Will custom silicon increase security risk?

Close-up of a microprocessor silicon die

Since the 1970’s, the explosion in computing, and our knowledge on how to secure it, has been driven by the mass-market manufacturing of general purpose semiconductor devices - but this is now changing and what will this change mean for security?

General Purpose Technology

Bresnahan and Trajtenberg 1 proposed that “technical progress and growth appear to be driven by a few ‘General Purpose Technologies’ (GPT’s), such as the steam engine, the electric motor, and semiconductors”. These are products that have a general applicability to solve different technical problems. Familiar examples are the microprocessors found in our PCs and cloud servers or the microcontrollers powering our embedded systems and IoT devices.

The success of these microprocessors and microcontrollers is due to the ability to manufacture the same product for many diverse applications at a huge scale, resulting in a high level of manufacturing efficiency and low cost. This business model provides the potential for enormous economic growth as long as the general-purpose capabilities of these devices can keep up with the advancing end-use applications that need them.

Since the 1970’s, our ability to miniaturise electronics has improved exponentially, resulting in the famous “Moore’s Law” where “the number of transistors in a dense integrated circuit (IC) doubles about every two years”. This doubling of the number of transistors, along with technological improvements in design and the design tools, has also resulted in an exponential growth in computing power. This in turn allowed the processors to keep up with the end-use applications, fueling their growth as part of a virtuous cycle.

The move to Specialist Technology

Bresnahan and Trajtenberg also predicted that as GPTs start to reach the end of their lifecycle and their progress slows, that other technologies will start to fill the gaps, breaking this virtuous cycle and leading to market fragmentation. Moore’s Law, for the time being, is still being maintained. However, the financial cost of moving to smaller and smaller semiconductor transistor geometries (from 10 microns in 1971 to 5 nanometers in 2021) is also increasing exponentially, ultimately slowing growth. GPTs also suffer from being “a Jack of all trades, but master of none” and in the age where power consumption is critical and end-use cases are becoming increasingly compute-intensive and more specific, then the extra silicon area used for general purpose applications starts to become a liability.

Specialist technology computing is slowly becoming mainstream again, as it was before the rise of the GPT processors. This can be seen in products such as Nvidia GPUs or Graphcore AI chips. These chips have huge compute capabilities but much more targetted application and their specialism results in much better power consumption, something that would be impossible to reproduce cost-effectively with general-purpose processors. It can also be seen in the recent move by Apple to produce their own M1 chip to power their next generation of computer products and provide commercial advantage over their competitors who are using GPT such as Intel processors. The M1 contains a general purpose CPU but also special-purpose GPU and neural network (AI) hardware accelerators and is showing impressive performance gains over traditional general-purpose processors. They’re also not alone. Other tech giants such as Google, Amazon, Baidu, Alibaba and Facebook are all developing their own chips to give themselves a competitive advantage as the GPT processing capability slows. Companies such as SiFive have also been born to specialise in domain-specific chips.

The implications for security

Software and hardware security have evolved along with the rising capabilities of the GPT devices. Although we’re still making mistakes (such as the Spectre attack), there has been significant progress on security hardening all devices from PC processors to embedded processors, with capabilities such as secure boot, isolated security environments including Intel SGX and ARM Trustzone, and hardware cryptographic acceleration amongst other features.

These security features have evolved because we understand the capabilities of these GPT devices, how they are attacked and how to secure them. It would be naive to think that complex specialist compute devices won’t also suffer from security vulnerabilities, some of which may be specific to the nature of the device.

Specialist devices may contribute to the further fragmentation of the hacker community beyond the current desktop/cloud / embedded system or hardware / software split, and also reduce the risk of attack from widely-deployed general attacks requiring low skill levels. However, while it may reduce the number of attackers capable of targetting a specialist device, if the device processes valuable data then it will still inevitably become a target and attacker specialisation may even lead to a more technically sophisticated attacker-defender arms race. There may also be the need for attackers with specialist skills to co-operate, better suited to organised groups, although loose co-operation over the internet will likley also continue. The interaction between specialist hardware blocks may also open up completely novel types of attacks at the boundaries, following the mantra coined by Graff and van Wyk 2 that “in computer security, the sum of parts is often a hole”.

Unless these devices are designed and developed with security being considered from the start, and with an open mind on the advanced attacks likely to target them, then we can expect to see some novel and potentially very damaging attacks in future.

How can we help?

If you want independent help to secure your hardware (or software), then please contact us through the web contact form or email us.

  1. Bresnahan, T.F. and Trajtenberg, M., “General purpose technologies ‘Engines of growth’?”, Journals of Econometrics, Volume 65, Issue 1 (Jan. 1995), pp 83–108; DOI:10.1016/0304-4076(94)01598-T ↩︎

  2. Graff, M. and van Wyk, K., “Secure Coding: Principles and Practices”, O’Reilly Media, ISBN-13 978-0596002428 ↩︎