Considering Software Protection for Embedded Systems

April 1, 2010

Air Force Research Laboratory, Wright-Patterson Air Force Base, Ohio

Given the current trend of reprogrammable embedded devices within the Department of Defense and industry, attention needs to be refocused on the benefits or measurability of software protection applied to this domain. Modern reconfigurable embedded systems consider circuits as software and the tamper methods applicable to physical circuits as new threats to a broadened definition of software. In the traditional sense, software referred to the bits (1s and 0s) representing language statements that could be executed on hardware processors. Today, embedded systems utilizing field-programmable gate arrays (FPGAs) realize circuits merely by downloading a sequence of bits that instantiate gates, controllers, arithmetic logic units, crypto circuits, and even processors. Thus, a circuit implemented on embedded systems utilizing an FPGA is essentially software.

Considering the proliferation of embedded systems with reprogrammable hardware components in both commercial and military sectors, one can show the impact of malicious activity geared to reverse-engineer, tamper, or copy critical technologies residing in those systems.

The semantics (or black-box behavior) of a circuit consist of only the input and

output signal pairs. Intuitively, one way to think of circuit protection is the act of hiding all intermediate transitions that transform input to output. The collection of these transitions, in essence, represents the intellectual property of a circuit. Without knowledge of the original intermediate transitions, no human or automated process may derive other information about the original circuit such as topology, signal definitions, or component definitions.

To protect a circuit, one can replace the original circuit with a semantically equivalent version (one which does the same function) that hides the intellectual property of the original in some definable or measurable way. This formulation restates the essence of a virtual “black box” because it defines full protection as a replacement circuit that does not leak any more information relative to an original circuit (other than its input/output characteristics). In more practical settings, the goal of using a replacement circuit becomes obscuring the original circuit in some way so that the cost of reverse engineering is maximized, while operation characteristics of the circuit are not degraded beyond an acceptable level.

There are a number of different ways to discover and alter the functionality of a circuit. The term “tampering” refers to broad categories of circuit exploitation, including subversion, modification, and reverse engineering. Reverse engineers typically target reproduction of a circuit’s functionality, usually for capital gain or malicious intent. Specific attacks can be roughly categorized as brute force, white box/gray box, side-channel, and fault-injection.

Fault injection is a generic term describing the injection of faults into digital systems using a variety of attacks — raising voltage higher or lower than system tolerances, inducing voltage spikes, or introducing clock glitches. An adversary may use fault injections with realized circuits in order to reduce encryption strength via key-space reduction. This exploit requires internal circuit access and reduces the goal of the adversary from using brute-force methods to interrupt the successful encryption/decryption process itself.

This work was done by Yong C. Kim and Lt. Col. J. Todd McDonald of the Air Force Institute of Technology. For more information, download the Technical Support Package (free white paper) at www.defensetechbriefs.com/tsp under the Information Sciences category. AFRL-0145