Security is becoming increasingly important in a variety of applications including smartphone accessories, smart meters, personal health monitoring, remote control, and access systems. To protect revenue and customer privacy, OEMs must use security technology to harden the system against attack. Many of these applications will see millions of devices deployed, and the challenge for engineers is to find the best balance of security without severely impacting system cost or reliability. Key considerations include protecting the transmission of sensitive data, preventing the MCU application code and secure data from being read, preventing physical attacks on the MCU, maximizing power efficiency, and supporting security upgrades so that the device remains resilient to future threats.
Security devices must be able to safely store sensitive information as effectively as a bank vault. This information includes the actual data exchanged (such as a customer’s credit card number or a record of when and how much electricity was used) as well as any encrypted data (such as security keys and passwords) that secures the communication channel.
The latest low-power microcontrollers (MCUs) integrate the performance and features needed to reduce cost and power consumption in security applications, helping developers improve security in low-power designs. In addition, they use non-volatile FRAM instead of EEPROM or flash to provide a robust, unified memory architecture that simplifies secure system design.
The advantages of FRAM
FRAM offers superior retention and endurance compared to traditional flash-based systems. In flash memory, data is stored as the charge state of a floating-gate transistor (e.g. on or off). When writing to flash, the corresponding block must be erased and then written. This process physically damages the flash cells over time, eventually causing the transistors to fail to hold charge reliably.
To maximize the lifespan of flash memory, techniques such as wear leveling are often deployed to spread usage across blocks and avoid premature corruption of heavily used blocks. Flash system reliability must still be evaluated carefully, because the endurance specification reflects an average failure rate, and any individual block may last longer or shorter than that figure. In addition, retention degrades as the endurance limit is approached, because retention is specified relative to the wear on each memory element.
Figure 1: Model of the FRAM PZT molecule
In contrast, FRAM stores data in the polarization state of the material. Because writing does not wear the cell, FRAM has near-indefinite retention and endurance. For applications such as mobile payment systems that must perform 20,000 to 40,000 transactions over the life of the device, endurance and reliability are not a concern with FRAM.
The high endurance of FRAM is also relevant to the security of some applications. For example, to improve communication security, a new key may need to be generated for each new transmission. With flash and EEPROM, this approach must take the endurance limits of the memory into account. Using FRAM eliminates the need to consider the impact of key change frequency on memory endurance.
In addition to preventing unauthorized reading and writing of application data and encryption keys, the system must also prevent malicious tampering with parameters that could expose sensitive information, and even physical attacks on the MCU itself. MCUs are vulnerable to a range of attacks that result in the extraction of data, application code or security keys stored in memory.
In many cases, the purpose of an MCU attack is to alter the data stored on the device. For example, usage data on an automatic meter may be modified to show lower actual usage, resulting in lower monthly bills. Generally speaking, attackers do not modify the collected data directly, but modify the application code itself. To achieve this, they must first obtain an image of the application code, reverse engineer it, and then successfully overwrite it in the system with the modified version.
Figure 2: TI’s MSP430FR59xx MCUs are built on an ultra-low-power “Wolverine” technology platform that uses non-volatile FRAM instead of EEPROM or flash to provide a highly robust unified memory architecture that simplifies secure system design
Numerous methods have emerged to force systems to reveal confidential information and even their application code. For example, a glitch attack can cause a faulty operation that puts the system into an unpredictable state in which it outputs a security key or a block of application code. Attackers can also physically attack the system, decapsulate the MCU or use optical means to induce a malfunction. Not all of the following attack scenarios apply to every application; which attacks are likely depends on the application and the value of the data at risk.
- Mechanical probing: Although mechanical probing of EEPROMs is difficult, it can be done from the back side of the IC in a way that destroys neither the floating gate nor the bit cell data. In contrast, the polarization state of FRAM can only be detected when the circuit is intact.
- Power analysis: Simple Power Analysis (SPA) and Differential Power Analysis (DPA) are specialized techniques for measuring an MCU's electromagnetic emissions or power consumption and building profiles that reveal what is going on inside the MCU. EEPROM and flash require charge pumps operating at 10 to 14 V, which makes their activity relatively easy to detect. FRAM's extremely fast read and write speeds (under 50 ns and 200 ns, respectively) and low operating voltage (1.5 V) make it extremely difficult to mount a successful SPA- or DPA-based attack.
- Microscopy: Atomic Force Microscopy (AFM) and Scanning Kelvin Probe Microscopy (SKPM) have been shown to detect floating-gate charge levels in EEPROMs after back-side stripping, thereby revealing the data stored in memory locations or transmitted on data lines.
- Voltage tampering: This type of attack has targeted EEPROM and flash memory devices for many years, particularly in phone card fraud. It forces the programming of bit cells by driving the device's supply voltage outside its specified range. It is very difficult to provide undervoltage and overvoltage protection circuitry that can react within the time an EEPROM bit cell needs to complete programming. FRAM's read and write times, however, are fast and thus provide protection against voltage tampering attacks.
- Optical tampering: There is evidence that EEPROM bit cells can have their data values modified by an optical fault induction attack. Neither laser nor UV radiation affects FRAM bit cells (ignoring strong photothermal effects), so FRAM-based devices are safe from this type of attack.
- Radiation: Alpha particles can cause bit flips in EEPROM. The FRAM architecture has been proven to be immune to alpha particles and other sources of radiation. Furthermore, due to its ferroelectric properties, FRAM is also unaffected by magnetic fields.
Figure 3: Susceptibility of FRAM and EEPROM to the attacks listed above
Countermeasures exist for many of these attacks on flash and EEPROM ICs. However, they are often too costly to implement relative to the value of a single attack instance and the data compromised on a single device. In addition, these countermeasures can increase power requirements and application design complexity, which can reduce overall system reliability. Because FRAM provides inherent resilience against these different types of attacks, it has a more positive impact on security applications than flash and EEPROM, reducing design complexity and eliminating the overhead of implementing countermeasures.
FRAM, with its fast signals and polarization-based storage, provides stronger protection for sensitive code and data than flash and EEPROM. FRAM memory blocks can also be configured with different access rights to further protect the system: read-only for constants such as the font used by the LCD, read-write for variables, and read-and-execute for application code only. The use of access rights not only improves application stability and prevents unintentional misuse of memory, but also provides protection against deliberate attacks on the system.
In addition, FRAM memory management provides another layer of memory security through the IP envelope, allowing developers not only to define protected memory segments but also to partition the application's functionality. Direct read and write access to a protected segment is only possible from code executing within that same envelope segment. The only way for code in an unprotected segment to reach the envelope segment is therefore to call a function inside the protected segment. In particular, code that handles security keys and data can be isolated from the rest of the application through this encapsulation, so that even if the application code is somehow compromised, the secure parts of the system are not exposed. External JTAG access to the protected segment is also not allowed. It is important to note, however, that any design must combine this with software measures such as secure gated entry points and multiple checks in order to reach this level of security. This practical hardware feature can have far-reaching benefits, but it is not a foolproof solution on its own.
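To make the access-rights and IP-envelope rules above concrete, here is an added example (not TI's code) that models them in C: a constructed memory map with four segments and a checker that applies the read/write/execute rights, the same-segment rule for the encapsulated segment, and the JTAG exclusion. The addresses and segment sizes are assumptions for the model, not the real MSP430FR59xx memory map.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Access kinds; PERM_IPE marks an encapsulated (IP-envelope) segment. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4, PERM_IPE = 8 };
#define PC_JTAG 0xFFFFFFFFu   /* sentinel: the access is issued by the external debugger */

typedef struct { uint32_t base, size; unsigned perm; } segment_t;

/* Constructed memory map for the model; not the real MSP430FR59xx layout. */
static const segment_t segs[] = {
    { 0x4400, 0x0400, PERM_R },                             /* LCD font: read-only constants */
    { 0x4800, 0x0800, PERM_R | PERM_W },                    /* variables: read-write */
    { 0x5000, 0x2000, PERM_R | PERM_X },                    /* application code: read/execute */
    { 0x7000, 0x0800, PERM_R | PERM_W | PERM_X | PERM_IPE } /* key-handling code and keys: encapsulated */
};

static const segment_t *find_seg(uint32_t addr) {
    for (size_t i = 0; i < sizeof segs / sizeof segs[0]; i++)
        if (addr >= segs[i].base && addr < segs[i].base + segs[i].size) return &segs[i];
    return NULL;   /* unmapped address */
}

/* Returns true if code executing at 'pc' may perform access 'want' (one of
 * PERM_R / PERM_W / PERM_X) on 'addr'. The segment's rights are checked first.
 * An encapsulated segment then admits data accesses only from code already
 * inside it, so the only way in from outside is to execute (call) one of its
 * functions, and JTAG gets no access to it at all. */
bool access_allowed(uint32_t pc, uint32_t addr, unsigned want) {
    const segment_t *s = find_seg(addr);
    if (s == NULL || (s->perm & want) != want) return false;
    if (s->perm & PERM_IPE) {
        if (pc == PC_JTAG) return false;
        if (find_seg(pc) != s) return want == PERM_X;   /* gated entry only */
    }
    return true;
}
```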
Portable applications with wireless connectivity need to be designed with power efficiency in mind. Encrypted channels, for example, can significantly increase transaction overhead because of the handshake and authentication processes involved, which extend not only the radio's active time but also the CPU's. With slow memory technologies such as flash or EEPROM, an over-the-air update can run for seconds at a constant current in excess of 10 mA, which has a very negative impact on the battery.
The high efficiency of the integrated AES 256 encryption engine enables engineers to deliver encryption functions that consume one-tenth of the energy previously required. In addition, FRAM's faster access speed and lower power requirements mean that recording a unit of data in encrypted form before transfer consumes approximately 250 times less energy.
To put these numbers in perspective, consider low-power devices that perform over-the-air updates. Because these devices normally draw so little power, a single update can consume up to a month of battery life with EEPROM or flash memory. An equivalent system with FRAM uses less than a quarter of a day of battery life.
Figure 4: TI MSP430FR59xx MCUs provide memory protection and IP envelope with FRAM memory management
The high efficiency of FRAM also improves power and memory usage during normal operation. Flash and EEPROM must erase and reprogram an entire block to change any of its contents. Therefore, to change a single bit of a system identifier, the entire 256-byte block must be read out of flash, erased, and written back. With FRAM, developers have bit-level access to the entire memory.
Finally, because of the read, erase, and write sequence of EEPROM and flash, developers must mirror data in redundant memory blocks to ensure data integrity in the event of power loss. FRAM can instead guarantee write operations with on-chip capacitors that ensure there is sufficient energy to complete the write in progress. Thanks to FRAM's extremely fast write speed and lower current, the capacitors are small enough to be integrated on the MCU, and no mirroring is needed.
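The mirroring that flash and EEPROM designs need, as described above, is shown here as an added C example that is not part of the original article: two redundant copies of a record, each carrying a sequence number and a checksum, so that a write torn by power loss leaves the previous copy intact and recoverable. The two slots are simulated in RAM and the checksum is a simple FNV-1a; both are constructed for the model, and a real flash implementation would erase and program the target block instead of assigning to it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One mirrored record: a monotonically increasing sequence number, the payload,
 * and a checksum so a half-written copy (power lost mid-write) is recognisable. */
typedef struct { uint32_t seq; uint32_t value; uint32_t crc; } record_t;

static record_t slots[2];   /* stand-ins for two redundant flash blocks */

static uint32_t checksum(const record_t *r) {   /* FNV-1a over seq and value */
    const uint8_t *p = (const uint8_t *)r;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < offsetof(record_t, crc); i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

void mirror_init(void) { memset(slots, 0xFF, sizeof slots); }   /* both blocks erased */

/* Return the newest intact copy, or NULL if neither block holds a valid record. */
const record_t *mirror_read(void) {
    const record_t *best = NULL;
    for (int i = 0; i < 2; i++)
        if (slots[i].crc == checksum(&slots[i]) && (best == NULL || slots[i].seq > best->seq))
            best = &slots[i];
    return best;
}

uint32_t mirror_value(void) { const record_t *r = mirror_read(); return r ? r->value : 0; }

/* Build the next record and pick the block NOT holding the newest copy, so the
 * previous copy stays untouched until the new one is completely written. */
static int prepare(uint32_t value, record_t *out) {
    const record_t *cur = mirror_read();
    out->seq = cur ? cur->seq + 1 : 1; out->value = value; out->crc = 0;
    out->crc = checksum(out);
    return (cur == &slots[0]) ? 1 : 0;
}

void mirror_write(uint32_t value) { record_t r; slots[prepare(value, &r)] = r; }

/* Simulate a write interrupted by power loss: the target block was erased and
 * only the first word landed, so its checksum cannot match. */
void simulate_torn_write(uint32_t value) {
    record_t r; int t = prepare(value, &r);
    memset(&slots[t], 0xFF, sizeof slots[t]);
    memcpy(&slots[t], &r, sizeof r.seq);
}
```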
Figure 5: FRAM in TI MSP430FR59xx MCUs provides power management benefits for over-the-air firmware upgrades
The higher power efficiency of FRAM can be used to extend battery life. Alternatively, because these devices can store more data at lower power than with EEPROM or flash, developers can choose larger data buffers or event logs. This lets equipment check in less often, reducing how frequently radios or other power-hungry communication channels must be used.
Given the growing trend towards connected devices, integrating security into MCUs is becoming a common requirement. OEMs can protect customer information, and their own intellectual property, by preventing, detecting, and responding appropriately to malicious behavior outside the device's intended operating range, preventing data exposure, preventing application code from being overwritten, providing secure communication channels for the exchange of sensitive data, and more.
The high-efficiency architecture of FRAM MCUs integrates hardware that reduces software complexity and simplifies secure system design without compromising data integrity or reliability, while reducing power consumption. In this way, the security of low-power applications can be taken to a whole new level at low cost.
About the Author
Jacob Borgeson is currently FRAM Product Marketing Manager in the Texas Instruments MSP430™ MCU product department, with 5 years of microcontroller and power optimization experience. He has previously written and published articles on energy harvesting, low-power trends, and wireless sensing and personal medical monitoring applications. Borgeson graduated from Texas Tech University with a bachelor's degree in electrical engineering and a master's degree in business administration.