Mary Yeoh Intel Penang Design Center (ipdc) Intel Corporation Penang, Malaysia

Similar documents
Intel Desktop Board DZ68DB

Intel 945(GM/GME)/915(GM/GME)/ 855(GM/GME)/852(GM/GME) Chipsets VGA Port Always Enabled Hardware Workaround

LED Manager for Intel NUC

INTEL PERCEPTUAL COMPUTING SDK. How To Use the Privacy Notification Tool

Evolving Small Cells. Udayan Mukherjee Senior Principal Engineer and Director (Wireless Infrastructure)

Intel 848P Chipset. Specification Update. Intel 82848P Memory Controller Hub (MCH) August 2003

Installation Guide and Release Notes

Intel Desktop Board D946GZAB

Intel Desktop Board D975XBX2

Intel Desktop Board DG41CN

Intel Desktop Board DH61SA

Intel G31/P31 Express Chipset

Intel Desktop Board D945GCLF2

Intel Cache Acceleration Software for Windows* Workstation

Intel Desktop Board DG31PR

Intel Desktop Board DP67DE

Intel Desktop Board D945GCCR

Intel Desktop Board DG41RQ

How to Create a.cibd File from Mentor Xpedition for HLDRC

Extending Energy Efficiency. From Silicon To The Platform. And Beyond Raj Hazra. Director, Systems Technology Lab

How to Create a.cibd/.cce File from Mentor Xpedition for HLDRC

Installation Guide and Release Notes

Intel Desktop Board DH61CR

Sample for OpenCL* and DirectX* Video Acceleration Surface Sharing

The Intel Processor Diagnostic Tool Release Notes

Intel Desktop Board DP55SB

Upgrading Intel Server Board Set SE8500HW4 to Support Intel Xeon Processors 7000 Sequence

Intel Desktop Board D945GCLF

Intel Desktop Board DP45SG

OpenCL* and Microsoft DirectX* Video Acceleration Surface Sharing

Intel Desktop Board DH55TC

Intel Open Source HD Graphics Programmers' Reference Manual (PRM)

Risk Factors. Rev. 4/19/11

Drive Recovery Panel

Intel Parallel Studio XE 2011 for Windows* Installation Guide and Release Notes

Intel Atom Processor E3800 Product Family Development Kit Based on Intel Intelligent System Extended (ISX) Form Factor Reference Design

Intel Desktop Board D845PT Specification Update

Software Evaluation Guide for ImTOO* YouTube* to ipod* Converter Downloading YouTube videos to your ipod

Non-Volatile Memory Cache Enhancements: Turbo-Charging Client Platform Performance

Device Firmware Update (DFU) for Windows

Intel Atom Processor E6xx Series Embedded Application Power Guideline Addendum January 2012

Migration Guide: Numonyx StrataFlash Embedded Memory (P30) to Numonyx StrataFlash Embedded Memory (P33)

Intel RealSense Depth Module D400 Series Software Calibration Tool

Intel USB 3.0 extensible Host Controller Driver

Intel Desktop Board D102GGC2 Specification Update

Intel and the Future of Consumer Electronics. Shahrokh Shahidzadeh Sr. Principal Technologist

Intel & Lustre: LUG Micah Bhakti

Intel 6400/6402 Advanced Memory Buffer

Forging a Future in Memory: New Technologies, New Markets, New Applications. Ed Doller Chief Technology Officer

Intel Atom Processor D2000 Series and N2000 Series Embedded Application Power Guideline Addendum January 2012

Intel vpro Technology Virtual Seminar 2010

Intel Desktop Board DQ35JO

Techniques for Lowering Power Consumption in Design Utilizing the Intel EP80579 Integrated Processor Product Line

Innovating and Integrating for Communications and Storage

Intel Desktop Board DQ57TM

Intel Desktop Board D915GUX Specification Update

Intel Desktop Board D915GEV Specification Update

Intel Parallel Studio XE 2011 SP1 for Linux* Installation Guide and Release Notes

Mobile Intel Pentium 4 Processor-M and Intel 852PM/GME/GMV Chipset Platform

Intel Integrated Native Developer Experience 2015 Build Edition for OS X* Installation Guide and Release Notes

SELINUX SUPPORT IN HFI1 AND PSM2

HPCG on Intel Xeon Phi 2 nd Generation, Knights Landing. Alexander Kleymenov and Jongsoo Park Intel Corporation SC16, HPCG BoF

Intel 852GME/852PM Chipset Graphics and Memory Controller Hub (GMCH)

Installation Guide and Release Notes

ECC Handling Issues on Intel XScale I/O Processors

Intel IXP42X Product Line of Network Processors and IXC1100 Control Plane Processor: Boot-Up Options

Bitonic Sorting. Intel SDK for OpenCL* Applications Sample Documentation. Copyright Intel Corporation. All Rights Reserved

Intel Transparent Computing

Intel Parallel Studio XE 2015 Composer Edition for Linux* Installation Guide and Release Notes

