Ai must be protected at the silicon level | Heisener Electronics
Contact Us +86-755-83210135-818
Language Translation

* Please refer to the English Version as our Official Version.

Ai must be protected at the silicon level

Technology Cover
Post Date: 2024-03-13, Micron Technology Inc.

The idea of incorporating security into applications is not new in the software world, nor are security features in semiconductor technologies such as memory. But the value of data, especially in artificial intelligence (AI) workloads, means that hardware-supported security is getting more attention.

Many networking and memory technologies have built-in security features - the "S" in SD cards stands for security, and SSDS have long had the ability to encrypt data. However, the key challenge in enabling hardware-level security features is educating users on how to implement them and ensuring that security does not affect the performance of the device and the overall system.

Carl Shaw, security and security architect at Codasip, a company focused on processor design automation and RISC-V processor IP, said that while hardware-backed security has been around for some time, protecting AI workloads is a relatively new concept.

Hardware-enabled security technologies for AI

Securing AI can be broken down into two stages:  security when training the network, which is more of an IT security issue, and security at the inference stage,  which occurs when executing the network,  according to Shaw. “This is the part that would most likely happen on a Codasip processor performing edge AI that we  need to consider.”

Shaw said that because AI algorithms are software, Codasip's secure boot and CPU-level security mechanisms protect any software running on the device from tampering and IP theft. "Our fail-safe technology will stop any corruption in the execution of the AI network."

He added that encryption, integrity protection, and authentication IP will provide protection for the output of AI models so that they can be securely stored and forwarded. "This is especially important where privacy is needed."

But with more and more microservices supporting containerized and virtualized applications all over the data center, cpus are already overwhelmed, and dealing with security issues will only add more stress. Nvidia's latest data processing unit (DPU), the BlueField-2, is used to offload, isolate, accelerate, and secure data center infrastructure services so that cpus and Gpus are free to focus on running and processing massive workloads, including artificial intelligence. The new DPU also reflects the trend of hardware playing a key role in enabling zero-trust security in the data center and at the edge.


Other hardware-enabled security technologies that are getting more attention as of late are physical unclonable function  (PUF) keys, due in part to increased need for encryption or a digital signature. A PUF is a physical object that,  for a given input and conditions (otherwise known as a “challenge”),  provides a physically defined “digital fingerprint” output that acts as a unique identifier,  most often for a semiconductor device,  such as a microprocessor. ReRAM manufacturer Crossbar recently announced it would apply its technology for use in  hardware security applications.

PUF keys aren’t new, either, but the growth of the internet-of-things market has created many opportunities,  and an increasing number of ASICs,  microcontrollers (MCUs) and systems-on-chip (SoCs) are embedding hardware cryptographic accelerators or software  cryptographic libraries. IoT devices at the edge are increasingly doing more AI workloads, too,  which means IoT device makers need a way to protect keys and other secret material by encrypting or wrapping them with  other keys — the root key must be kept secret and secret keys must be protected.

Intrinsic ID’s solution, for example, is an SRAM PUF-based key vault,  which ensures that no unencrypted secrets are stored on-chip,  while a root key is generated from an SRAM PUF when needed.


Equipment vendors need security support

According to Intrinsic CEO Pim Tuyls, around 2015, the Internet of Things really started to take off and there was a turning point in security at the hardware level. This has allowed the company to be more proactive in terms of security. "Once you start relying on all the devices around you and they get hacked, it's a big disaster."

Tuyls added that even small nodes need security, but you can't simply copy what's on a pc. "That's where we're seeing growth."

Tuyls said the company is working with a number of device vendors that focus on its core expertise and wants the company to help them build security features. For example, he noted that Intrinsic provides solutions to government, military and aerospace customers that put security at the top of their business needs.

For example, Gawan Semiconductor's SecureFPGA's Root of Trust provides a trust anchor for security use cases by using Intrinsic ID's BK(Secure Root Key Generation and Management software solution for iot Security). It allows device manufacturers to use internally generated unique identities to secure their products without adding expensive security-specific chips.

Likewise, Intrinsic's QuiddiKey hardware IP solution enables device manufacturers and designers to secure their products with internally generated, device-unique encryption keys without the need for additional silicon. Tuyls says digital IP can be applied to almost any chip, from tiny MCUS to high-performance SoCs.

Security has to be at the hardware level, he said, because so many devices rely on chips to run - even if the chip doesn't perform security-related tasks, it has to be protected because it's connected to something else. "It opens another door that shouldn't have been opened."

Complicating matters further is that if someone gains access to the chip, it's not always easy to see those connections and predict how things could go wrong. "It doesn't make sense to lock the front door firmly and leave the back door open," Tuyles said. By analogy, you don't want someone breaking into the back door without an alarm and easily finding valuables.

Smart home devices with basic artificial intelligence are one area that needs to be protected, given that many chips and MCUS are getting smaller every day, as are cars. "You don't want the software to be changed - strange things can happen while you're driving," Tuyls said. This includes attackers who may break into the vehicle, in which case data protection that supports the hardware is critical. "It needs to be strong enough; Otherwise, we'll all end up in big trouble."

Tuyls said the need for security is greater at the hardware level because if something goes wrong, the impact will be exponential. Hardware-level security is also easier to add, although integration with software can provide a robust, secure solution.

