SAN MATEO, Calif. With so much intellectual property being crammed into fewer and fewer ICs, the threat of hackers or rogue rivals tinkering with or stealing the code is prompting more companies to ponder possible security holes in their designs and how to sew them up.
Experts say there's no way to stop a chip's security wall from being breached given the right expertise and equipment. Indeed, Chipworks, which specializes in reverse-engineering analysis of ICs, has yet to come across a device or coding scheme that has stumped its engineers.
"There's always a way to figure it out, it just depends on the amount of time and effort you want to put into it," said Danka Kurjanowicz, manager of engineering services for the Ottawa-based company. Depending on how sophisticated the design is, Chipworks charges anywhere from $10,000 to millions to reverse-engineer an IC.
Short of making a chip fail-safe, there are ways to prevent all but perhaps the most sophisticated hackers from running away with a company's family jewels, observers said.
To that end, FPGA vendor Actel Corp. has taken up the cause of plugging security holes in programmable-logic devices. It's a topic that warrants more discussion than has been aired so far, especially as FPGAs take on bigger jobs in systems, Actel executives said. "A couple of years ago, because of the relative capacity of FPGAs, there were fewer gates and [users] didn't care as much about security," said Dennis Kish, vice president of corporate marketing for the Sunnyvale, Calif., company. "Now the special sauce is moving from the ASIC to the FPGA, and not having a secure solution for the FPGA is a real threat to people."
Hoping to capitalize on those concerns, Actel last week rolled a new version of its flash-based ProASIC-plus that includes encryption technology. The device can be configured so that it's accessible only through a special 263-bit key; or it can be locked down permanently so that all data coming in or out is blocked. "You can essentially throw away the key after it's done," Kish said.
Actel's goal is to give FPGA designers more reason to switch from the SRAM-based FPGAs offered by companies like Altera Corp. and Xilinx Inc. to its own flash-based products, which Actel says are inherently more secure even without the encryption technology. SRAM-based devices, which make up the lion's share of the PLD market, are generally higher in density and faster than nonvolatile FPGAs.
But when it comes to security, the SRAM-based FPGA has an Achilles' heel. Such devices require a separate PROM memory, which stores the configuration bits that are sent to the FPGA upon power-up. The configuration bits are thus exposed en route to the FPGA, and can be captured using a probe. Nonvolatile FPGAs based on flash technology, on the other hand, are self-configuring and do not require a separate PROM.
"With an SRAM device, all you really need is a technician, a probe and a programmer," said Julia Elvidge, vice president of marketing and sales at Chipworks. "Somebody can set themselves up fairly inexpensively" as a code thief. To break into a flash-based FPGA, a hacker has to lift the cover and probe the metal layers and logic circuitry. This is generally a more time-consuming process and requires sophisticated techniques, such as the use of a focused ion beam.
What's more, the programming and logic circuitry are intertwined, making it more difficult to discern the bits. "From an engineering point of view, they're all transistors. You're not always sure if it's a logic gate vs. the programming circuitry," Chipworks' Kurjanowicz said.
So far, talk of security holes in SRAM-based FPGAs has not been a serious concern at leading FPGA vendor Xilinx. The issue has been tossed around for at least 10 years, but the company reports that demand for highly secure FPGAs is still too low to justify flash-based parts for anything other than low-density CPLDs. Xilinx has tried to assuage customer fears of hacking by incorporating triple-DES encryption in its high-end FPGAs, which the company says is sufficient for most customers.
Krishna Rangasayee, senior manager for strategic solutions at Xilinx, reckons there's a $40 million market opportunity for highly secure FPGAs, but that's just 2 percent of the total market for PLDs. Thus, the company has no plans to depart from its SRAM-based road map. "The return on investment doesn't justify it," Rangasayee said. "Maybe it makes sense for Actel, but from our perspective it doesn't."
For its part, Actel will keep hammering away at the security issue in a Web site set for launch later this month.