Intel Server Board S2600CW2S

Intel X48 Express Chipset Memory Controller Hub (MCH)

Intel Core TM Processor i C Embedded Application Power Guideline Addendum

Theory and Practice of the Low-Power SATA Spec DevSleep

Intel Setup and Configuration Service. (Lightweight)

GUID Partition Table (GPT)

Intel Core TM i7-4702ec Processor for Communications Infrastructure

Installation Guide and Release Notes

Optimizing the operations with sparse matrices on Intel architecture

Intel Open Source HD Graphics, Intel Iris Graphics, and Intel Iris Pro Graphics

Intel Learning Series Developer Program Self Verification Program. Process Document

Intel RealSense D400 Series Calibration Tools and API Release Notes

Software Evaluation Guide for WinZip 15.5*

Recommended JTAG Circuitry for Debug with Intel Xscale Microarchitecture

Clear CMOS after Hardware Configuration Changes

Enabling DDR2 16-Bit Mode on Intel IXP43X Product Line of Network Processors

Intel 865PE/P Chipset

Software Evaluation Guide for Photodex* ProShow Gold* 3.2

Product Change Notification

2013 Intel Corporation

Bitonic Sorting Intel OpenCL SDK Sample Documentation

Version 1.0. Intel-powered classmate PC Arcsoft WebCam Companion 3* Training Foils. *Other names and brands may be claimed as the property of others.

Intel Cache Acceleration Software - Workstation

Intel Desktop Board D945GSEJT

Intel Parallel Studio XE 2011 for Linux* Installation Guide and Release Notes

Solid-State Drive System Optimizations In Data Center Applications

Intel vpro Technology Virtual Seminar 2010

82551QM/ER/IT Fast Ethernet PCI Controller MDI-X Functional Overview. Application Note (AP-472)

Open FCoE for ESX*-based Intel Ethernet Server X520 Family Adapters

Intel 865G/865GV/865PE/865P Chipset

Embedded and Communications Group January 2010

Transcription:

Beyond the Focus Penetration Testing in Future Hardware Fuzzing the RTL Mary Yeoh Intel Penang Design Center (ipdc) Intel Corporation Penang, Malaysia

Legal Disclaimer Today s presentation may contain forward-looking statements. All statements made that are not historical facts are subject to a number of risks and uncertainties, and actual results may differ materially. Please refer to our most recent Earnings Release and our most recent Form 10-Q or 10-K filing available on our website for more information on the risk factors that could cause actual results to differ. INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The Intel Core Microarchitecture, Intel Atom, Intel Pentium, Intel Pentium II, Intel Pentium III, Intel Pentium 4, Intel Pentium Pro, Intel Pentium D, Intel Pentium M, Itanium, Xeon may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. This document contains information on products in the design phase of development. Do not finalize a design with this information. Revised information will be published when the product is available. Verify with your local sales office that you have the latest datasheet before finalizing a design. All dates specified are target dates, are provided for planning purposes only and are subject to change. All products, dates, and figures specified are preliminary based on current expectations, provided for planning purposes only, and are subject to change without notice. Intel and the Intel logo is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands are the property of their respective owners. Copyright 2009, Intel Corporation 2

Agenda Introduction to Chip Design The Problem The Proposal Fuzzing the RTL

Agenda Introduction to Chip Design The Problem The Proposal Fuzzing the RTL

Intel Inside As our future becomes increasingly connected, Intel is developing advanced technologies that are enabling an entirely new line of laptops, (MIDs) Mobile Internet Devices, and more. WiMAX NAND Handhelds Notebook IA Desktop Netbooks/ Nettops Consumer Electronics Server Visual Computing Health Embedded

Sand To Silicon Video

Basic 2-Transistor Gate Technology in Present Day With >100,000,000 transistors in one IC (Integrated Circuit) One Functional Block Level One IC Wafer

Chip Design Process Logic Design process Tapeout Architectural Design Technology Trend Specification µ-arch RTL Logic Design Logic Simulation Gate Level Simulation Physical Design Logic Synthesis Floor plan P&R Clk Tree LVS - DRC

Register Transfer Level (RTL) High-level representation of a circuit Circuit behavior -transfer of data between hardware register -logical operation performed on the signals 2 elements registers and combinational logic Hardware Description Language Verilog, VHDL Verilog RTL Code if (CLK === 1'bX) begin F <= #100 {1{1'bX}}; end else begin F end end <= #100 S ( ~C & F); C S CLK D SET CLR Q Q F

Agenda Introduction to Chip Design The Problem The Proposal Fuzzing the RTL

The Problem Bug, if escapes, could control million of gates -Complexity: many features implemented in a single chip -Hackers: creative, attack methods have no boundary Does it mean an attack cannot be preplanned and it just happens on the platform?

