By: Saman Sadr, President, Neuron IP & Richard Lin, Digital Design Lead, Neuron IP
The Importance of Security in Upcoming Chiplet Systems
In the ever-evolving landscape of semiconductor technology, the integration of chiplets and multi-die ecosystems has emerged as a groundbreaking paradigm shift. This revolution promises greater flexibility, scalability, and efficiency in designing and manufacturing complex electronic systems. However, this transformative leap forward also brings with it a host of new challenges, with none more critical than ensuring the security of these interconnected components. As chiplets and multi-die ecosystems become increasingly prevalent in applications ranging from data centers to consumer electronics, and from AI/ML and LLM’s (Large Language Models) to 5G and Automotive, the need for robust security measures to safeguard against potential threats has never been more pronounced. Balancing innovation and security in this dynamic environment pose a formidable task for industry leaders and researchers alike, demanding innovative solutions to address the intricate complexities of protecting sensitive data and intellectual property within these intricate and interconnected architectures.
Furthermore, in the context of multi-die heterogeneous System-in-Package (SiP) configurations, an additional layer of complexity emerges. These systems often require data communication with external sources or intermediate dies, making it imperative to recognize that the security challenges extend beyond the confines of individual chiplets. In many cases, data flows between different dies, necessitating secure channels for information exchange. As data traverses these externally facing or intermediate dies, it becomes vulnerable to interception, tampering, or other malicious activities, thereby accentuating the critical importance of securing not only the individual chiplets but also the entire communication infrastructure within these SiP ecosystems. This intricate interplay between security and data communication underscores the need for a comprehensive approach that encompasses the entirety of the multi-die system, ensuring that vulnerabilities at any point in the data pathway are rigorously addressed.
Figure 1 – System-in-package (SiP) multi-die communication sources (Source: Neuron IP)
To tackle these pressing security concerns, the open specification – UCIe™ (Universal Chiplet Interconnect Express) – has taken proactive measures by establishing a dedicated sub-working group focused on enhancing the security aspects of chiplet and multi-die ecosystems. This collaborative effort within the UCIe Consortium aims to define robust security management and best practices tailored specifically to the unique challenges presented by these advanced architectures. By fostering collaboration between industry experts and stakeholders, this Security sub-working group endeavors to provide the semiconductor industry with the guidance and solutions needed to fortify the security of data communication within SiP environments, thus ensuring the continued evolution of these innovative technologies while safeguarding against potential threats.
The Current Security Market and Impact
It’s estimated that a cyber-attack occurs somewhere in the world every 39 seconds and cost the global economy $8 Trillion in 2023 [1]. That’s a scary thought considering our devices generate about 330 million terabytes of data per day worldwide [2]. Data security has grown to affect almost every sector today - medical records, infrastructure, commerce, and government agencies, as well as everyday examples like account passwords, mobile devices, and our vehicles. Regardless of the contents or destinations, our networks and devices must fundamentally prioritize security; Especially in an environment where technology and malicious techniques are constantly evolving. In 2020, the ISACA UK found that infected routers accounted for 75% of all IoT attacks and in the first half of the year, over 36 billion records were leaked. One final incredible statistic about the importance of security, 93% of organizations had more than 1 security intrusion in the past year, and 78% experienced more than 3 intrusions [3].
Figure 2 – Data from Top 10 Security Trends by ISACA UK [3].
Security by Software or Hardware?
Due to the exponential increase in data generation, encryption and security in software alone adds an overwhelming overhead to our operating systems, computers, cars, and edge devices. A common solution is to use dedicated hardware security processors and accelerators to use hardware for specific tasks and to provide an accessible toolkit to the upper software layers. To quantify the difference, a 2018 paper by Utsav Banerjee, MIT analyzed Public-Key Encryption and found hardware is 500x faster, at 1/400th the power, and 1/10th the memory [4]. Kingston Technology reported similarly, with hardware encryption taking 1 second versus software encryption requiring 10 minutes.
Figure 3 – Software VS Hardware Encryption - Data Security Kingston Technology [5].
Many systems today include dedicated hardware suites and coprocessors to offload any security-related overhead. Several different names are used for these blocks – Hardware Security Module, Root of Trust, Trusted Platform Module, Secure Enclave, and many more. These blocks provide hardware acceleration for common security tasks – often an isolated trusted execution environment, secure boot & storage, side-channel obfuscation, authentication, and encryption. For interface connections like PCIe® and UCIe, it is critical to operate at the line/data rate to avoid adding bottlenecks and additional overhead.
