UK-based embedded monitoring and analytics company UltraSoC used the Arm TechCon 2019 conference in San Jose, California this week to announce the first of a new family of hardware-based intellectual property (IP) products that detect and respond to cybersecurity threats.
Its new Bus Sentinel module enables system-on-chip (SoC) designers to control access to sensitive areas of their devices, instantaneously detect and block suspicious transactions, and build a long-term profile of system operation to secure against current and future cyber threats. It is part of a planned family of hardware-based embedded real-time monitoring IP modules aimed at detecting, blocking and recording cyber-attacks and preventing their propagation primarily in automotive and factory robots.
Aileen Ryan, chief strategy officer for UltraSoC, told EE Times Europe that the company’s monitoring and analytics intellectual property (IP) is already is already well established and is gathering lots of data at chip level. The new family of products now addresses cybersecurity requirements in many applications where over the air (OTA) updates are prone to being infected with a bug or could be hacked. She added, “Because we are in hardware, we’re seeing things at clock speed, we can see the impact of any changes or anomalous behavior, and act in real time. In autonomous vehicles, where we are seeing a lot of interest for this, this is significant, as microseconds matter.”
The module monitors and controls the internal bus of an SoC, observing how the chip’s interconnected sub-blocks are interacting. It can be configured at run time to detect specific transaction types; for example, if a process tries to access the control registers of the memory controller at any time other than a system re-boot; or if a process with insufficient privileges attempts to access a protected area of memory. The detection process itself is performed via a range of configurable filters which can be cascaded to implement complex conditions and detect even very subtle nuances of system behavior.
In addition to its detection functions, the Bus Sentinel can be configured to respond to threats in a variety of ways, also in real time: it can allow the transaction to proceed unmodified; it may block the transaction from proceeding beyond the monitor using a transaction gating technique; it can modify the transaction in some way — for example by marking it with a flag; and it can generate a response on the bus. It can also issue a trigger event across the dedicated UltraSoC communications fabric, allowing an immediate response to be generated by other system blocks, or by external threat mitigation systems.
The system of filters, counters and timers allows the module to be configured to detect common known security threats. These capabilities give the system designer a wide variety of approaches to any given threat vector. Suspicious transactions can be detected and flagged, and subsequent transactions monitored without the attacker’s knowledge, to profile the threat. Transactions can be blocked, with the option to respond to the initiator and gather further information. Or the Bus Sentinel can trigger a response anywhere else within the on-chip system, communicating via the dedicated UltraSoC communications fabric.
The module is equipped with storage units that can record data for use by the filters in future transaction identification. It can also be used in concert with the overall UltraSoC infrastructure to gather rich statistical data. This can be used by an on-chip analytics engine, or passed to an external cloud-based analytics system, to profile the system and produce a “signature” of normal behavior based on many deployed instances of the device. This in turn allows the threat mitigation system to adapt to the rapidly evolving threat landscape.
Unravelling the electronics ‘black box’
UltraSoC’s security IP enables independent internal monitoring systems to be embedded into a chip. This continuously checks that the device is operating as expected, detecting anomalous behavior that might indicate a security breach. Because it is embedded in the hardware, it can respond in real time (in microseconds rather than the milliseconds required by traditional threat mitigation measures), is very hard to subvert or circumvent, and can even block “zero-day” type attacks that the chip’s designers have not anticipated. In addition to detecting and blocking cyber threats, it can be used to trigger actions that prevent propagation, and to provide a forensic “black box” record of events.
Ryan told us that “black box” record is increasingly becoming necessary, for example in the case of autonomous vehicle accidents and determining liability. “We are working on a number of proofs of concept with automotive customers and insurance companies.” Describing the challenge, she said, “Today in the case of an accident it can be established if the liability is with the driver. But tomorrow the responsibility could be with the brand, or someone else in the supply chain. Because we are resident in bare metal, we have access to data that no one else has, since we record the fine-grained data, which can provide detailed evidence of attacks or failures.”
David Rogers, CEO of cybersecurity specialists Copper Horse, commented: “As the threat landscape evolves and the consequences of attacks become more concerning, implementing security features in hardware has many advantages. By putting security at the heart of an SoC, UltraSoC’s technology helps by monitoring, detecting and addressing security concerns at the most fundamental level possible today.” The UltraSoC Bus Sentinel will be generally available in Q1 2020. Its modular design allows it to support any bus protocol, with immediate support for commonly-used on-chip buses including Arm APB, AHB, AXI-4 and ACE.
Nitin Dahad is a Correspondent for EE Times Europe.