Security Testing in Chip Design Logic Design process Tapeout Architectural Design Technology Trend Specification µ-arch RTL Logic Design Logic Simulation Gate Level Simulation Physical Design Logic Synthesis Floor plan P&R Clk Tree LVS - DRC Security Testing

The Evolution Fuzzing the RTL Focus RTL Testing

Focus Penetration Testing Access Control Entry Point Focus Testing One test per specific target

Dynamic Security Testing-Fuzzing X Access Control Access Control Multiple Access Control -independent Access Control can test at same group of tests Entry Point Input weight Directed Random Testing (Fuzzing) A group of tests targeting sub-domain

Agenda Introduction to Chip Design The Problem The Proposal Fuzzing the RTL

Dynamic Security Testing (DST) Benefit - Coverage comparison DST: capable to generate much higher coverage than pure focus testing Fuzzing Test input to hit all of Comprehensive Attack Scenarios + Specific Attack Scenarios Focus Testing: Testing on specific scenario only Total Security Coverage = Comprehensive Attack Scenarios + Specific Attack Scenarios + Additional Scenarios generated from Fuzzing Total Security Coverage = Specific Attack Scenarios

Agenda Introduction to Chip Design The Problem The Proposal Fuzzing the RTL

How?

Threat Model Access Control Asset (key) Asset (data) Threat Agent

Testing Analysis Access Control Asset (Key) Asset (data) Threat Agent Potential path taken by Threat Agent Logic Path from Threat Agent to Asset

Domain to Test Access Control Asset (Key) Asset (data) Threat Agent Potential path taken by Threat Agent Logic Path from Threat Agent to Asset

Partition the Testing Environment Access Control Asset (Key) Asset (data) Threat Agent Potential path taken by Threat Agent Logic Path from Threat Agent to Asset

CLK RST START MODE LOAD KEY DATA_IN DFT1 DFT2 AES128_FAST DATA_OUT DONE DFTOUT

What can you do to attack a design in RTL phase?

Infrastructure Logic Design process Tapeout Architectural Design Technology Trend Specification Specification RTL code Logic Design µ-arch RTL Logic Simulator Logic Simulation Gate Level Simulation Physical Design Logic Synthesis Floor plan P&R Clk Tree LVS - DRC

Get the Specification Get a product specification Relationship of the Asset, Threat Agent and Access Control according to the specification

Specification an example CLK RST START MODE LOAD KEY AES128_FAST DATA_OUT DONE DFTOUT Requirement The unencrypted/decrypted data, as well as key, are protected from the Threat Agents between the LOAD and DONE assertion. DATA_IN DFT1 DFT2

Get the RTL code Which RTL code used by the product? - Available IPs? - Proprietary IPs? Free open source IP http://www.opencores.org/mailman/listinfo/cores Commercial IP Write your own code, if you are interested, - VHDL Tutorial: Learn by Example http://esd.cs.ucr.edu/labs/tutorial/ Note: For this presentation, the aes_crypto_core was downloaded from OpenCores (www.opencores.org), with some modification.

Get the Logic Simulator - Open source logic simulator - Verilator, VeriWell, etc. - Commercial logic simulators - LogicSim, ModelSim, VCS, etc. - Some may have free version for students - For more complete list, http://en.wikipedia.org/wiki/list_of_verilog_simulators Note: For this presentation, the logic simulator used was VCS

Environment Setup for VCS Installation path Download from VCS Source the setup file synopsys_sim.setup file: - list of libraries - common setting

Analyze the design vhdl file vhdlan <file name> verilog file vlogan <file name> system verilog file vlogan sverilog <file name> Other simple switches -f <file contains list of design file to compile> -work <target library name> NOTE: For this presentation, VHDL code was used.

Elaboration to run in ucli vcs <top module / testbench> to run in gui vcs debug_all <top module / testbench>

Simulation run simulation and stop when $finish is called simv run simulation in ucli simv ucli run simulation in dve simv -gui

Summary steps to bring up RTL Simulation To run the simulation, at the DVE command line, dve> run 3us

Fuzzing the RTL Access Control Threat Agent Asset START DFT1 KEY LOAD DFT2 DATA_IN MODE DATA_OUT CLK -Fuzzing at Access Control and Threat Agent (input) -monitor the Asset An example 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 START 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 LOAD 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 MODE 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 DFT1 0 0 1 0 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1 1 1 1 DFT2 1 0 1 1 0 0 0 1 0 0 1 0 0 0 0 1 1 0 0 1 1 1

The Results Protected period BUG!!

What Next? Fix the design Test the design fixes until no issue found

Notes For large design Coverage Based Validation method is used, instead of manually examined the waveform

The Benefit This method can be used in any design, if you have the specification and the RTL code If you are the RTL developer, this is a good method to ensure your design can withstand the attack

Acknowledgement Thanks to my colleagues from intel Penang Design Center, Jonie Lim, CP Teh and Thanh Le Nguyen for their contribution in this presentation

Yours Truly mary.siaw.see.yeoh@intel.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback