Functional safety first became a serious issue for the semiconductor industry in 2011 with the introduction of the ISO 26262 standard for implementing functional safety in the automotive industry. Before that, functional safety had already been standardized in a generic way for all industries since the end of the 1990s in IEC 61508. However, in the field of industrial automation, where IEC 61508 is mainly applied, safety systems have tended to be – and still are – built discretely.
It is only recently that integrated circuits have started to emerge here, a development that is clearly being driven by technology in the automotive sector. This is evidenced not least by how many developers in other industries, including those whose development work is not carried out in accordance with ISO 26262, reference Part 11 of the standard. Part 11 was published in 2018 and explicitly addresses the standard's application to semiconductors.
Another way in which the automotive industry has had an outsize influence on developments in the field of functional safety is strong cost pressure, together with weight and size limitations, combined with high unit volumes. These factors are not present to the same extent for other safety systems, and they push the traditional approach to system safety, which relies on redundancy, to its limits. This is particularly critical for systems that cannot treat the switched-off mode as a safe state, such as a fast-moving vehicle in heavy traffic.
Reconciling the competing factors of safety on the one hand and size, weight and cost requirements on the other requires new approaches to the safety mechanisms used. As things stand, a safety mechanism usually works in such a way that it detects a fault in an element of the safety-critical system as soon as it occurs. This is sometimes relatively simple, e.g., a voltage measurement for the fault "open connection." Or it may involve a fault in a more complex element with redundant execution and comparison, such as two processor cores in lockstep, so that when their outputs are compared and there is a deviation, it shows a fault is present. In the first example, there is no need to include redundancy to operate a fail-safe system that shuts down in the event of a fault. In the second example, the redundancy is inherent. In both cases, if the system is to continue to function in the event of a fault (fail-operational), further redundancy must be provided: in the first case, to switch over to the redundant system, and in the second, to determine by majority vote which result is incorrect and to shut down the corresponding core.
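The difference between the lockstep pair and the voted triple described above can be made concrete with a small simulation. The following Python is an added illustration, not code from the author or from Fraunhofer; the "cores" are plain functions, and the fault injected into one of them (a constructed bit flip on every third input) stands in for a hardware fault. The lockstep comparator can only detect a mismatch and withhold the result, so the system stays fail-safe; the 2-out-of-3 voter can name the outlier, shut that core down and keep delivering a result, after which the two remaining cores fall back to plain lockstep comparison.

```python
"""Fail-safe (lockstep) versus fail-operational (2oo3 voting): a toy model.

Constructed example. The cores are ordinary callables and the fault is
injected in software; nothing here models a real lockstep controller.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

Core = Callable[[int], int]


def good_core(x: int) -> int:
    return x * 2 + 1


def faulty_core(x: int) -> int:
    # Constructed fault: a stuck bit corrupts the result for every third input.
    return (x * 2 + 1) ^ (0x8 if x % 3 == 0 else 0)


def lockstep_compare(primary: Core, shadow: Core, x: int) -> tuple[Optional[int], bool]:
    """Dual-core lockstep: run both cores, compare. A mismatch is detected,
    but the comparator cannot tell which core is wrong, so the only safe
    reaction is to withhold the result (fail-safe). Returns (result, fault)."""
    a, b = primary(x), shadow(x)
    if a != b:
        return None, True
    return a, False


@dataclass
class TripleVoter:
    """2-out-of-3 majority voter with degradation.

    With three live cores: if two agree and one differs, output the majority
    and shut the outlier down (fail-operational). With two live cores the
    voter can only compare, i.e. it has degraded to lockstep behaviour.
    """
    cores: list[Core]
    active: list[bool] = field(init=False)

    def __post_init__(self) -> None:
        self.active = [True] * len(self.cores)

    def step(self, x: int) -> tuple[Optional[int], Optional[int]]:
        """Returns (output or None if withheld, index of a core shut down now)."""
        live = [i for i, a in enumerate(self.active) if a]
        results = {i: self.cores[i](x) for i in live}
        if len(live) == 3:
            for i in live:
                others = [results[j] for j in live if j != i]
                if others[0] == others[1] and results[i] != others[0]:
                    self.active[i] = False        # isolate the dissenting core
                    return others[0], i
            vals = list(results.values())
            if vals[0] == vals[1] == vals[2]:
                return vals[0], None
            return None, None                      # three-way disagreement: withhold
        if len(live) == 2:
            a, b = (results[i] for i in live)
            return (a, None) if a == b else (None, None)
        return None, None


def run_scenario(inputs: list[int]):
    """Drive both architectures over the same inputs with core 1 faulty."""
    lock = [lockstep_compare(good_core, faulty_core, x) for x in inputs]
    voter = TripleVoter([good_core, faulty_core, good_core])
    vote = [voter.step(x) for x in inputs]
    return lock, vote, voter.active


if __name__ == "__main__":
    lock, vote, active = run_scenario([1, 2, 3, 4, 6])
    print("lockstep :", lock)      # result withheld whenever the fault fires
    print("2oo3 vote:", vote)      # core 1 shut down at x=3, results keep flowing
    print("active   :", active)
```

On the inputs used in the script, the lockstep pair withholds its output twice (at 3 and 6) and never learns which core is at fault, while the voter flags core 1 on the first mismatch and continues to produce correct results with the remaining two cores, now only fail-safe.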
One option for novel safety mechanisms that avoids this problem is to make use of predictive health monitoring. This is the collective term for various methods that have long been established in the field of reliability. Two of these methods are considered below and evaluated for their suitability for use as a safety mechanism.
In the first method, an electronic component's remaining lifetime is estimated from its load history. This involves recording various stress variables such as temperature or current. These are either compared with available statistics on field failures that have already occurred, or the loads are used to simulate failure mechanisms (physics of failure). This allows a prediction to be made a very long time before failure. However, the prediction is relatively imprecise, and its confidence is also relatively low. After all, it is based on models and statistical assumptions and does not take the component's individual properties into account. This makes it less suitable as a safety mechanism. It can nevertheless find application in the field of functional safety – specifically for better estimates of failure rates.
The second method is damage detection. This technique examines components to detect existing damage that is getting progressively worse, before it can lead to a functional failure. There are various ways to implement such damage detection: mechanical damage in IC packaging can be identified using thermal impedance measurements; breaks in conductive paths can be found using time domain reflectometry; and growing damage in transistors can be recognized via changes in their threshold voltage. This method is much more suitable for use as a safety mechanism. Although it predicts failures only in the relatively short term, its confidence is certainly on a par with that of conventional safety mechanisms, depending on the specific implementation and use case. It can predict more than 90% of failures – with a negligible false-positive rate.
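To show what turning a damage indicator such as threshold-voltage drift into a safety mechanism involves, here is an added Python example; it is not code from the author or from Fraunhofer. The threshold-voltage readings, the drift limit (16 mV) and the warning margin (2000 h) are all constructed illustration values, and the detector is a plain least-squares trend over a sliding window rather than a model of any specific aging mechanism. The point it demonstrates is the trade-off named in the text: a trend-based detector gives only short-term warning, but it is insensitive to a single noisy reading, which is what keeps the false-positive rate low.

```python
"""Damage-detection style monitor on a transistor threshold-voltage trend.

Constructed example. Readings, limit and margin are made-up illustration
values; the detector is a least-squares line fit over the last few readings,
extrapolated to the point where the drift would cross the limit.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    hours: float            # operating time of the latest reading
    slope_mv_per_kh: float  # fitted drift rate, mV per 1000 h
    hours_to_limit: float   # extrapolated time until the limit is reached (inf if not drifting)
    warn: bool              # True when predicted remaining time is below the margin


def _linear_fit(xs: list[float], ys: list[float]) -> tuple[float, float]:
    """Ordinary least squares; returns (intercept, slope)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return my, 0.0
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return my - slope * mx, slope


def assess(samples: list[tuple[float, float]], limit_mv: float,
           window: int = 6, margin_h: float = 2000.0) -> Verdict:
    """samples: (hours, vth_shift_mv) pairs, oldest first.

    Fits a line over the last `window` samples and extrapolates when the
    shift would cross `limit_mv`. One noisy reading barely moves the fit,
    so the warning follows the trend, not a single sample.
    """
    recent = samples[-window:]
    xs = [h for h, _ in recent]
    ys = [v for _, v in recent]
    intercept, slope = _linear_fit(xs, ys)
    now = xs[-1]
    if slope <= 0:
        ttl = float("inf")                       # no upward drift: nothing to predict
    else:
        ttl = max(0.0, (limit_mv - (intercept + slope * now)) / slope)
    return Verdict(now, slope * 1000.0, ttl, ttl < margin_h)


def monitor(samples: list[tuple[float, float]], limit_mv: float,
            window: int = 6, margin_h: float = 2000.0) -> list[Verdict]:
    """Evaluate the detector after every reading once the window is full."""
    return [assess(samples[:i], limit_mv, window, margin_h)
            for i in range(window, len(samples) + 1)]


# Constructed readings (hours, Vth shift in mV): flat with one noise spike at
# 1500 h, then a steady drift of 1.5 mV per 500 h from 3500 h onwards.
SAMPLES: list[tuple[float, float]] = [
    (0, 2.0), (500, 2.0), (1000, 2.0), (1500, 5.0), (2000, 2.0), (2500, 2.0), (3000, 2.0),
    (3500, 3.5), (4000, 5.0), (4500, 6.5), (5000, 8.0), (5500, 9.5), (6000, 11.0),
]
LIMIT_MV = 16.0   # constructed drift limit at which the device is treated as failed


if __name__ == "__main__":
    for v in monitor(SAMPLES, LIMIT_MV):
        print(f"{v.hours:6.0f} h  drift {v.slope_mv_per_kh:6.2f} mV/kh  "
              f"time-to-limit {v.hours_to_limit:9.1f} h  warn={v.warn}")
```

Run as is, the spike at 1500 h never raises a warning (the fitted slope is flat or negative while it sits in the window), and the first warning appears at the 6000 h reading, when the extrapolated time to the limit drops to roughly 1667 h, inside the 2000 h margin. Tightening the margin buys more lead time at the cost of more false positives; that balance is the "depending on the specific implementation and use case" qualification in the text.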
So from a technical perspective, there is little standing in the way of implementing predictive health monitoring as a safety mechanism. As is usual in functional safety, however, standards will need to be set before this approach becomes accepted in industry. Working groups at various standardization organizations have already started work on this. Consequently, the next versions of ISO 26262 and IEC 61508 are expected to contain corresponding approaches.
Jens Michael Warmuth
Jens Michael Warmuth is group manager for functional safety and system reliability verification at the Fraunhofer Institute for Integrated Circuits' Engineering of Adaptive Systems Division.