This application relates to an electronic system that can be protected from unauthorized access and hardware piracy. This application also relates to a method and an apparatus for designing an electronic system that can be protected from unauthorized access and hardware piracy.
Electronic systems, which include hardware and/or software components, may be implemented on one or more monolithic devices that realize processing or control functions. The monolithic devices are referred to as “chips.” These chips may include processors, Programmable Logic Devices (PLDs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs) and other off-the-shelf (OTS) components. Examples of the PLDs are Field Programmable Gate Array (FPGA), Complex Programmable Logic Device (CPLD), and Programmable Array Logic (PAL).
The chips may be designed and sent to semiconductor foundries for fabrication. The fabricated chips are assembled with other components and deployed to a target product. During these processes, individuals or organizations may have unauthorized access to “soft” or “hard” intellectual property (IP) of the chips. The soft IP is represented by computer code, such as hardware description language, to describe abstract behavior or structure of the chips. This code is used to synthesize a real or hard IP of the chips. The individuals or organizations may include, but not limited to, chip foundries, integrated device manufacturers, contract manufacturers, parts distributors, and system integrators.
System designers may put safeguards into place to attempt to protect their designs from unauthorized access. However, a motivated attacker can often discover these safeguards and disable them via software or hardware manipulation. Unauthorized access may result in hardware piracy. Hardware piracy is the process of taking a piece of hardware, and using it in ways that it was not intended or replicating the systems or chips and selling them as “genuine” articles. For example, the chips may be pulled from their original circuit board and reused in different systems. The hardware piracy is dangerous for a number of reasons including a safety reason. That is, the reused chips may not be what a system integrator expects, and may therefore fail at critical times.
In order to counter the unauthorized access and hardware piracy, the original chip or system design may be modified with a locking system prior to fabrication. For example, there is a technique of inserting XNOR and XOR gates into a netlist to prevent piracy. This scheme, however, is vulnerable to reverse engineering if the netlist is compromised, as it is reasonably easy to identify the XNOR and XOR gates and the configuration logic that ties them all together. By writing a “chain walker” program, all interconnected XNOR and XOR insertions can be identified and subsequently removed, returning the logic to its original and unprotected state.
As such, the conventional safeguards do not address a fundamental aspect of the unauthorized access and hardware piracy problem. If an adversary can unlock the design, any number of counterfeit parts can be used in ways not intended by the original designer. Therefore, more efficient safeguards are needed to protect electronic systems from unauthorized access and hardware piracy.
An exemplary embodiment provides efficient safeguards for protecting electronic systems from unauthorized access and hardware piracy. The exemplary embodiment may replace selected logic of a design with reconfigurable hardware so that the design cannot be easily reverse-engineered. The reconfigurable hardware is configured by configuration data that is separately saved and loaded at system run-time. The exemplary embodiment uses an encrypted configuration data to prevent an attacker from deriving the portion of the design that is realized in the reconfigurable hardware. The bits of the configuration data may be randomly permuted to make reverse engineering more difficult.
In one aspect, a method of designing an electronic system is provided to protect the electronic system from unauthorized access and hardware piracy. The method includes describing the electronic system in a first design and replacing a portion of the electronic system with a reconfigurable module to generate a second design. The reconfigurable module includes a reconfigurable logic block and a configuration block for storing configuration data. The method also includes encrypting configuration data and saving the encrypted configuration data separately from the reconfigurable module. The reconfigurable logic block is configured to correspond to the portion of the electronic system in the first design when the configuration data is loaded in the configuration block.
In another aspect, an electronic system is provided that is protected from unauthorized access and hardware piracy. The electronic system includes a reconfigurable module including a reconfigurable logic block and a configuration block for storing configuration data. The reconfigurable logic block is configured to correspond to a portion of the electronic system when the configuration data is loaded in the configuration block. The electronic system also includes a memory device saving the configuration data separately from the reconfigurable module. The configuration data is encrypted and saved in the memory device.
In still another aspect, an apparatus is provided for designing an electronic system protected from unauthorized access and hardware piracy. The apparatus includes a storage device storing a first design of the electronic system. The apparatus also includes a processor configured to replace a portion of the electronic system with a reconfigurable module to generate a second design. The reconfigurable module includes a reconfigurable logic block and a configuration block for storing configuration data. The processor is also configured to encrypt configuration data and save the encrypted configuration data separately from the reconfigurable module. The reconfigurable logic block is configured to correspond to the portion of the electronic system in the first design when the configuration data is loaded in the configuration block.
