Protecting data and IP with flash memory
May 24, 2017
Flash memory devices often do more than just store data - they offer specific features to secure data in embedded designs. Here's an overview of what...
Given the incredible number of potential threats to any system, it’s not surprising that designers need a way to protect system integrity. What might be surprising is that within its very bits and blocks, flash memory holds the key to protecting firmware and even hardware designs from attacks – either a deliberate overwrite from a hacker or an accidental corruption during service installation.
Flash devices offer several data protection measures, each with its own advantages for read, write, or erase protection. The security options add layers of security to slow down would-be hackers and thieves. These layers also provide protection from unintentional modifications. Some flash security features don’t add cost to the final design, and while the strongest flash protection features might cost more than standard flash, they are more affordable than a non-flash hardware encryption engine, hidden operations, authenticated operations, or software encryption applications.
Not all manufacturers or devices from the same manufacturer offer the same features. Designers must consider factors such as built-in security options, performance, density, size, and cost when selecting a flash device for the final application.
Finding the right solution
Evaluating the options begins with identifying the problem. Some key points to consider:
· Establish what must be protected amid the bits, data, and code. For example, a designer might need to protect electronic system serial numbers, security keys, boot code, or financial information used for services access, such as pay TV.
· Determine whether those bits, data, or code are likely to be affected through a software or physical disruption. A software attack could come from the Internet or a system application, for example. A physical attack could be caused by removal of a flash device from a printed circuit board.
· Identify whether the threat is intentional. Unintentional alterations like those caused by buggy software are typically easier to prevent since the cause of the problem is repeatable and not elusive. If the threat of attack is from a hacker or thief, quantify how much effort the attacker is willing to make. How much time and money a hacker or cloner is willing to spend determines how much security the design will require, as depicted in Figure 1.
A few flash devices offer password access features that slow thieves down by creating barriers that make the design a less desirable target for copying or cloning. IP thieves need to copy system data quickly and easily. Password access adds time, cost, and effort to low-overhead cloning operations.
Password access locks either the entire array or a select number of blocks in the main array against program, erase, or read access. Each block can be set individually to the desired protection level. Before the system leaves the factory for the end customer, a 64-bit password must be stored in the password area of the flash device and a matching password must be programmed into the system microcontroller (MCU) or other hidden storage.
When the system receives a command to read, modify, or erase data in the protected blocks, the system processor looks for a match between the number in the MCU and the flash device. If the pass code is not valid with both the MCU and the flash device, the data cannot be read or modified. If the system detects a matching pass code, individual blocks can be read or modified. Depending on the flash device, designers can choose from various protection modes including read, modify, and substitution prevention.
Password protection: Service theft deterrent
Password-based read protection is a simple, cost-effective way to thwart attempts to distribute pirated flash chips that enable access to premium services. Duplicated flash chips provide premium services to users who don’t pay for them, resulting in lost revenue for the service provider. But if the designer utilizes password protection on the flash device, the pirate is stuck with inoperable chips.
Even if the thief can bus snoop, discover the password, and copy the data from the chip, the 64-bit password in the pirated chip will not match the MCU in the system into which it is inserted, again making the chip inoperable.
Password protection: IP cloning and copying deterrent
In the case of cloning, IP thieves need to replicate and produce a design before an updated version of the original makes the clone obsolete. Flash memory password protection can create a significant enough delay to make the cloner seek an easier target because the flash protects the system’s hardware signature.
A flash device with a 64-bit password will help limit access to legitimate sources. Without the password, an IP cloner who uses a PROM programmer to read the flash chip will read back only zeroes.
The delay gives the manufacturer more time in the market before the clone can compete for revenue, creating enough delay for the original manufacturer to refresh the design before the cloner has an opportunity to produce a viable product. This built-in flash feature offers a highly cost-effective method to counter the revenue impact of IP loss.
Encrypted password access: Higher-level IP security
Whereas a 64-bit password slows down a cloner or service thief, an encrypted password adds a significantly higher level of data protection.
The passwords that pass from the flash and the MCU to the processor are encrypted. The processor deciphers the passwords using the algorithm and confirms a match. A bus snooper, on the other hand, can only read the encrypted password; it can’t decipher it. Without the unencrypted password, the flash chip is unreadable and the IP is protected.
Flash devices with an encrypted password typically cost more than those that do not because the algorithm is implemented on silicon, which adds to the component cost. However, the cost of the flash chip is nominal compared to lost service revenue.
Block-locking software protection
Volatile and nonvolatile block-locking features use software commands to lock and unlock blocks, protecting data from inadvertent modification. In volatile block locking, bits in a volatile array are mapped to main memory array blocks. These Volatile Protection Bits (VPBs) can be modified individually and set or cleared as often as needed. However, they can only protect blocks that are not locked with nonvolatile array bits. When the system power is cycled or the hardware is reset, the VPBs revert to their default unlocked or locked state.
Nonvolatile block locking keeps blocks locked or unlocked as defined by the designer, even after a power cycle or reset. A NonVolatile Protection Bit (NVPB) is mapped to each block and can lock each block individually. NVPBs can be cleared through a clear-bits or erase command.
Nonvolatile block locking can be used to ensure blocks remain locked against inadvertent overwrites even after an unexpected power cycle or reset.
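The following C model is an added illustration of the two mechanisms described above, the password-gated block access from the "Finding the right solution" section and the volatile/nonvolatile block locking just described; it is not code from the article, from Micron, or from any real flash device's command set. The block count, block size, protection-level names (PROT_NONE, PROT_MODIFY, PROT_READ_MODIFY), the factory password value, and the assumption that VPBs default to unlocked after a reset are all constructed for the example. It shows what a host sees at each step: a read-protected block returning only zeroes until the MCU's copy of the 64-bit password matches, a write refused by a VPB or NVPB, a VPB that cannot release an NVPB, and the different fates of the two bit types across a power cycle.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NUM_BLOCKS 4   /* constructed toy geometry, not a real part's */
#define BLOCK_SIZE 8

/* Password protection level a designer assigns per block (names are constructed). */
enum prot_level { PROT_NONE, PROT_MODIFY, PROT_READ_MODIFY };

struct flash_model {
    uint8_t         data[NUM_BLOCKS][BLOCK_SIZE];
    enum prot_level level[NUM_BLOCKS];  /* password-gated protection per block */
    uint64_t        password;           /* value held in the flash password area */
    bool            unlocked;           /* true after a matching password was presented */
    bool            vpb[NUM_BLOCKS];    /* Volatile Protection Bits: revert on power cycle */
    bool            nvpb[NUM_BLOCKS];   /* NonVolatile Protection Bits: survive power cycle */
};

/* Fold all 64 bits of the XOR difference so the compare takes the same time for any mismatch. */
bool password_match(uint64_t stored, uint64_t presented) {
    uint64_t diff = stored ^ presented;
    diff |= diff >> 32; diff |= diff >> 16; diff |= diff >> 8;
    diff |= diff >> 4;  diff |= diff >> 2;  diff |= diff >> 1;
    return (diff & 1) == 0;
}

/* Factory step: store the 64-bit password and fill each block with recognisable content. */
void flash_init(struct flash_model *f, uint64_t factory_password) {
    memset(f, 0, sizeof *f);
    f->password = factory_password;
    for (int b = 0; b < NUM_BLOCKS; b++) memset(f->data[b], 0xA0 + b, BLOCK_SIZE);
}

/* The MCU presents its stored copy; protected blocks stay locked unless it matches. */
bool flash_unlock(struct flash_model *f, uint64_t presented) {
    return (f->unlocked = password_match(f->password, presented));
}

/* Power cycle or reset: VPBs revert to unlocked (assumed default), NVPBs persist, lock re-engages. */
void flash_power_cycle(struct flash_model *f) {
    memset(f->vpb, 0, sizeof f->vpb);
    f->unlocked = false;
}

/* VPBs may be set or cleared freely, but only on blocks not held by an NVPB. */
bool flash_set_vpb(struct flash_model *f, int blk, bool locked) {
    if (f->nvpb[blk]) return false;
    f->vpb[blk] = locked;
    return true;
}
void flash_set_nvpb(struct flash_model *f, int blk) { f->nvpb[blk] = true; }
void flash_clear_nvpbs(struct flash_model *f) { memset(f->nvpb, 0, sizeof f->nvpb); } /* clear-bits command */

/* A read-protected block reads back only zeroes until the password has matched. */
bool flash_read(const struct flash_model *f, int blk, uint8_t out[BLOCK_SIZE]) {
    if (f->level[blk] == PROT_READ_MODIFY && !f->unlocked) {
        memset(out, 0, BLOCK_SIZE);
        return false;
    }
    memcpy(out, f->data[blk], BLOCK_SIZE);
    return true;
}

/* Program/erase is refused by a block lock (VPB or NVPB) or an unsatisfied password level. */
bool flash_program(struct flash_model *f, int blk, const uint8_t *in, size_t len) {
    if (len > BLOCK_SIZE || f->vpb[blk] || f->nvpb[blk]) return false;
    if (f->level[blk] != PROT_NONE && !f->unlocked) return false;
    memcpy(f->data[blk], in, len);
    return true;
}

/* Walks the article's scenarios; returns how many expectations failed (0 means all held). */
int run_scenario(void) {
    struct flash_model f;
    uint8_t buf[BLOCK_SIZE];
    const uint8_t patch[BLOCK_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    const uint64_t factory_pw = 0x0123456789ABCDEFULL;   /* constructed value */
    int failures = 0;
    flash_init(&f, factory_pw);
    f.level[0] = PROT_READ_MODIFY;   /* keys / boot code: hidden until the password matches */
    f.level[1] = PROT_MODIFY;        /* serial number: readable, but not modifiable */
    failures += flash_read(&f, 0, buf) || buf[0] != 0;        /* a programmer sees zeroes */
    failures += !flash_read(&f, 1, buf);                      /* block 1 still readable */
    failures += flash_program(&f, 1, patch, BLOCK_SIZE);      /* ...but not writable */
    failures += flash_unlock(&f, factory_pw ^ 1);             /* wrong MCU password: no change */
    failures += !flash_unlock(&f, factory_pw);                /* matching password */
    failures += !(flash_read(&f, 0, buf) && buf[0] == 0xA0);  /* block 0 now readable */
    failures += !flash_program(&f, 1, patch, BLOCK_SIZE);     /* block 1 now writable */
    failures += !flash_set_vpb(&f, 2, true);                  /* volatile lock on block 2 */
    flash_set_nvpb(&f, 3);                                    /* nonvolatile lock on block 3 */
    failures += flash_program(&f, 2, patch, BLOCK_SIZE);
    failures += flash_program(&f, 3, patch, BLOCK_SIZE);
    failures += flash_set_vpb(&f, 3, false);                  /* a VPB cannot release an NVPB */
    flash_power_cycle(&f);
    failures += !flash_program(&f, 2, patch, BLOCK_SIZE);     /* VPB gone after reset */
    failures += flash_program(&f, 3, patch, BLOCK_SIZE);      /* NVPB survived */
    failures += flash_read(&f, 0, buf);                       /* password lock re-engaged */
    flash_clear_nvpbs(&f);
    failures += !flash_program(&f, 3, patch, BLOCK_SIZE);     /* released by clear-bits */
    return failures;
}
```

The constant-time compare in password_match is a design choice for the model rather than a claim about any particular device: a compare that stops at the first differing bit would let a bus-level observer learn the password one bit at a time from timing, which is exactly the kind of low-effort shortcut the password feature is meant to deny.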
A range of protection
Flash security features (summarized in Figure 2) offer an affordable, secure alternative to protect IP, content, data, or system integrity and can vary by manufacturer and by device. From block locking to advanced encrypted password access, the key is to find the feature that addresses the type and source of a potential attack.
Bill Stafford is director of segment marketing for the Embedded Business Group at Micron, where he develops application strategies and product requirements for the embedded roadmap. Prior to working with Numonyx (recently acquired by Micron), he worked at Intel, where he spent 12 years in flash marketing and 10 years in the areas of field quality, product quality, and product engineering. Bill also repaired, maintained, and developed test procedures for aircraft electronics for the U.S. DoD.