Lattice Blog


Cyber Security Trends and Standards in Automotive FPGAs

Cyber Security Trends and Standards in Automotive FPGAs
Posted 07/06/2021 by Eric Sivertson

Posted in

Recently, I co-hosted a Virtual Seminar on Cyber Security Trends and Standards in Automotive FPGAs. If you missed the live event, you can watch a recording of the seminar.

This was the second security seminar from Lattice, and we plan on making this a quarterly event. This time, I was joined by a number of panel members, including Sylvain Guilley, who is CTO and Co-Founder of the security science company Secure-IC, and JP Singh, Product Marketing Manager of our Automobile segment here at Lattice.

I kicked-off the proceedings by introducing the concepts of supply chain security, cybersecurity, and cyber resiliency. The problem in the case of the supply chain is that it’s getting harder and harder to trust anyone these days. As we all know after hearing about the Zombie Zero attack, even if your contract manufacturer is considered secure, it’s still possible for your systems to be compromised if the contract manufacture is working in cahoots with a hacker.

Lattice’s solution to address supply chain security is the Lattice SupplyGuard™ service. As part of a service subscription, the Lattice MachX03D™ and Mach™-NX FPGAs can be delivered to your contract manufacturer preloaded with a lock program and cryptographic keys that are independent of the supply chain and customer. In this case, the FPGA effectively acts as its own HSM. The lock program disables all of the traditional programming ports. The only way to re-program the device is to present it with an image that was encrypted with a key required by the locked part and not exposed to the supply chain. The part then enables ownership transfer within itself in a protected and secure way, dramatically reducing the attack surface throughout the supply chain.

A key (no pun intended) aspect of this is the dual-boot capability of the MachXO3D and Mach-NX FPGAs, which means that while one program is running, a new program can be loaded into a separate area of the Flash memory. The program that’s currently running authenticates the new program. Once the new program has been authenticated, it will be loaded into the other flash segment. If anyone attempts to mount a cyber attack -- such as cycling the power -- while any of this is going on, the device will revert to its original locked program. It’s only after the device has securely transferred IP ownership that the older program and its associated keys are removed.

The same process is repeated by anyone in the supply chain (like an OEM or ODM). The only way they can load a new encrypted image is if that image contains the appropriate cryptographic key required to transfer ownership to the new updated image. The result is what we at Lattice call “Secure Ownership Transfer,” the main feature of which is that no one in the supply chain is ever provided with access to any of the cryptographic keys or unencrypted versions of a customer’s IP.

Another area where Lattice is providing leading edge solutions in in the realm of cyber resiliency. Cyber security involves trying to keep the bad guys out of your system. The problem is that if you are considered to be a sufficiently valuable target, you are going to be attacked; it’s not a case of “if”, it’s a case of “when”. Cyber resiliency refers to the system’s ability to keep on working when it is attacked, which includes the concept of platform firmware resiliency (PFR).

As defined by the NIST SP 800 193 Platform Firmware Resiliency guidelines, PFR involves protection, detection, and recovery. Protection includes protecting the platform’s firmware and critical data from corruption and ensuring the authenticity and integrity of any firmware updates. Detection includes cryptographically detecting corrupted platform firmware and critical data when the system is first powered on, while the system is running, and following any in-system updates. Recovery includes initiating a trusted recovery process and restoring any corrupted platform firmware and critical data to its previous uncorrupted value.

In conjunction with the Lattice Sentry™ solution stack, MachX03D and Mach-NX FPGAs fully address cyber resiliency requirements by providing features like secure dual-boot. Once the system is up and running, the MachX03D and Mach-NX devices continue to maintain cyber resiliency by protecting, detecting, and recovering themselves from malicious attacks. Furthermore, the massively parallel processing capability of their programmable fabric gives these devices the ability to protect, detect, and recover other platform firmware elements at the same time, extending trust throughout the system.

I closed my portion of the presentation by showing a scary video. You may recall an article in WIRED magazine from 2015: Hackers Remotely Kill a Jeep on the Highway—With Me in It. The hackers in question were Charlie Miller, a security researcher at Twitter, and Chris Valasek, director of Vehicle Security Research at IOActive. Although they were 10 miles away from the vehicle, Charlie and Chris started off by taking control of things like the air-conditioning, entertainment system, and windshield washers/wipers. Then they got more serious and cut the transmission!

As a result, Jeep had to recall 1.4 million vehicles. Following this recall, Charlie and Chris continued to probe the Jeep’s cyber defenses. Just one year later, in 2016, now working at Uber's Advanced Technology Center, they showed how an attack could be mounted by plugging a laptop computer into the car’s CAN network. This new attack was detailed in a follow-up WIRED column: The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse. The video I showed reflects this second attack, thereby providing a classic example of a system that is not cyber resilient.

Following this video, I handed the presentation over to JP Singh, who talked about the current trends in automotive that are driving the need for cyber security and cyber resiliency, including the demand for smart, intelligent, and connected vehicles. JP then introduced the various vectors that can be used to mount attacks on automotive systems, including things a lot of people wouldn’t think of like spoofing the sensor data, thereby causing safety systems and autonomous systems to make bad decisions. Next, JP walked us through a series of use-cases showing how various automotive systems might be attacked, and how these attacks can be defeated if the systems are cyber resilient.

JP then handed the baton to Sylvain Guilley from Secure-IC, which is one of Lattice’s security partners and which offers a wide variety of soft IP and hard IP cryptographic solutions, tools, and services. Sylvain started by explaining Secure-IC’s PESC approach, which guides developers in identifying security needs and creating certified solutions (PESC stands for Protect, Evaluate, Service, and Certify). He also gave a brief introduction to Secure-IC’s best-in-class protection technologies, integrated Secure Elements (iSE), and security IP (Securyzr), along with evaluation tools for security assurance and certification readiness (Laboryzr), and consulting expertise and security assessment services (Expertyzr). The popularity of Secure-IC’s offering is evident in the fact that the company is currently deploying over 1 billion IP blocks every quarter.

At the end of the day, this was a very informative event that was well-received by the audience. Once again, if you weren’t able to join the live event, I would urge you to watch the video of the seminar.