About Circuit Cellar Staff

Circuit Cellar's editorial team comprises professional engineers, technical editors, and digital media specialists. You can reach the Editorial Department at editorial@circuitcellar.com, @circuitcellar, and facebook.com/circuitcellar.

Issue 318: EQ Answers

Here are the answers to the four EQ problems that appeared in Circuit Cellar 318.

Problem 1: Outside of simply moving data from one place to another, most of the work of a computer is performed by “dyadic” operators — operations that combine two values to form a third value. Examples include addition, subtraction and multiplication for arithmetic; AND, OR and XOR for logical operations. A dyadic operation requires three operands — two “source” values and a “destination” location. One way to classify a computer’s ISA (instruction set architecture) is by the number of operands that are explicitly specified in a dyadic instruction. The classifications are:

  • 0-address (stack machine)
  • 1-address (accumulator-based)
  • 2-address
  • 3-address

Can you describe some of the pros and cons of each of these choices?

Answer 1:

0-address

A 0-address machine is also known as a “stack” machine. All operators take their source operands from the stack and place their result on it. The only instructions that contain memory addresses are the “load” and “store” instructions that transfer data between the stack and main memory.

Pros: Short instructions, no implicit limit on the size of the stack.

Cons: More instructions required to implement most computations. Parallel computations and common subexpressions require a lot of “stack shuffling” operations.

1-address

In this type of machine, the ALU output is always loaded into an “accumulator” register, which is also always one of the source operands.

Pros: Simple to construct. Eliminates many of the separate “load” operations.

Cons: Requires results to be explicitly stored before doing another calculation. Longer instructions, depending on the number of registers, etc.

2-address

This type of machine allows the two source operands to be specified independently, but requires that the destination be the same as one of the source operands.

Pros: Allows more than one destination, eliminating more “move” operations.

Cons: Even longer instructions.

3-address

This type of machine allows all three operands to be specified independently.

Pros: Most flexible, eliminates most data moves.

Cons: Longest instructions.

To summarize, the short instructions of the stack machine allow a given computation to be done in the smallest amount of program memory, but require more instruction cycles (time) to complete it. The flexibility of the 3-address architecture allows a computation to be done in the fewest instruction cycles (least time), but it consumes more program memory.
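To make the trade-off concrete, here is an added example (not part of the EQ answer) that codes the same expression, r = (a + b) * (c - d), for four toy machines, one per operand-count class, and reports the instruction count and program-memory size of each. The encoding is an assumption: one opcode byte plus two bytes for every explicitly specified address. The 2-address total comes out larger than the 3-address total here only because this particular expression needs extra moves; the per-instruction length ordering is the one the answer describes.

```python
# Added example (not from the Circuit Cellar article): the same expression,
#   r = (a + b) * (c - d)
# coded for four toy machines, one per operand-count class. Instruction
# encoding is an assumption: 1 opcode byte plus ADDR_BYTES per explicit
# operand address, so "bytes" below measures program-memory use, and the
# instruction count stands in for execution cycles.
ADDR_BYTES = 2

OPS = {"ADD": lambda x, y: x + y, "SUB": lambda x, y: x - y, "MUL": lambda x, y: x * y}


def run_stack(program, mem):
    """0-address: operators take both sources from the stack and push the result."""
    stack = []
    for op, *args in program:
        if op == "PUSH":
            stack.append(mem[args[0]])
        elif op == "POP":
            mem[args[0]] = stack.pop()
        else:
            y, x = stack.pop(), stack.pop()      # top of stack is the right operand
            stack.append(OPS[op](x, y))
    return mem


def run_acc(program, mem):
    """1-address: the accumulator is always one source and always the destination."""
    acc = 0
    for op, addr in program:
        if op == "LOAD":
            acc = mem[addr]
        elif op == "STORE":
            mem[addr] = acc
        else:
            acc = OPS[op](acc, mem[addr])
    return mem


def run_two(program, mem):
    """2-address: the destination must be the same location as the first source."""
    for op, dst, src in program:
        mem[dst] = mem[src] if op == "MOV" else OPS[op](mem[dst], mem[src])
    return mem


def run_three(program, mem):
    """3-address: destination and both sources are specified independently."""
    for op, dst, src1, src2 in program:
        mem[dst] = OPS[op](mem[src1], mem[src2])
    return mem


def code_size(program):
    """Bytes of program memory under the assumed encoding."""
    return sum(1 + ADDR_BYTES * (len(ins) - 1) for ins in program)


PROGRAMS = {
    "0-address": (run_stack, [("PUSH", "a"), ("PUSH", "b"), ("ADD",),
                              ("PUSH", "c"), ("PUSH", "d"), ("SUB",),
                              ("MUL",), ("POP", "r")]),
    "1-address": (run_acc, [("LOAD", "a"), ("ADD", "b"), ("STORE", "t1"),
                            ("LOAD", "c"), ("SUB", "d"), ("MUL", "t1"),
                            ("STORE", "r")]),
    "2-address": (run_two, [("MOV", "t1", "a"), ("ADD", "t1", "b"),
                            ("MOV", "t2", "c"), ("SUB", "t2", "d"),
                            ("MUL", "t1", "t2"), ("MOV", "r", "t1")]),
    "3-address": (run_three, [("ADD", "t1", "a", "b"), ("SUB", "t2", "c", "d"),
                              ("MUL", "r", "t1", "t2")]),
}


def compare(a, b, c, d):
    """Run every program on the same inputs; returns {class: (result, instructions, bytes)}."""
    report = {}
    for name, (runner, program) in PROGRAMS.items():
        mem = {"a": a, "b": b, "c": c, "d": d, "t1": 0, "t2": 0, "r": 0}
        runner(program, mem)
        report[name] = (mem["r"], len(program), code_size(program))
    return report


if __name__ == "__main__":
    for name, (result, count, size) in compare(2, 3, 10, 4).items():
        print(f"{name}: r={result}, {count} instructions, {size} bytes")
```

With a = 2, b = 3, c = 10, d = 4 all four machines produce r = 30; the stack machine needs 8 instructions in 18 bytes, the 3-address machine 3 instructions in 21 bytes.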


Problem 2: In order to be generally useful, a computer ISA must be “Turing complete”, which means that it can — at least theoretically, if not in practice — perform any computation that a Turing Machine can do. This includes things like reading and writing data from a memory, performing arithmetic and logical computations on the data, and altering its behavior based on the values in the data. Most practical computers have relatively rich instruction sets in order to accomplish this with a reasonable level of efficiency. However, what is the minimum number of instructions required to achieve Turing-completeness?

Answer 2: Just one instruction, chosen carefully, is sufficient to achieve Turing-completeness. One example would be the instruction “subtract one from memory and branch if the result is not zero”. All of the operations of an ordinary computer can be synthesized as sequences of these “DJN” instructions. Note that since there is only one choice, there is no need to include an “opcode” field in the coding of each instruction. Instead, each instruction simply contains a pair of addresses: the data to be decremented, and the destination address of the jump.
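As an added illustration (not part of the EQ answer), the following interpreter executes exactly the one-instruction machine described: each instruction is a pair of addresses with no opcode field, and the only operation is “decrement the addressed cell, jump to the second address if the result is not zero.” Two programs are written for it, one that clears a cell and one that adds two cells, which shows how an “add” is synthesized from decrements alone by exploiting wraparound at the word width. The 8-bit word size, the flat memory layout, and the rule that execution halts when the program counter runs past the code are this example's assumptions.

```python
# Added example (not from the article): an interpreter for a one-instruction
# machine whose only operation is "decrement memory, jump if not zero" (DJN),
# plus two programs written for it. Layout and word size are assumptions:
# memory is a flat list of 8-bit words, instruction k is the address pair
# at mem[2k] (cell to decrement) and mem[2k+1] (absolute jump target), and
# execution halts when the program counter reaches the data area. Because
# instructions live in the same memory, a program could decrement its own
# address words (self-modifying code); the programs below do not need that.
WORD_MASK = 0xFF


def run_djn(mem, code_words, max_steps=1_000_000):
    """Execute from address 0 until pc >= code_words. Returns (memory, steps)."""
    mem = list(mem)
    pc = steps = 0
    while pc < code_words:
        if steps >= max_steps:
            raise RuntimeError("step limit reached; program did not halt")
        target, jump = mem[pc], mem[pc + 1]
        mem[target] = (mem[target] - 1) & WORD_MASK   # subtract one, wrap at word width
        pc = jump if mem[target] != 0 else pc + 2     # branch only if result is nonzero
        steps += 1
    return mem, steps


def djn_clear(x):
    """Program: one instruction that decrements cell 2 and loops until it reads zero."""
    mem = [2, 0,      # instr at 0: DJN cell 2, jump to 0
           x]         # cell 2: the value to clear
    final, _ = run_djn(mem, code_words=2)
    return final[2]


def djn_add(x, y):
    """Program: Y = (Y + X) mod 256 using only DJN. Adding 1 to Y is done by
    decrementing it 255 times (wraparound), counted with cell C. Returns
    (Y, steps executed)."""
    mem = [9, 2,      # 0: DJN Y -> 2   decrement Y; next instruction either way
           10, 0,     # 2: DJN C -> 0   repeat the Y decrement 255 times in all
           10, 6,     # 4: DJN C -> 6   C was 0, now 255 again, ready for next pass
           8, 0,      # 6: DJN X -> 0   another +1 on Y while X != 0, else halt
           x,         # 8: X
           y,         # 9: Y
           255]       # 10: C, the 255-count loop counter
    final, steps = run_djn(mem, code_words=8)
    return final[9], steps


if __name__ == "__main__":
    print("clear 5 ->", djn_clear(5))
    print("10 + 3  ->", djn_add(3, 10))
```

The cost of having only one instruction is visible in the step count: adding 3 to a cell takes 1536 executed instructions, and because the X loop also wraps, an X of 0 still runs 256 passes (adding 256, which is 0 modulo the word size) before halting.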


Problem 3: Some processor ISAs are notorious for not being “friendly” to procedure-oriented languages such as C, requiring a lot of work on the part of the compiler in order to produce reasonably efficient code, and even then, often introducing some restrictions for the programmer. What are some key features of an ISA that would make it “C-friendly”?

Answer 3: The key concept in procedure-oriented languages like C is that of function composition. This means that it must be easy to produce new functions by combining calls to existing functions, and that functions can be called in the process of building argument lists for other functions. The C language takes this to the extreme, in the sense that every operator — including the assignment operator — creates an expression that has a result value that can be used to build larger expressions. Therefore, one key architectural element is the ability to create function contexts — sets of parameters, local variables and return values — that can be “stacked” to arbitrary levels. In terms of an ISA, this means that it must support the direct implementation of at least one data stack that includes the ability to index locations within that stack relative to a stack pointer and/or a frame pointer. This concept is a direct abstraction from the hardware addressing modes of the PDP-11 minicomputer, the machine on which the first versions of C were developed. The PDP-11 ISA allows any of its 8 general-purpose registers to be used to address memory, with addressing modes that include “predecrement” and “postincrement” — implementing “push” and “pop” operations as single instructions — as well as “indexed indirect”, which allows local variables to be addressed as an offset from the stack pointer.
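The following added example (not the EQ answer's code, and a simplified model rather than the PDP-11 ISA itself) builds a machine with just the three features the answer names: predecrement “push”, postincrement “pop”, and indexed access relative to a frame pointer. A recursive function is run on it so that frames are genuinely stacked several levels deep, and a local variable is shown to survive a nested call because it is addressed as an offset from the frame pointer rather than from the moving stack pointer. The frame layout, the placeholder return address, and the choice to carry the return value in a Python return instead of a register are this example's own assumptions.

```python
# Added example (not from the article; a toy model, not the real PDP-11):
# a full-descending stack with -(SP) push, (SP)+ pop and FP-relative indexing,
# used to run a recursive function so frames are stacked to arbitrary depth.
RETURN_ADDR = 0xFFFF   # placeholder for the address a real CALL would push


class FrameMachine:
    def __init__(self, words=256):
        self.mem = [0] * words
        self.SP = words           # stack pointer: starts at top of memory, grows downward
        self.FP = 0               # frame pointer of the current function
        self.lowest_sp = self.SP  # deepest point the stack reaches during a run

    def push(self, value):
        """-(SP): predecrement, then store (one instruction on the PDP-11)."""
        self.SP -= 1
        self.mem[self.SP] = value
        self.lowest_sp = min(self.lowest_sp, self.SP)

    def pop(self):
        """(SP)+: load, then postincrement."""
        value = self.mem[self.SP]
        self.SP += 1
        return value

    def arg(self, i):
        """Indexed access: argument i sits above the saved FP and the return address."""
        return self.mem[self.FP + 2 + i]

    def local(self, i, value=None):
        """Indexed access: local i sits below the frame pointer; optionally stores."""
        if value is not None:
            self.mem[self.FP - 1 - i] = value
        return self.mem[self.FP - 1 - i]


def call(m, func, *args):
    """Caller side: push arguments right-to-left, then the return address."""
    for a in reversed(args):
        m.push(a)
    m.push(RETURN_ADDR)
    result = func(m)
    m.pop()               # discard the return address
    m.SP += len(args)     # the caller removes its own arguments (C convention)
    return result


def sum_to(m):
    """Callee: sum_to(n) = n + sum_to(n - 1), with sum_to(0) = 0."""
    m.push(m.FP)          # prologue: save the caller's frame pointer
    m.FP = m.SP           # establish this frame
    m.SP -= 1             # reserve one local slot
    m.lowest_sp = min(m.lowest_sp, m.SP)
    n = m.arg(0)
    m.local(0, 0 if n == 0 else call(m, sum_to, n - 1))   # local holds the partial sum
    result = n + m.local(0)   # still addressable after the nested call has returned
    m.SP = m.FP           # epilogue: drop the locals
    m.FP = m.pop()        # restore the caller's frame pointer
    return result


def run_sum(n, words=256):
    """Returns (result, stack words used at the deepest point, stack balanced afterwards)."""
    m = FrameMachine(words)
    result = call(m, sum_to, n)
    return result, words - m.lowest_sp, m.SP == words


if __name__ == "__main__":
    print(run_sum(5))   # 15, six frames of four words each, stack restored
```

Each frame costs four words here (argument, return address, saved FP, one local), so sum_to(5) builds six frames and reaches 24 words deep; the balanced-stack flag at the end is the check that every prologue was matched by its epilogue.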


Problem 4: Sometimes a computer must work on data that is wider than its native word width. What is the key feature of its ISA that makes this easy to do?

Answer 4: The key feature in an ISA that allows arithmetic and shift operations to be extended to multiples of the processor’s native word width is that of a “carry” status bit. This bit allows one bit of information to be “carried” forward from one instruction to the next without requiring extra instructions to be executed.

For arithmetic operations, this bit remembers whether the instruction operating on the lower-order words of the operands resulted in a numerical “carry” or “borrow” that will affect the instruction operating on the next-higher-order words. Similarly, for shift and rotate instructions, this bit remembers the state of the bit shifted out of one word that needs to be shifted into the next word.
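The carry mechanism described above, as an added example (not from the EQ answer): single-word add-with-carry, subtract-with-borrow, and shift-through-carry primitives, chained across a list of words to operate on values wider than the native word. The 8-bit word width and the least-significant-word-first representation are this example's assumptions. Note that the final carry or borrow is returned rather than discarded: it is the one bit that tells the caller the multi-word result did not fit, which is exactly the condition that silent wraparound would hide.

```python
# Added example (not from the article): multi-word arithmetic and shifts built
# from single-word operations that pass one bit through a "carry" flag.
# WORD_BITS is an assumption (8-bit words); values are lists of words,
# least significant word first.
WORD_BITS = 8
WORD_MASK = (1 << WORD_BITS) - 1


def adc(x, y, carry_in):
    """ADD with carry: one word in, one word out, plus the carry for the next word."""
    total = x + y + carry_in
    return total & WORD_MASK, total >> WORD_BITS


def sbb(x, y, borrow_in):
    """SUBtract with borrow: the carry bit carries the borrow to the next word."""
    diff = x - y - borrow_in
    return diff & WORD_MASK, 1 if diff < 0 else 0


def multiword_add(a, b):
    """Chain adc() from the low word upward. Final carry set = result did not fit."""
    out, carry = [], 0
    for x, y in zip(a, b):
        word, carry = adc(x, y, carry)
        out.append(word)
    return out, carry


def multiword_sub(a, b):
    """Chain sbb() from the low word upward. Final borrow set = result went negative."""
    out, borrow = [], 0
    for x, y in zip(a, b):
        word, borrow = sbb(x, y, borrow)
        out.append(word)
    return out, borrow


def shift_left_through_carry(words):
    """Multi-word shift left by one: the bit shifted out of each word enters the next."""
    out, carry = [], 0
    for w in words:                        # low word first
        carry_out = w >> (WORD_BITS - 1)
        out.append(((w << 1) & WORD_MASK) | carry)
        carry = carry_out
    return out, carry                      # carry = bit shifted out of the top word


def shift_right_through_carry(words):
    """Multi-word shift right by one, processed from the high word downward."""
    out, carry = [], 0
    for w in reversed(words):
        carry_out = w & 1
        out.append((w >> 1) | (carry << (WORD_BITS - 1)))
        carry = carry_out
    return out[::-1], carry                # carry = bit shifted out of the low word


def to_words(value, n):
    return [(value >> (WORD_BITS * i)) & WORD_MASK for i in range(n)]


def from_words(words):
    return sum(w << (WORD_BITS * i) for i, w in enumerate(words))


if __name__ == "__main__":
    s, c = multiword_add(to_words(0xFFFF, 2), to_words(1, 2))
    print(hex(from_words(s)), "carry", c)   # 0x0, carry 1: the overflow is not lost
```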

Contributor: David Tweed

Raspberry Pi Maker: An Interview with Eben Upton

About five years ago, a small group of enthusiast designers led by Eben Upton launched a small, inexpensive computer that looked nothing like a normal computer. The bare green PCB board appealed to makers and hackers and the option to connect a keyboard and screen appealed to traditional computer nerds. Today, the Raspberry Pi is the best-selling personal computer in the United Kingdom.

Circuit Cellar recently visited Cambridge, England, to interview Upton about his work at the Raspberry Pi Foundation and more. Check it out.

Arrow Electronics and Conexant Systems Collaborate on Development of Amazon Alexa-Enabled Smart Home Products

Arrow Electronics recently agreed to distribute and source components and provide technical design support for Conexant’s AudioSmart 2-Mic Development Kit for Amazon Alexa Voice Service (AVS). Conexant recently announced a collaboration with Amazon on an AVS-approved AudioSmart 2-Mic Development Kit. Featuring the Conexant AudioSmart CX20921 high-performance hands-free Voice Input Processor and “Alexa” wake word technology, the Conexant AudioSmart 2-Mic Development Kit will help developers and manufacturers quickly and easily build Alexa-enabled products that provide users with an ideal voice experience.

The Conexant AVS-approved AudioSmart 2-Mic Development Kit is designed to be easily integrated into any third-party AVS system prototype based on the Raspberry Pi. Its dual-microphone voice processing capability recognizes the “Alexa” wake word and delivers speech requests from anywhere in a room—even in noisy, real-world conditions. It also enables voice barge-in capabilities, allowing users to interrupt their Alexa device when it is playing music or other types of sound.

Source: Conexant

New Scalable Biometric Sensor Platform for Wearables and the IoT

Valencell and STMicroelectronics recently launched a new development kit for biometric wearables. Featuring STMicro’s compact SensorTile turnkey multi-sensor module and Valencell’s Benchmark biometric sensor system, the platform offers designers a scalable solution for designers building biometric hearables and wearables.

The SensorTile IoT module’s specs and features:

  • 13.5 mm × 13.5 mm
  • STM32L4 microcontroller
  • Bluetooth Low Energy chipset
  • a wide spectrum of MEMS sensors (accelerometer, gyroscope, magnetometer, pressure, and temperature sensor)
  • Digital MEMS microphone

Valencell’s Benchmark sensor system’s specs and features:

  • PerformTek processor communicates with host processor using a simple UART or I2C interface protocol
  • Acquires heart rate, VO2, and calorie data
  • Standard flex connector interface

Source: Valencell

Tracealyzer 3.1 Offers Support for Trace Streaming Over USB

Percepio AB recently released Tracealyzer 3.1, which is a trace tool that supports RTOS trace using just a standard USB cable. You can increase your development speed by using Tracealyzer for debugging, validation, profiling, documentation, and training.

The trace recorder library is now easier to configure for streaming over custom interfaces, and includes support for USB streaming on STM32. (It can be adapted for other microcontrollers.) USB offers excellent performance for RTOS tracing and over 600 KB/s has been measured on an STM32 using USB 2, several times more than required. Other stream ports include TCP/IP and SEGGER J-Link debug probes. Tracealyzer 3.1 can also receive trace streams via Windows COM ports (e.g., from USB CDC connections), UART connections, or any virtual COM port provided by other target interfaces.

Tracealyzer 3.1 can identify memory leaks in systems that use dynamic memory allocation. It can record memory allocation events (e.g. malloc, free) from multiple operating systems, and it can display such allocations that have not been released. Since the memory allocation events are linked to the task trace, you quickly find the context of the allocation and investigate the problem. The recorder library simplifies integration and now provides a common API for both streaming and snapshot recording.
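The leak-detection idea described above, as an added example (not Percepio's code, and not Tracealyzer's trace format; the event line layout below is a constructed stand-in): allocation and release events are paired by block address, so whatever is still outstanding at the end of the trace is reported together with the task that allocated it, and frees that match no live block are flagged as anomalies in their own right.

```python
# Added example (not Percepio's code; the line format is a constructed
# stand-in for a real trace): pair malloc/free events by address so that any
# block still outstanding at the end of the trace is reported with the task
# that allocated it, plus frees that match no live allocation.
import re
from collections import OrderedDict

EVENT_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<task>\S+)\s+(?P<op>malloc|free)\s+"
    r"(?P<addr>0x[0-9a-fA-F]+)(?:\s+(?P<size>\d+))?$"
)

# Constructed sample trace: timestamp, task, event, block address[, size].
SAMPLE_TRACE = """\
100 SensorTask malloc 0x20001000 64
120 SensorTask free 0x20001000
150 NetTask malloc 0x20001100 256
170 UiTask malloc 0x20001200 32
190 NetTask free 0x20001100
210 NetTask malloc 0x20001300 256
230 UiTask free 0x20001300
250 UiTask free 0x20001400
"""


def parse_events(text):
    """Turn trace lines into dicts; lines that are not allocation events are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = int(ev["ts"])
        ev["size"] = int(ev["size"]) if ev["size"] else None
        events.append(ev)
    return events


def find_leaks(events):
    """Returns (outstanding, anomalies). outstanding: malloc events never freed,
    in allocation order; anomalies: (kind, event) for frees of unknown blocks
    and for a malloc that returns an address that is still live."""
    live = OrderedDict()
    anomalies = []
    for ev in events:
        if ev["op"] == "malloc":
            if ev["addr"] in live:
                anomalies.append(("malloc-of-live-block", ev))
            live[ev["addr"]] = ev
        elif ev["addr"] in live:
            live.pop(ev["addr"])           # a free by any task releases the block
        else:
            anomalies.append(("free-of-unknown-block", ev))
    return list(live.values()), anomalies


def bytes_outstanding_by_task(outstanding):
    """Aggregate unreleased bytes per allocating task, the context a developer wants first."""
    totals = {}
    for ev in outstanding:
        totals[ev["task"]] = totals.get(ev["task"], 0) + (ev["size"] or 0)
    return totals


if __name__ == "__main__":
    outstanding, anomalies = find_leaks(parse_events(SAMPLE_TRACE))
    for ev in outstanding:
        print(f"leak: {ev['addr']} ({ev['size']} bytes) allocated by {ev['task']} at t={ev['ts']}")
    for kind, ev in anomalies:
        print(f"{kind}: {ev['addr']} by {ev['task']} at t={ev['ts']}")
    print(bytes_outstanding_by_task(outstanding))
```

On the sample trace the block at 0x20001200 (32 bytes, UiTask) is the only leak, the cross-task free of 0x20001300 is treated as legitimate, and the free of 0x20001400 is reported because no allocation for it was ever seen.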

 

Source: Percepio AB

Mouser Shipping CC1350 SensorTag Development Kit and Antenna Kit

Mouser Electronics now has two new Texas Instruments development kits in stock: the CC1350 SensorTag development kit and the sub-1-GHz and 2.4-GHz antenna kit for LaunchPad and SensorTag. Designed for low-power wide area networks (LPWAN), the CC1350 features dual-band connectivity that expands the functionality of a sub-1 GHz network with Bluetooth low energy (BLE) implementations. The sub-1 GHz and 2.4 GHz antenna kit for LaunchPad and SensorTag enables you to perform tests to determine the optimal antenna for applications.

CC1350 SensorTag development kit:

  • Expands the SensorTag ecosystem with a single-chip Bluetooth Smart radio and a sub-1-GHz radio.
  • Offers easy mobile phone integration with long-range connectivity based on a 32-bit ARM Cortex-M3 processor
  • Runs for years on a single coin cell battery
  • Enables direct connection with Bluetooth to smartphones and tablets, combined with a 2-km range for the sub-1-GHz radio interface

The sub-1 GHz and 2.4 GHz antenna kit for LaunchPad and SensorTag includes:

  • 16 tested and characterized antennas for frequencies from 169 MHz to 2.4 GHz, including PCB antennas, Helical antenna, chip antennas, and dual-band antennas for 868 or 915 MHz combined with 2.4 GHz.
  • A µSMA (JSC) cable to connect to LaunchPad and SensorTag kits, including the CC1350 SensorTag development kit, as well as the CC2650 LaunchPad and CC1310 LaunchPad.
  • A µSMA (JSC)-to-SMA connector for connecting the kit or antennas to a standard SMA connector

Source: Mouser

Smart Home Reference Designs for IoT Device Development

Silicon Labs recently launched two new wireless occupancy sensor and smart outlet reference designs for home automation. FCC and UL-precertified, the reference designs comprise hardware, firmware, and software tools that enable you to develop Internet of Things (IoT) systems based on Silicon Labs’s ZigBee “Golden Unit” Home Automation (HA 1.2) software stack and multiprotocol Wireless Gecko SoC portfolio. Both reference designs include Silicon Labs’s EFR32MG Mighty Gecko SoC.

The occupancy sensor reference design is a precertified ZigBee HA 1.2 solution featuring a wirelessly connected passive IR sensor along with ambient light and temperature/relative humidity sensors from Silicon Labs. The compact occupancy sensor’s battery-powered design provides up to five years of operation. The sensor’s detection range extends up to approximately 40′ with a 90° viewing window.

The smart outlet reference design is a precertified solution for a wirelessly controlled outlet plug. You can use it to power and control a wide variety of home and building automation products. Powered by an AC main-voltage line, the smart outlet communicates wirelessly to ZigBee mesh networks. It features the following: built-in diagnostics and metering with a user-friendly web interface; an AC voltage range of 110 to 240 V for global use along with a robust 15-A load current; and integrated high-accuracy sensors (ambient light and temperature/humidity).

Silicon Labs’s occupancy sensor and smart outlet reference designs are currently available. The RD-0078-0201 occupancy sensor reference design costs $49. The RD-0051-0201 smart outlet reference design costs $119. (All prices USD MSRP.)

Source: Silicon Labs

Scalable Wearable Development Kit

ON Semiconductor recently announced the availability of a new Wearable Development Kit (WDK1.0). The kit comprises the following: a touchscreen display; wired and AirFuel-compatible wireless charging capability; a six-axis motion sensor and temperature sensor; an alarm, timer, and stopwatch; schematics; firmware and sample code; a dock station for charging; and a downloadable SmartApp for evaluating and controlling the smartwatch’s multiple functions.

The WDK1.0’s features, specs, and benefits:

  • NCP6915 power Management IC provides five LDOs and one DC-DC
  • NCP1855 battery charger IC, an LC709203F fuel gauge, and a 10-W rated SCY1751 wireless charging front-end controller
  • MEMS-based FIS1100 IMU, with three‐axis gyroscope and three‐axis accelerometer operation for multidimensional motion tracking
  • Embedded temperature sensor included and an LC898301 driver IC for initiating haptic feedback
  • nRF52832 multi-protocol system-on-chip (SoC)
  • Eclipse-based IDE
  • 1.44″ 128 × 128 pixel TFT display with a capacitive touch screen
  • 26‐pin expansion port

Source: ON Semiconductor

Mini Multi-Sensor Module for Wearables & IoT Designs

STMicroelectronics’s miniature SensorTile sensor board comprises a MEMS accelerometer, gyroscope, magnetometer, pressure sensor, and a MEMS microphone. With the on-board low-power STM32L4 microcontroller, the SensorTile can be used as a sensing and connectivity hub for developing products ranging from wearables to Internet of Things (IoT) devices.

The 13.5 mm × 13.5 mm SensorTile features a Bluetooth Low-Energy (BLE) transceiver including an onboard miniature single-chip balun, as well as a broad set of system interfaces that support use as a sensor-fusion hub or as a platform for firmware development. You can plug it into a host board. At power-up, it immediately starts streaming inertial, audio, and environmental data to STMicro’s BlueMS free smartphone app.

Software development is simple with an API based on the STM32Cube Hardware Abstraction Layer and middleware components, including the STM32 Open Development Environment. It’s fully compatible with the Open Software eXpansion Libraries (Open.MEMS, Open.RF, and Open.AUDIO), as well as numerous third-party embedded sensing and voice-processing projects. Example programs are available (e.g., software for position sensing, activity recognition, and low-power voice communication).

The complete kit includes a cradle board, which carries the 13.5 mm × 13.5 mm SensorTile core system in standalone or hub mode and can be used as a reference design. This compact yet fully loaded board contains a humidity and temperature sensor, a micro-SD card socket, as well as a lithium-polymer battery (LiPo) charger. The pack also contains a LiPo rechargeable battery and a plastic case that provides a convenient housing for the cradle, SensorTile, and battery combination.

SensorTile kit’s main features, specs, and benefits:

  • Cradle/expansion board with an analog audio output, a micro-USB connector, and an Arduino-like interface that can be plugged into any STM32 Nucleo board to expand developers’ options for system and software development.
  • Programming cable
  • LSM6DSM 3-D accelerometer and 3-D gyroscope
  • LSM303AGR 3-D magnetometer and 3-D accelerometer
  • LPS22HB pressure sensor/barometer
  • MP34DT04 digital MEMS microphone
  • STM32L476 microcontroller
  • BlueNRG-MS network processor with integrated 2.4-GHz radio

Source: STMicroelectronics

New Bluetooth 5-Ready SoC Offers Increased Range, Bandwidth, & Security

Nordic Semiconductor’s new Bluetooth 5-ready nRF52840 SoC is well suited for smart home, advanced wearables, and industrial IoT applications. In addition to supporting 802.15.4, it’s capable of delivering Bluetooth low energy (BLE) wireless connectivity with up to 4× the range or 2× the raw data bandwidth (2 Mbps) compared with the BLE implementation of Bluetooth 4.2.

The nRF52840 SoC’s features, specs, and benefits:

  • Features a 64-MHz, 32-bit ARM Cortex M4F processor employed on Nordic’s nRF52832 SoC
  • A new radio architecture with on-chip PA boosting output power considerably, and extending the link budget for “whole house” applications, a doubling of flash memory to 1 MB, and a quadrupling of RAM memory to 256 KB
  • Support for Bluetooth 5, 802.15.4, ANT, and proprietary 2.4-GHz wireless technologies
  • A full-speed USB 2.0 controller
  • A host of new peripherals (many with EasyDMA) including a quad-SPI
  • Operates from power supplies above 5 V (e.g., rechargeable battery power sources)
  • Incorporates the ARM CryptoCell-310 cryptographic accelerator offering best-in-class security for Cortex-M based SoCs. Extensive crypto ciphers and key generation and storage options are also available.

Nordic released the S140 SoftDevice and associated nRF5 SDK with support for Bluetooth 5 longer range and high throughput modes in December 2016. Engineering samples and development kits are now available. Production variants of the nRF52840 will be available in Q4 2017.

Source: Nordic Semiconductor 

Free “Internet of Things For Dummies” E-Book

Qorvo recently launched its latest e-book series, Internet of Things For Dummies, in partnership with John Wiley and Sons. The two-volume series—Internet of Things For Dummies and Internet of Things Applications For Dummies—is available as a free download.

Intended for both technical and nontechnical professionals, the e-books cover the basics of the IoT market, RF challenges, and how it’s being implemented.

Volume 1 — Internet of Things For Dummies:

  • IoT and smart home market opportunities
  • An overview of different IoT communications standards
  • Tips for leveraging small data and self-learning in the cloud

Volume 2 — Internet of Things Applications For Dummies:

  • Deliver IoT applications with a smart home butler
  • Create consumer lifestyle systems for the smart home
  • Develop IoT applications beyond the smart home

Source: Qorvo

Flowcode 7 (Part 3): Modbus and DMX512 (Sponsor: Matrix)

In the first article in this series, you were introduced to Flowcode 7, a flowchart-driven electronic IDE that enables you to produce hex code for more than 1,300 different microcontrollers, including PIC8, PIC16, PIC32, AVR, Arduino, and ARM. The second article detailed how to get working with displays in Flowcode. This article will investigate some of the more complex communications components, Modbus and DMX. Both of these components basically let you do the same thing, which is to use one device (Master) to control one or more remote devices (Slaves). Access the third article.


Want a Free Trial and/or Buy Flowcode 7? Download Now

Flowcode is an IDE for electronic and electromechanical system development. Pro engineers, electronics enthusiasts, and academics can use Flowcode to develop systems for control and measurement based on microcontrollers or on rugged industrial interfaces using Windows-compatible personal computers. Visit www.flowcode.co.uk/circuitcellar to learn about Flowcode 7. You can access a free version, or you can purchase advanced features and professional Flowcode licenses through the modular licensing system. If you make a purchase through that page, Circuit Cellar will receive a commission.

Understanding Embedded Security

Protecting products and intellectual property (IP) from attackers is a fairly new concept that many engineers have not yet had to face. It is only a matter of time, though, until products—which are becoming more embedded and integrated with the real world—become targets for attacks leading to theft of service, loss of revenue, or a damaged corporate reputation. Consumer electronics, financial and medical technology, and network products are all at risk.

In this article, I’ll focus on the “why” and the “what” of embedded security, also known as secure hardware. Why does it matter? Why is it important to you, the designer? In what ways can someone attack your product? Because you can’t incorporate secure design methods without understanding what you are protecting and why, this article is a fitting introduction to the complexities of embedded security.

Reading this article won’t turn you into a security expert overnight. Nor will it provide all the answers to your secure hardware design needs. But, it will help you understand the major classes of attack and the mindsets of potential attackers. Actual secure hardware mechanisms come in all shapes and sizes, ranging from tamper-resistant enclosures to embedded IC dies in PCBs (to make them more difficult to probe). I’ll discuss these in a future Circuit Cellar article.

What embedded security typically comes down to is this: Is the cost of a successful attack greater than the value of what’s being protected? I’ll present some guidelines to help you make a determination.

UNDERSTAND YOUR RISK

As with everything in engineering, embedded security is all about trade-offs—risk management, as they say in the business world. Are there components or data in your system that need to be protected? If so, how much is it worth to protect them?

Forget what the glossy marketing material says about security products. There’s never a single answer and a single product to solve everybody’s product security needs. Every product has its own threat risks and is susceptible to certain types of attacks. Before being able to make an educated, informed decision, you need to understand the threat, the value of the contents being protected, and the reason for protecting such contents. Essentially, weaker, more vulnerable devices should contain less valuable secrets.

For example, a priceless family heirloom might be stored in a fireproof and tool-resistant safe. However, it wouldn’t make much financial sense to purchase such a safe to store an easily replaceable, inexpensive piece of jewelry. By the same token, it wouldn’t be feasible to implement an extremely secure, multilayered hardware solution just to protect a single password that is used to access undocumented features in a mobile phone; but, it would be in order to protect a financial institution’s cryptographic keys used for encrypted communications whose theft could result in the loss of millions of dollars.

When defining the security envelope of your product, there are three questions you should ask yourself (or your design team). First, what needs to be protected? Identify the critical components in your circuit that need to be protected before you start construction. It’s extremely difficult to implement proper security mechanisms after the fact. Such components to protect may include specific algorithms, device identifiers, digital media, biometrics, cryptographic keys, or product firmware. In addition to protecting discrete data contents, you may be interested in implementing a secure product boot sequence, secure field programmability, or a secure remote-management interface. Be aware that in some cases, even noncritical portions of your design can unknowingly compromise the security of the system, especially if they fail in an unanticipated way.

Second, why is it being protected? In most situations, critical data is being protected to prevent a specific attack threat. Ignoring or overlooking the possibility of attack can lead to a vulnerable product. In some countries, protecting certain content may be a legislative requirement. For example, a medical device containing confidential patient information must be secured in order to meet the U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements.

Finally, whom are you protecting against? The types of attackers vary, ranging from a curious, harmless hardware hacker to an entire group of researchers backed by a competitor, organized crime, or government. As such, it’s important to attempt to properly identify the skill level and theoretical goals of the primary attackers against your product.

As a designer, you have the challenging task and responsibility of creating and ensuring your system’s security. You must understand every possible aspect of the design and are typically constrained by technical, financial, and political agendas. Attackers have an easier job, which is to exploit insecurities in the system. They need only to discover one vulnerable area of the design, and they typically have few constraints on their methods. They’ll likely choose the attack that yields the best results in the easiest and most repeatable fashion.

CLASSES OF ATTACK

No system will ever be 100% secure. “Secure” simply can be defined as when the time and money required to break the product is greater than the benefits to be derived from the effort. Given enough determination, time, and resources, an attacker can break any system.

At the highest level, four classes of security threat exist, as described by C.P. Pfleeger in Security in Computing. Through interception (or eavesdropping) an attacker can gain access to protected information without opening the product. With embedded systems, this can be achieved by monitoring the external interfaces of the device and by analyzing compromising signals within electromagnetic radiation or current fluctuations. On a computer network, this can be done by illicitly copying data or through promiscuous mode network monitoring. Although a loss may be discovered fairly quickly for certain attacks, like credit card theft or spoofed user authentication, a silent interceptor might not leave any traces.

Interruption (or fault generation) is a threat because an asset of a product becomes unavailable, unusable, or removed. An example is the malicious destruction of a hardware device, the intentional erasure of program or data contents, or a denial-of-service network attack. Fault generation consists of intentionally provoking malfunctions, such as operating the device under abnormal environmental conditions, which may lead to the bypassing of certain security measures.

The third type of threat is modification, which involves tampering with a product’s asset. Modification is typically an invasive technique for both hardware (e.g., circuit modifications or microprobing) and software/firmware (e.g., changing the values of data or altering a program so that it performs a different computation).

Lastly, fabrication creates counterfeit assets in a product or system. Fabrication can come in many forms, including adding data to a device, inserting spurious transactions into a bus or interface, and a man-in-the-middle attack on a network. Sometimes these additions can be detected as forgeries, but if skillfully done, they may be indistinguishable from the real thing.

TYPICAL ATTACK GOALS

When a product is targeted, the attacker usually has a goal in mind. This may be a simple goal, such as reverse engineering the circuitry in order to personalize or customize the device, or a more dedicated one, such as retrieving cryptographic keys or sensitive product trade secrets.

The specific goal of an attack tends to fit into one of four categories. The first is competition (or cloning), which is a scenario in which an attacker (usually a competitor) reverse engineers or copies specific IP in order to gain an advantage in the marketplace. The goal is to improve a product by using the stolen technology or to sell lower-priced knockoffs. Common target areas are circuit board features and product firmware.

Theft-of-service attacks aim to obtain a service for free that usually requires payment. Examples include mobile phone cloning, bypassing copy protection schemes on video game systems, and modifying cable boxes to receive extra channels.

User authentication (or spoofing) attacks are typically focused on products that are used to verify the owner’s identity, such as an authentication token, smartcard, biometric reader, or one-time-password generator. The attacker’s main goal is to gain access to personalized data and systems by spoofing the identity of the legitimate user.

Privilege escalation (or feature unlocking) attacks are aimed at accessing the hidden/undocumented features of a product and increasing the amount of control given to the user without having legitimate credentials. For example, using specialized circuitry to communicate with a mobile phone to gain access to phone diagnostics or acquiring administrator access on a network appliance.

Generally, an attack is achieved in one of three ways. In a focused attack, the adversary brings the target product into a private location to analyze and attack it on his or her own time with little risk of being discovered. A focused attack is probably the most familiar type of attack. Consider a curious student modifying a piece of hardware in his dorm room or a more determined criminal in a laboratory attempting to crack encryption routines.

Lunchtime attacks often take place during a small window of opportunity, such as a lunch or coffee break. Typically, the attack would need to be completed in a short period of time, ranging from a few minutes to a few hours. Lunchtime attacks are risky because they are easily detected if the target product is missing or has visibly been tampered with. For example, if you check your coat at a restaurant, an attacker could remove your PDA, retrieve the desired data, and return the PDA to your coat pocket within a matter of minutes and without being detected. Another example is an attacker copying data from a target’s authentication token or USB thumb drive that they left on their desk while attending a meeting.

Finally, there’s the insider attack, which may come in the form of run-on fraud by a manufacturer (producing additional identical units of a product to be sold on the gray market) or a disgruntled employee willing to sabotage the product or sell critical information such as system firmware or encryption keys. Many, but not all, insider threats can be thwarted with strict compartmentalization of critical data, access control, and chain-of-custody policies.

PRODUCT ACCESS

There are many ways an attacker can gain access to your product, but it often corresponds directly to the attack goal and usually involves one of four methods. In the first instance, the attacker purchases the product through a retail outlet, often with no means of detection (e.g., paying with cash). Multiple products could be purchased, with the first few serving as disposable units to aid in reverse engineering or to discover any existing tamper mechanisms. This scenario may be financially prohibitive for low-budget attackers but is typical for most focused attacks.

In the second instance, the attacker rents or leases the product from a vendor, distributor, or rental company, often on a monthly basis. Most attack types are possible in this instance, but because there is a high risk of detection when the product is returned, attackers will be cautious not to tamper with it.

In some cases, the attacker does not own the target product. The product is in active operation and may belong to a specific person (e.g., a mobile phone or smartcard), but the attacker may have physical access to the product. This is the most difficult type of attack because the risk of detection is high.

In the final scenario, the attacker does not have access to the product, so all attacks are performed remotely (e.g., through a wired or wireless network). The attacker does not require special hardware tools and can easily mask his location. The risk of detection is low. Remote access attacks are common against computer networking equipment and appliances, such as routers, firewalls, access points, web servers, and storage area networks.

UNDERSTAND THE ATTACKER

“The only way to stop an attacker is to think like one.” That’s a favorite saying of mine. An FBI profiler tries to put himself in the mind of his subject. You must do the same when figuring out what, if any, security features you need to implement in your design. Today, because of advances in technology, the lower cost of products, and easy access to once-specialized tools, attacks against hardware are becoming more prevalent.

Attackers can be classified into three groups depending on their expected abilities and strengths: class I (clever outsiders), class II (knowledgeable insiders), and class III (funded organizations). This classification is essentially an industry standard for describing attackers in an academic fashion.[1]

Class I attackers are often extremely intelligent but might have insufficient knowledge of the system. They might have access to only moderately sophisticated equipment. They often try to take advantage of an existing weakness in the system rather than try to create one. Sometimes referred to as “script kiddies” in the computer security industry, these attackers run preprogrammed scripts to exploit known security vulnerabilities instead of finding their own.

Class II attackers have a substantial amount of specialized technical education and experience. They have a decent knowledge of the product or system, and often have highly sophisticated tools and instruments for analysis.

Class III attackers are teams of specialists with related and complementary skills backed by great funding. They are capable of performing in-depth system analysis, designing sophisticated attacks, and using the most advanced analysis tools. They may use Class II adversaries as part of the attack team.

Table 1 is a comparison of each attacker class against available resources. The table may help to visualize the capabilities of the various attacker groups.

Table 1: Take a look at each attacker class compared to available resources. As you can see, each class has specific capabilities that will play a part in determining your product’s risk of attack.[2]

ADDING SECURITY

Security is a process, not a product. Security must be designed into your product during the conceptual design phase, and it should be considered for every portion of the design. It must be continually monitored and updated in order to have the maximum effect against attacks. Security can’t be added to a product and forgotten about. The product won’t remain secure forever.

Many times, an engineering change will be made to the product circuitry or firmware without a reevaluation of system security. Without a process in place to analyze changes throughout the design cycle, security that was properly implemented at the beginning of the design may become irrelevant by the time the product goes into production.

The primary concern is to incorporate risk analysis and security considerations into each step of your product’s development life cycle. Five principles, which are based on recommendations from the National Institute of Standards and Technology, serve as a good checklist. For more information, refer to “Engineering Principles for Information Technology Security (A Baseline for Achieving Security)” by G. Stoneburner et al. Let’s take a look at each one.

First, treat security as an integral part of your overall product design. It’s extremely difficult to implement security measures properly and successfully after a system has been developed.

Second, reduce risk to an acceptable level. Elimination of all risk is not cost-effective and likely impossible because nothing is 100% secure. A cost-benefit analysis should be conducted for each proposed secure hardware mechanism to ensure that it is performing its intended task at a desired cost.

Next, implement layered security. (Ensure no single point of failure.) Consider a layered approach of multiple security mechanisms to protect against a specific threat or to reduce overall vulnerability.

Fourth, minimize the system elements you’re relying on. Security measures include people, operations, and technology. The system should be designed so that a minimum number of elements need to be trusted in order to maintain protection. Put all your eggs in one basket by isolating all critical content in one secure area (physical or virtual) instead of having multiple secure areas throughout the design. This way, you can focus on properly securing and testing a single critical area of the product instead of numerous disparate areas.

Finally, don’t implement unnecessary security mechanisms. Every security mechanism should support one or more defined goals. Extra measures should not be implemented if they do not support a goal because they could add unneeded complexity to the system and are potential sources of additional vulnerabilities.

KEYS TO THE KINGDOM

Understanding and evaluating the risks and threats against your product is the first step toward a successful secure hardware design. There are many combinations of potential vulnerabilities, and it’s impossible to prevent against all of them. The good news is that vendors have recognized the need for embedded security, and we’re starting to see ICs and modules that reflect that. The more you can spread the word to your colleagues about making secure products, the safer all of us will be.

I’ve just started to scratch the surface of the embedded security topic. In a future article, I’ll take a no-nonsense look at a wide variety of practical secure hardware design solutions that you can implement in your product.


REFERENCES

[1] D.G. Abraham et al., “Transaction Security System,” IBM Systems Journal, vol. 30, no. 2, 1991, www.research.ibm.com/journal/sj/302/ibmsj3002G.pdf.

[2] P. Kocher, “Crypto Due Diligence,” RSA Conference 2000.

RESOURCES

C.P. Pfleeger, Security in Computing, 2nd ed., Prentice Hall, 2000.

G. Stoneburner et al., “Engineering Principles for Information Technology Security (A Baseline for Achieving Security),” NIST Special Publication 800-27, June 2001, csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf.


AUTHOR

Joe Grand specializes in embedded system design, computer security research, and inventing new concepts and technologies. Joe holds a B.S.C.E. from Boston University. This article first appeared in Circuit Cellar 169, 2004.

Next-Generation 8-bit tinyAVR Microcontrollers

Microchip Technology recently launched a new generation of 8-bit tinyAVR microcontrollers. The four new devices range from 14 to 24 pins and 4 KB to 8 KB of flash memory. Furthermore, they are the first tinyAVR microcontrollers to feature Core Independent Peripherals (CIPs). The new devices will be supported by Atmel START, an innovative online tool for intuitive, graphical configuration of embedded software projects.

The new ATtiny817/816/814/417 devices provide features to help drive product innovation including small, low pin count and feature-rich packaging in 4 or 8 KB of flash memory. Other integrated features include:

  • A CIP called Peripheral Touch Controller (PTC)
  • Event System for peripheral co-operation
  • Custom programmable logic blocks
  • Self-programming for firmware upgrades
  • Nonvolatile data storage
  • 20-MHz internal oscillator
  • High-speed serial communication with USART
  • Operating voltages ranging from 1.8 to 5.5 V
  • 10-bit ADC with internal voltage references
  • Sleep currents at less than 100 nA in power down mode with SRAM retention

CIPs allow the peripherals, including serial communication and analog peripherals, to operate independently of the core. Together with the Event System, which allows peripherals to communicate without using the CPU, applications can be optimized at a system level. This lowers power consumption and increases throughput and system reliability.

Accompanying the release of the four new devices, Microchip is adding support for the new AVR family in Atmel START, the online tool to configure software components and tailor embedded applications. This tool is free of charge and offers an optimized framework that allows the user to focus on adding differentiating features to their application.

To help accelerate evaluation and development, a new Xplained Mini Kit is now available for $8.88 USD. The Xplained Mini Kit is also compatible with the Arduino kit ecosystem. The kit can be used for standalone development and is fully supported by the Atmel START and Atmel Studio 7 software development tools.

The new generation of 8-bit tinyAVR MCUs is now available in QFN and SOIC packaging. Devices are available in 4 KB and 8 KB Flash variants, with volume pricing starting at $0.43 for 10,000-unit quantities.

Source: Microchip Technology

Simplified Smart Home Device Creation with New Apple HomeKit Bluetooth Dev Kit

Dialog Semiconductor’s new offering is the first SoC on the market with dedicated hardware acceleration for HomeKit security operations, which ensures end-to-end application encryption, safeguarding personal information in transit. With the recent introduction of iOS 10, Apple HomeKit is now an integral part of iOS, including its dedicated app that creates an enhanced user experience. The Apple Home app is compatible not just with iPhone, but is also optimized for iPad and the Apple Watch running watchOS 3. With the app, an Apple TV or iPad can easily act as a smart home hub, enabling home control from anywhere.

The SmartBond DA14681 supports Bluetooth 4.2 to provide seamless connectivity, and smartly balances power efficiency and performance, with an integrated ARM Cortex M0 processor and expandable flash memory. A Power Management Unit (PMU) provides three independent power rails, in addition to an on-chip charger and fuel gauge, allowing the DA14681 to recharge batteries over a USB interface.

Its integrated topology streamlines development, minimizes BOM cost and enables the kit to consume less than five µA on standby. The development kit maximizes application space and flexibility, using a mere 170 KB of flash memory and provides 64 KB of RAM for apps to utilize, even allowing user defined profiles to further customize applications on top of pre-configured HomeKit profiles.

To give developers all of the tools they need to create next-generation IoT applications, the DA14681 development kit consists of the HomeKit SDK, Basic and Pro versions of the kit, and a flexible add-on board to interface with the separately available MFi chip. The new HomeKit development kit and add-on board are now available from Avnet, Digi-Key and Mouser.

Source: Dialog Semiconductor