, and physical destruction of part of the design through physical or software attacks.

    Data Lifetime Analysis: SoCs manage a range of confidential or proprietary data assets, including proprietary software, firmware, OEM data, personal user information, and machine learning data sets. Assessing where and how long data can remain in parts of the system is crucial to understanding potential vulnerabilities and designing mitigations to limit exposure of critical data.

Figure 1: The CIA Triad

Solution

To address these challenges, Intel implemented Taint Propagation (T-prop) - a dynamic solution in VCS to assess the confidentiality and resiliency of a hardware design at the RTL level. VCS propagated the taint along a signal wherever the elaborated design had T-prop instrumented. Key features of the solution for include:

  • Seamless Integration: The T-prop solution works within the existing VCS environment without altering the design behavior.

  • Support for Data Path and Control Logic: Allows ¡°tainting¡± (or tagging) of signals then monitors its reach and interaction with the system. T-Prop can be applied to other use-cases such as  sensitive data tracing, control tracing and clock diffusion.

  • Ease-of-Debug: Within the tool there are two main ways to observe identified taints - create a sample point in the design or use natively integrated Synopsys Verdi to inspect visually.

Figure 2: Tainting of a Signal - Shown in Purple

Results

As part of the customers proof of concept, T-prop was tested on various RTL coding styles and various design sizes at the IP and Die/System level. Several benefits were observed:

  • Data Confidentiality: To test for data leak visualization in the past, known data patterns were used to visually track data flow and storage. With the use of T-prop in VCS, the data paths could be automatically identified and visualized in Synopsys Verdi. 

  • Integrity Assurance: A past real-world security vulnerability in control logic was successfully reproduced with T-prop. During this process, a non-security related logic power gating bug was also found. T-prop was used to create security scenarios, like field fuzzing and shape fuzzing, in the control logic to test resilience.  

Intel¡¯s use of T-prop made for a thorough verification process to ensure that RTL data confidentiality and integrity was maintained, protecting it against potential security breaches and maintaining customer trust.