Transcript Hardware Trust Implications of 3-D Integration Ted Huffmire (NPS), Timothy Levin (NPS), Michael Bilzor (NPS), Cynthia E.

Hardware Trust Implications of
3-D Integration
Ted Huffmire (NPS), Timothy Levin (NPS), Michael
Bilzor (NPS), Cynthia E. Irvine (NPS), Jonathan
Valamehr (UCSB), Mohit Tiwari (UCSB), Timothy
Sherwood (UCSB), and Ryan Kastner (UCSD)
26 October 2010
Workshop on Embedded Systems Security (WESS)
Nile River
•
•
•
•
Mystery on the Nile: Just Whose River Is It?
Ethiopia Claims High Gound in Right-to-Nile Debate
Thirsty Egypt Clings Tight to the Nile
Weekend Edition Sunday (npr.org)
[Koyanagi05]
•
[Koyanagi05]
• Timeline
Alternative 3-D Approaches
• PoP [Lim10]
Wire Bonding (SiP) [Amkor09]
Alternative 3-D Approaches
• PoP [Lim10]
Alternative 3-D Approaches
• [Amkor10]
Alternative 3-D Approaches
• Face-to-Face [Loh07]
Alternative 3-D Approaches
• Face-to-Back [Loh07]
What is 3Dsec?
• Economics of High Assurance
– High NRE Cost, Low Volume
– Gap between DoD and Commercial
• Disentangle security from the COTS
– Use a separate chip for security
– Use 3-D Integration to combine:
• 3-D Control Plane
• Computation Plane
– Need to add posts to the COTS chip design
• Dual use of computation plane
Pro’s and Con’s
• Why not use a co-processor? On-chip?
• Pro’s
– High bandwidth and low latency
– Controlled lineage
– Direct access to internal structures
• Con’s
– Thermal and cooling
– Design and testing
– Manufacturing yield
Thermal Challenges
• Thermal Simulation [Loh06, Melamed09]
Yield Challenges
• Wafer-to-Wafer Bonding [Euronymous07]
Testing Challenges
• [Thärigen10]
Cost
• Cost of fabricating systems with 3-D
– Fabricating and testing the security layer
– Bonding it to the host layer
– Fabricating the vias
– Testing the joined unit
This Paper
• Can a 3-D control plane provide useful
secure services when it is conjoined with
an untrustworthy computation plane?
• Yes, provided:
– Self-protection
– Dependency Layering
Face-to-Back Bonding
• [Valamehr10]
Primitives
• [Valamehr10]
Threat Model
• Computation plane
– Unintentional hardware flaws
– Malicious software
• Not in scope
– Malicious inclusions
• Nullify self-protection
– Probing of the control plane
– Compromising RF emissions
Security Model
• Self-protection
– Do not place a post that allows the control
plane to accept extraneous power, requests,
or modifications.
• Layered dependencies
– Control plane should not depend on the
computation plane
Layered Dependencies
• Never depend on a layer of lesser
trustworthiness
Dependency Properties
• Service
– Communication (e.g., I/O)
– Synchronization
• Call
• Resource Creation and Provision
– Storage
• Contention
3-D Application Classes
•
•
•
•
Enhancement of native functions
Secure alternate service
Isolation and protection
Passive monitoring
– Information flow tracking
– Runtime correctness checks
– Runtime security auditing
Design Example
• Secure Alternate Service
Examples of 3-D Systems
• Network-on-Chip [Kim07]
Examples of 3-D Systems
• Network-on-Chip [Kim07]
Examples of 3-D Systems
• Particle Physics [Demarteau09]
Examples of 3-D Systems
• Chip Scale Camera Module [Yoshikawa09]
Examples of 3-D Systems
• 3D-PIC 3-D CMOS Imager [Chang10]
Examples of 3-D Systems
• 3-D Stacked Retinal Chip [Kaiho09]
Examples of 3-D Systems
• 3-D Stacked Retinal Chip [Koyanagi05]
Examples of 3-D Systems
• 3-D FPGAs [Razavi09]
Examples of 3-D Systems
• 3D-MAPS: Many-core 3-D Processor with
Stacked Memory [Lim10]
– Solid work!
Examples of 3-D Systems
• [Eloy10]
Future Work
• Malicious Inclusions
• Off-Chip I/O
– Wireless
– Wired
• Power
• Fault-Tolerant Chips for Critical Systems
Wireless: Capacitive Coupling
• [Kim09]
Wireless: Optical
• Bidirectional Communication [Dietz03]
Questions?
• faculty.nps.edu/tdhuffmi