Security Challenges in SoC & Chiplet Systems
Integrating more logic onto one package reduces the number of external interfaces that could lead to potential attackers, but both multi-die chiplet systems and monolithic chips share many security challenges and attack vectors which are constantly evolving. The most common attacks will steal secrets, encryption keys, unsecured data, or any information to gain access to other systems. To achieve these goals, there are numerous attack vectors, such as:
Side-channel attacks, which focus on analyzing power signatures, timing, or cache accesses, among other information which can inadvertently and indirectly expose algorithms, operations, or data contents.
Data remanence attacks will capture information moments before it is overwritten, deleted, or powered off – even the clean up of data must be secured.
Shared Memory Stacks & Common Bus Protocols, if not properly secured can also expose internal secrets and data.
Stealing secrets is only the tip of the iceberg, as attackers can intend to cause a denial of service, locking up a chip and freezing operations. Additionally, the silicon supply chain and manufacturing of chips is also important to secure. Many vendors and stages are involved in the fabrication of chips, which can lead to tampering, spoofing, IP theft, and reverse engineering. These attack vectors are evolving and must be carefully considered when architecting a specification and subsequent implementation, like in the UCIe specification.
The below figure provides an extreme example system-in-package which integrates a wide variety of available chiplet accelerators, memory, and common access protocols. In a monolithic system, each of these functions would be on separate packages and line-cards. Each of the connections (like between Compute and GPU), would be exposed via motherboard traces and need to be secured. With a chiplet approach, these functions can be integrated into one package with UCIe die-to-die communication links, where signals do not leave the package and are inherently more secure, but due-diligence is always an important aspect. Through UCIe, chiplets can also create a management structure, negotiate, and exchange security capabilities through a standardized and well-defined communication protocol.
Figure 4 – System-in-package example integrating a variety of Chiplet accelerators and memory with multiple access protocols which must be secured. (Source: Neuron IP)
The central IO chiplet contains high speed SerDes protocols for rapid off-chip communication, which can be secured by protocols like Ethernet MACSEC and PCIe IDE. Around the diagram there are many in-roads and out-roads, all of which need to be carefully considered and secured. Access protocols like the Advanced High-performance Bus (AHB), Direct-Memory-Access (DMA) ports, sideband channels, and test ports can allow users to change register settings, memory contents, and even internal states of the design. Usage must be authenticated and secured on a case-by-case basis without a major performance hit.
From high level security architecture perspective, various solution vectors can be considered ranging from ensuring each inner (or buried) die in the multi-die system is secured independently and is allocated a secure communication channel – this can be resource and latency intensive; or alternatively, first establish a security firewall at the perimeter (i.e. I/O) dies of the SiP, and then allow the inter-die data communication occur with the inner dies only once the Root of Trust is established. The later mandating the need for a security management ‘die’ function in the SiP. One can expect the complexity of the security architecture for the SiP’s to increase dramatically, as the heterogeneous systems themselves grow in the number of dies and complexity hosting different types of processing functions and accelerators, and various types and levels of memory and storage functions ranging from NVM’s to SRAM’s and multi-level cache.
In conclusion, as chiplets and multi-die ecosystems continue to redefine the landscape of semiconductor technology, the challenges and significance of security cannot be overstated. Safeguarding the integrity, confidentiality, and availability of data in these intricate SiP configurations is not only crucial for protecting sensitive information but also for enabling the widespread adoption of these advanced technologies. The efforts of organizations like the UCIe Consortium and its members reflect a proactive approach towards addressing these challenges head-on. As we move forward into a future where SiP ecosystems host a myriad of processing functions, accelerators, and memory types, it becomes evident that there will be an emergence of security enabled chiplet platforms which offer capabilities to unlock the full potential of chiplets and multi-die systems.
References
[1] “Cybersecurity Trends in 2023” Inclusion Cloud. https://inclusioncloud.com/insights/blog/cybersecurity-trends-2023/
[2] “Data growth worldwide 2010-2025” Statista https://www.statista.com/statistics/871513/worldwide-data-created/
[3] R. Bhardwaj, “Top 10 Cybersecurity trends for 2023” Network Interview. https://networkinterview.com/cybersecurity-trends/
[4] L. Hardesty, “Energy-efficient encryption for the internet of things” MIT News. https://news.mit.edu/2018/energy-efficient-encryption-internet-of-things-0213
[5] “Data Security – Kingston Knowledge Center” Kingston Technology. https://www.kingston.com/en/blog/data-security