DRAM is the next security frontier

While corrupted AI can create havoc,  the need to protect it is also driven by the fact that AI workloads have become valuable intellectual property for many  companies. This is why Rambus has placed its focus on where AI data is crunched — DRAM. The company is an Intrinsic  partner and has a wide range of root-of-trust solutions that offer anti-tamper and security techniques for IoT devices  and data center applications.

Scott Best, director of anti-counterfeiting products and technologies in the security business unit at Rambus,  told EE Times that securing memory for any workload, such as AI, is expansive because memory means many things,  including low-density non-volatile types for scratch-pad applications or flash-based SSD in a server. “AI and machine  learning [ML] is really going to be impacting DRAM security in a pretty transformational way.”

He said a DRAM security solution is a really difficult problem to solve,  which is why it’s one of the last types of memory that people are willing to take on and apply security measures.

Security is critical, as DRAM is taking on some of the biggest and most intensive AI workloads,  which involve large datasets that require a system’s off-chip memory. “High-performance memory systems are not only  supporting very large datasets,  but the value of those datasets is also orders of magnitude more valuable than they used to be in previous generations,”  Best said. As an IP company, Rambus delivers circuits,  hardware and software that customers are going to compile into an SoC or FPGA to execute an algorithm. “But now the data  structure itself is the product,” he added.

Autonomous vehicles with training cameras that drive around neighborhoods are an excellent example,  he said. Applications capable of all the compute and physical work needed to gather training sets so they can be  distilled into a workload that an inference engine can execute on the edge are valued at tens of millions of dollars.  This change in what’s considered valuable is also challenging people’s notions of security perimeters. “It now includes  data that’s inside of off-chip DRAM memory.”

Best said this idea isn’t new for aerospace and defense industries, where there are some proprietary,  highly classified algorithms in extremely secure systems. “U.S. defense has had a long-storied interest in DRAM  security,  but it’s now transitioning over to much larger consumer-scale markets because of this AI/ML transformation that we’re  seeing now.”

He also said the risk to organizations is even higher given the value of this data. “It’s not just that adversaries are  trying to penetrate a system,  denial of service or learn the secrets they actually have — there’s actually strong value associated with that data.” If  it can be stolen and used in a competitive system, there’s revenue at stake in the commercial world.

DRAM security is in its first generation of solutions, according to Best,  while non-volatile memory is generally easier because the latency performance penalties are not there. SSDs have space  in reserve, but DRAM systems don’t have any extra memory. A 128-GB module, for example, is exactly 128 GB.

“There’s no extra memory swimming around on that module that is easy to use,”  Best said. The latency penalties are what make DRAM the most difficult type of memory to protect in a system, he added.

Memory provides a foundation of trust for the intelligent edge

Micron Technology clearly has skin in the game when it comes to making DRAM secure,  but it’s also looking at the larger picture when it comes to securing AI/ML data with the recent introduction of its  silicon root-of-trust solution,  Authenta. The cloud-based security offering is aimed at securing the IoT and intelligent edge,  and the company has enabled Authenta in a portfolio of industrial-grade Serial Peripheral Interface NOR (SPI-NOR)  devices with increased density and packaging. Collaborators on the Authenta Cloud Platform include Swissbit AG and  SanCloud.

Luis Ancajas, director of IoT security solutions and runner of the Authenta business unit at Micron,  said the expansion of the Authenta portfolio extends hardware security and services to a broader range of devices to  help bolster secure cloud services at the edge — with strong hardware security as a foundation.

Authenta uses strong cryptographic identity and secure element features directly embedded in the flash memory. “Trust is  not given;  it’s built,”  Ancajas said. “What we’re doing is we’re building a very foundational piece rooted to silicon because silicon is the  common denominator.”


Ancajas added that just as flash is common, SanCloud devices can use Authenta to provide customers with a wide range of security features, including secure boot, gold image locking, memory block allocation, secure over-the-air updates, and device integrity monitoring. At the same time, Swiss Bit started integrating Authenta into micro-sd cards, which is ideal for transforming iot systems.

For Authenta, the smart edge includes not only the Internet of Things, but also data centers, smart homes, and cars - the latter of which is becoming a personalized platform for different end customers, whether individual or fleet owners. This drives the need for security requirements that must be addressed at the hardware level and scaled across a broad ecosystem, including the cloud, Ancajas said. "It's not an easy thing for many people. It crosses the supplier divide."

Achieving security spans systems design, chip design, contract manufacturing, and more, he says, which is why Micron built the Authenta platform - by acting as a security architect, gluing together programming and security functions, including the necessary cloud apis, to streamline the process.

Ancajas said it was important to ensure that the architecture was simple and flexible while remaining aligned with the business model. Security is ultimately the driver of revenue, and linking it to memory is the key to flexibility.

He also drew a distinction between protecting data and protecting the cloud. Authenta isn't just about encrypting data from iot devices, it's also about authenticating them and being able to trust that no damage has been done to the system. "Security is the fundamental foundation. Trust is what really makes you deliver."

About US

Heisener Electronic is a famous international One Stop Purchasing Service Provider of Electronic Components. Based on  the concept of Customer-orientation and Innovation, a good process control system, professional management team,  advanced inventory management technology,  we can provide one-stop electronic component supporting services that Heisener is the preferred partner for all the  enterprises and research institutions.

Related Products