The above and other aspects, features and other advantages will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
An exemplary embodiment provides an efficient method and apparatus for preventing electronic systems from unauthorized access and hardware piracy. In the exemplary embodiment, a system designer may design an electronic system and replace a part of the design with reconfigurable hardware that can be programmed with an encrypted configuration. The exemplary embodiment addresses the data-theft problem by encoding key elements of the design inside reconfigurable hardware. The reconfigurable hardware can emulate a number of functions depending on its configurations, and only one of the configurations is proper for the design. Therefore, the exemplary embodiment not only can protect against information theft, it can also prevent unauthorized access and use, as the chip output can be matched only when a corresponding encrypted configuration is loaded.
An exemplary embodiment may assign a unique key to the reconfigurable hardware so that the reconfigurable hardware cannot be used without a configuration encrypted with the key. Therefore, an electronic system may include reconfigurable hardware and a matched configuration that is loaded when the system is powered on. As such, the exemplary embodiment may provide a powerful barrier to piracy, as the encrypted configurations serve as a valid and inextricably linked fingerprint for both the device and its functionality. The combination of encrypted configuration and logic replacement with reconfigurable hardware creates an efficient defense against Intellectual Property (IP) theft and unauthorized use. Even if a netlist is compromised and even if the replaced logic structures are identified, the original logic function cannot be gleaned from the netlist or logic structures.
The exemplary embodiment is applicable to Application Specific Integrated Circuit (ASIC) chips as it is implemented on Programmable Logic Devices (PLDs). The PLD system is difficult to protect because of the relative ease with which the configurations of the devices can be stolen and subsequently reused. In the exemplary embodiment, however, configuration data or information is separately stored and used to configure the reconfigurable hardware at system run-time. Moreover, each PLD system can be made to be unique such that even if one system is compromised, the others are still protected.
Design application or tool 128 may enable system designers (“users”) to design an electronic system, such as an integrated circuit (IC). The users may be able to design an electronic system that is protected from unauthorized access and hardware piracy. Design tool 128 may generate a design 130 of the electronic system in different levels. For example, the design 130 may describe the electronic system in computer code, such as hardware description language (HDL). HDL is a human readable language used to define hardware circuits. The design 130 may also describe the electronic system in a netlist level. An exemplary design flow using design application or tool 128 will be described below with reference to
The human-readable RTL code is converted into a structural netlist including Boolean primitive functions (OR, NOR, XOR, AND, and others) interconnected by wires (step 206). Design application or tool 128 interprets the RTL code and performs optimizations to convert the design as specified in the RTL code into the structural netlist. This design is now timing-optimized, in that a system built in the way specified in the structural netlist will likely operate at the target design frequency. The structural netlist is used to implement the design through either the ASSP/ASIC (step 208) or FPGA (step 210).
An exemplary embodiment provides protection of the design in the RTL code and/or post-synthesis netlist level. The exemplary embodiment may replace critical logic of the design with varying types of reconfigurable hardware in the level of the RTL code generated in step 204. Design application or tool 128 may parse the RTL code and determine which sets of original RTL can be replaced. The exemplary embodiment may also or alternatively replace critical logic of the design with varying types of reconfigurable hardware in the structural netlist level generated in step 206. Design application or tool 128 may parse the structural netlist and determine which sets of the structural netlist can be replaced.
This replacement can be done in as many places as necessary in the design to achieve security goals. This replacement can be carried out automatically by analyzing the design and factoring in timing and area requirements. It may be necessary to factor in timing and area requirements as the reconfigurable hardware consumes more area and adds logic to timing paths. For example, if a circuit is intended to operate at 250 MHz (clock period is 5 ns) and original logic has a slack (e.g. timing margin) of 0.5 ns, then during the replacement process, the delays introduced by the reconfigurable hardware logic needs to be less than 0.5 ns.
The replacement process may be repeated multiple times to produce a unique output for each system. The unique output provides additional protection in that no two systems are alike. Therefore, hacking one system may not result in the others being compromised. This is most applicable to PLDs, where multiple RTL or netlist sources can be leveraged without significant cost penalties. For an ASIC, only one version of the replacement output may be used to manufacture the ASIC.
