Design Article
Anti tamper real time clock (RTC) - make your embedded system secure
Mohit Arora, Prashant Bhargava, Stephen Pickering, Freescale Semiconductor
9/10/2009 1:27 PM EDT
Detecting tampers external to the System:
A system may face several kinds of attack from the outside world, such as damage to its casing or alteration of certain signals. These intrusions can be monitored by anti-tamper switches in the system. Because these switches must be monitored at all times, they need to be powered from the battery (RTC) supply.
Anti-tamper switches are prone to noise, which can cause false tamper conditions. It is therefore important to filter out this noise to prevent incorrect triggering.

Figure 2: External Tamper Detection
The tamper event should be one of the interrupt sources to the CPU. On a tamper event, the CPU can take actions such as erasing any secure information, generating a system reset, storing the tamper event in EEPROM or battery-backed registers, and finally clearing the interrupt flag. The CPU's response to a tamper event is generally application specific.
Note that once the tamper signal is asserted, it should not be cleared unless both the main supply (VDD) and the battery supply (VBAT) are removed. When supply is reconnected, tamper should be the default condition and should only be reset by code within the processor. In an electricity meter, for example, this is normally done during meter calibration.
An inherent disadvantage of open or passive anti-tamper switches is that they tend to oxidize with the passage of time. When a tamper occurs, these switches remain open due to the oxidation, so the tamper event may never be indicated to the system. This is overcome by the active tamper detection technique described in the next section.
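The noise filter and the sticky tamper flag described above can be modelled in software as follows. This is an added example, not code from the article or from any Freescale device; the filter depth, the structure and function names, and the choice to refuse a clear while the switch still reads open are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed filter depth: the pin must read "open" for this many
 * consecutive samples before a tamper is accepted. */
#define FILTER_SAMPLES 4u

typedef struct {
    uint8_t open_count;   /* consecutive samples with the switch open */
    bool    tamper_latch; /* sticky flag, held in the battery domain */
} tamper_mon_t;

/* VDD and VBAT were both removed and restored: tamper is the default. */
void tamper_power_on_reset(tamper_mon_t *m)
{
    m->open_count = 0;
    m->tamper_latch = true;
}

/* Feed one sample of the switch input (true = open).
 * Returns true when this sample newly sets the latch, which is the
 * point at which the interrupt to the CPU would be raised. */
bool tamper_sample(tamper_mon_t *m, bool pin_open)
{
    if (!pin_open) {            /* a closed reading restarts the filter */
        m->open_count = 0;
        return false;
    }
    if (m->open_count < FILTER_SAMPLES)
        m->open_count++;
    if (m->open_count == FILTER_SAMPLES && !m->tamper_latch) {
        m->tamper_latch = true;
        return true;
    }
    return false;
}

/* Called only by trusted code (e.g. the calibration routine). Design
 * choice of this example: refuse while the switch still reads open. */
bool tamper_clear(tamper_mon_t *m, bool pin_open)
{
    if (pin_open)
        return false;
    m->open_count = 0;
    m->tamper_latch = false;
    return true;
}
```

Closing the switch again never clears the latch; only `tamper_clear` does, which mirrors the requirement that the flag be reset by code within the processor.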
Active Tamper Detection:
Active tamper detection introduces a feedback loop, providing a more advanced method of monitoring external tampers while also extending the life of the anti-tamper switches. Unlike passive tampers, which are inputs, the active tamper mechanism includes one or more pairs of input/output switches. The chip outputs a known sequence (fixed or generated by a Linear Feedback Shift Register) on the output anti-tamper switch while monitoring the input tamper switches for the same sequence (as shown in Figure 3). As long as the sequence matches, no tamper is indicated. When the sequence skips a value or is incorrect, either due to an external tamper event or a fault in the switch, tamper is activated.

Figure 3: Active Tamper Detection
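The drive-and-compare loop of active tamper detection, as an added example that is not from the article or from any vendor's hardware. The 16-bit LFSR polynomial, the seed and all names are assumptions; `simulate_loop` is a constructed model of the external wire, either intact or stuck at one level.

```c
#include <stdbool.h>
#include <stdint.h>

/* 16-bit Fibonacci LFSR, taps 16,14,13,11: maximal length (assumed choice). */
static uint16_t lfsr_step(uint16_t s)
{
    uint16_t bit = ((s >> 0) ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u;
    return (uint16_t)((s >> 1) | (bit << 15));
}

typedef struct {
    uint16_t lfsr;     /* generator state */
    bool     expected; /* bit currently driven on the output pin */
    bool     tamper;   /* sticky: set on the first mismatch */
} active_tamper_t;

void active_tamper_init(active_tamper_t *a, uint16_t seed)
{
    a->lfsr = seed ? seed : 0xACE1u; /* an all-zero state locks the LFSR */
    a->expected = false;
    a->tamper = false;
}

/* Advance the sequence and return the bit to drive on the output pin. */
bool active_tamper_drive(active_tamper_t *a)
{
    a->lfsr = lfsr_step(a->lfsr);
    a->expected = (a->lfsr & 1u) != 0;
    return a->expected;
}

/* Compare the bit read back on the input pin with the driven bit. */
bool active_tamper_check(active_tamper_t *a, bool pin_in)
{
    if (pin_in != a->expected)
        a->tamper = true;
    return a->tamper;
}

/* Run n bit periods; if !wire_ok the input is stuck at stuck_level. */
bool simulate_loop(active_tamper_t *a, unsigned n, bool wire_ok, bool stuck_level)
{
    for (unsigned i = 0; i < n; i++) {
        bool out = active_tamper_drive(a);
        active_tamper_check(a, wire_ok ? out : stuck_level);
    }
    return a->tamper;
}
```

Because the sequence keeps toggling, an input stuck at either level (a cut wire, a short, or an oxidized contact) mismatches within a few bit periods, which is what a passive open/closed switch cannot guarantee.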
RajeevVats
9/13/2009 12:30 AM EDT
Good
jzwatches
12/14/2012 3:02 AM EST
Security has indeed fast become an issue with many products and appliances, from computer, electricity to luxury items. Many of these products are essential to our daily lives and we can’t live without them. Imagine the chaos and pandemonium that could result from the failing of such products and appliances. While products these days already have anti-tamper switches in their applications to prevent tampering, we must also keep a vigilant watch and ensure that all the necessary precautions are taken to prevent any possible attacks. - http://www.jzandf.com