Hardware Trust Implications of 3-D Integration Ted Huffmire (NPS), Timothy Levin (NPS), Michael Bilzor (NPS), Cynthia E. Irvine (NPS), Jonathan Valamehr (UCSB), Mohit Tiwari (UCSB), Timothy Sherwood (UCSB), and Ryan Kastner (UCSD) 26 October 2010 Workshop on Embedded Systems Security (WESS)

Nile River Mystery on the Nile: Just Whose River Is It? Ethiopia Claims High Gound in Right-to-Nile Debate Thirsty Egypt Clings Tight to the Nile Weekend Edition Sunday (npr.org)

[Koyanagi05]

[Koyanagi05] Timeline

Alternative 3-D Approaches PoP [Lim10] Wire Bonding (SiP) [Amkor09]

Alternative 3-D Approaches PoP [Lim10]

Alternative 3-D Approaches [Amkor10]

Alternative 3-D Approaches Face-to-Face [Loh07]

Alternative 3-D Approaches Face-to-Back [Loh07]

What is 3Dsec? Economics of High Assurance –High NRE Cost, Low Volume –Gap between DoD and Commercial Disentangle security from the COTS –Use a separate chip for security –Use 3-D Integration to combine: 3-D Control Plane Computation Plane –Need to add posts to the COTS chip design Dual use of computation plane

Pro’s and Con’s Why not use a co-processor? On-chip? Pro’s –High bandwidth and low latency –Controlled lineage –Direct access to internal structures Con’s –Thermal and cooling –Design and testing –Manufacturing yield

Thermal Challenges Thermal Simulation [Loh06, Melamed09]

Yield Challenges Wafer-to-Wafer Bonding [Euronymous07]

Testing Challenges [Thärigen10]

Cost Cost of fabricating systems with 3-D –Fabricating and testing the security layer –Bonding it to the host layer –Fabricating the vias –Testing the joined unit

This Paper Can a 3-D control plane provide useful secure services when it is conjoined with an untrustworthy computation plane? Yes, provided: –Self-protection –Dependency Layering

Face-to-Back Bonding [Valamehr10]

Primitives [Valamehr10]

Threat Model Computation plane –Unintentional hardware flaws –Malicious software Not in scope –Malicious inclusions Nullify self-protection –Probing of the control plane –Compromising RF emissions

Security Model Self-protection –Do not place a post that allows the control plane to accept extraneous power, requests, or modifications. Layered dependencies –Control plane should not depend on the computation plane

Layered Dependencies Never depend on a layer of lesser trustworthiness

Dependency Properties Service –Communication (e.g., I/O) –Synchronization Call Resource Creation and Provision –Storage Contention

3-D Application Classes Enhancement of native functions Secure alternate service Isolation and protection Passive monitoring –Information flow tracking –Runtime correctness checks –Runtime security auditing

Design Example Secure Alternate Service

Examples of 3-D Systems Network-on-Chip [Kim07]

Examples of 3-D Systems Network-on-Chip [Kim07]

Examples of 3-D Systems Particle Physics [Demarteau09]

Examples of 3-D Systems Chip Scale Camera Module [Yoshikawa09]

Examples of 3-D Systems 3D-PIC 3-D CMOS Imager [Chang10]

Examples of 3-D Systems 3-D Stacked Retinal Chip [Kaiho09]

Examples of 3-D Systems 3-D Stacked Retinal Chip [Koyanagi05]

Examples of 3-D Systems 3-D FPGAs [Razavi09]

Examples of 3-D Systems 3D-MAPS: Many-core 3-D Processor with Stacked Memory [Lim10] –Solid work!

Examples of 3-D Systems [Eloy10]

Future Work Malicious Inclusions Off-Chip I/O –Wireless –Wired Power Fault-Tolerant Chips for Critical Systems

Wireless: Capacitive Coupling [Kim09]

Wireless: Optical Bidirectional Communication [Dietz03]

Questions? faculty.nps.edu/tdhuffmi