In an exemplary embodiment, the configuration is encrypted and saved separately from RSM 400 and loaded in configuration block 420 at system run-time. The configuration may be saved on the same chip or system board. This feature of a configuration enhances the protection of RSM 400 from unauthorized access and hardware piracy. One of ordinary skill in the art will appreciate that RSM 400 is one example and other embodiments may include more complex logic functions, or programmable state machine logic.
Using multiple forms and types of reconfigurable logic blocks combined with the variation provided through the permutation block 530 creates a unique version of configuration data, while at the same time uniquifying the logic which makes reverse-engineering much more difficult. RSM 500 can be built to have selective inversions in the configuration data. By using the inversion, one can selectively and randomly invert the configuration bit outputs on a module-by-module level. Thus, even a sophisticated attacker who can serially shift out the plaintext configuration bits may not be able to decipher them. The only way to decipher the configuration data is to probe each and every input to the reconfigurable modules in the design, which is prohibitively difficult.
The RTL code is searched for candidate primitives and a specified subset of candidates is replaced that meet timing constraints. Once candidates are selected, the candidate logic is removed, and replaced with a suitable RSM. This replacement process involves disconnecting signals, removing candidate logic instances, inserting RSM instances and reconnecting previously disconnected signals (step 630). At this point, the access mechanism is also inserted and connected to the RSMs so that they can be loaded with the proper functional configurations. Next, logic synthesis is performed (step 640).
Setting constraints helps avoid spurious timing errors caused by configurations. For example, if the RSM includes both a combinational and sequential path to its output, the appropriate configuration, which defines which of those two paths will be used under mission operation should be defined in the constraint file. Otherwise if the original candidate logic is purely combination and it is replaced with an RSM that also includes a DFF (sequential circuit) and if the synthesis tool achieves register to register timing using the RSM DFF, the combination path that includes additional combination logic elements that introduce additional propagation delay may not meet the specified timing requirements. The following code comparison shows how input RTL can be modified to replace a state machine with an RSM:
First, the netlist is analyzed (step 710) to determine candidates for replacement (step 720). Since STA has already been performed on the netlist, the original STA database of marginal timing paths (step 760) can be used to avoid replacing logic that is part of a critical timing path. The candidate structural logic is then removed and replaced by a structurally defined RSM (step 730). At that point, Static Timing Analysis can again be run to verify that the system still runs at the target clock frequency (step 740). If the system fails this test (step 750), the process can begin again, though RSMs with passing timing characteristics need not be replaced.
In the exemplary embodiment, an access mechanism involves an encrypted configuration data set decrypted by decryption block 860 and distributed via a daisy-chained access mechanism. The access mechanism of the exemplary embodiment is resistant to attack by invasive means, such as disassembly of the system or chip. Moreover, in the event that a system or chip is compromised, the effect is limited to the particular system or chip that is attacked. That is, although a system or chip is attacked, it is limited to the attacked system or chip and does not provide useful information on other systems or chips. One of ordinary skill in the art will appreciate that the daisy-chained access mechanism is one example and other embodiment may employ a different type of the access mechanism, such as a direct “star”-like topology.
For example, the original design includes a 2 input AND gate, as depicted in
Exemplary embodiments are described above. It is, however, expressly noted that these exemplary embodiments are not limiting, but rather the intention is that additions and modifications to what is expressly described herein also are included within the scope of the present implementation. Moreover, it is to be understood that the features of the various embodiments described herein are not mutually exclusive and can exist in various combinations and permutations, even if such combinations or permutations are not made express herein, without departing from the spirit and scope of the present implementation.
Since certain changes may be made without departing from the scope of the present implementation, it is intended that all matter contained in the above description or shown in the accompanying drawings be interpreted as illustrative and not in a literal sense. Practitioners of the art will realize that the sequence of steps and architectures depicted in the figures may be altered without departing from the scope of the present implementation and that the illustrations contained herein are singular examples of a multitude of possible depictions of the present implementation.
This application claims priority to provisional U.S. patent application No. 61/251,252 filed Oct. 13, 2009. The content of the aforementioned application is hereby incorporated herein by reference.
Number | Date | Country | |
---|---|---|---|
61251252 | Oct 2009 | US |