About Hardware Security
Hardware security is an important element in cybersecurity, and is the foundation for protecting the safety of the entire system. In this guide, we define hardware security as the functionality that enables devices such as CPUs, FPGAs, SoCs, and ASICs that are booted on a board to start up normally, to be resistant to external attacks, and to be able to recover even if the boot image is rewritten, and we explain the thinking behind it and countermeasures.
The difference between hardware security and software security
Hardware security and software security have different approaches and roles. In software security, regular software updates and patching play a key role in maintaining the overall safety of the system, preventing attacks and malware from entering through the network.
On the other hand, hardware security utilizes security chips that store encrypted data to prevent unauthorized access and physical tampering, as well as secure boot functions that guarantee security at startup, making it possible for the device itself to build a strong defensive wall against attacks.
By combining hardware and software security, companies can build a "multi-layered defense" against cyber attacks and unauthorized access. To ensure that products operate normally no matter what happens, companies need to implement a balanced approach to both hardware and software security measures.
Why hardware-level security is needed
Hardware security is becoming increasingly important as technology grows more sophisticated. Attacks are no longer limited to software vulnerabilities; direct attacks on hardware boards are also on the rise, making comprehensive security measures essential. For example, companies shipping products to Europe are now required to comply with regulations following the entry into force of the EU's Cyber Resilience Act.
It's Really Happening! What are the Security Breaches that Software Can't Prevent?
Hardware-level security breaches in companies have emerged as one of the major issues in modern information security. When the hardware itself becomes the target of attacks, breaches that cannot be prevented by software security can occur, resulting in serious consequences such as major information leaks and business interruptions.
As specific examples, there have been reported cases where hard disks have been physically stolen or confidential data has been extracted by connecting unauthorized devices. Furthermore, there have been cases where products have been accessed physically and data has been destroyed or tampered with. These situations often occur due to insufficient security measures at the hardware level against physical access, which shows the seriousness of targeting hardware vulnerabilities.
EU Cyber Resilience Act and its Impact
The EU Cyber Resilience Act is having a major impact on corporate security measures. The bill aims to impose strict security standards on companies to improve their defenses against cyber attacks.
The EU Cyber Resilience Act is characterized by its broad scope compared to past security laws. It covers "any digital product that has a direct or indirect connection to other products or networks." Even if a module is used at the end of a product system, if its security is vulnerable, it can become the base of an attack on the entire system. For this reason, it is important to implement security measures not only for products that connect to networks, but also for products that do not directly connect to networks.
What does "resilience" mean in the EU Cyber Resilience Act?
What, then, does the "resilience" in the name of this act mean? We explain it using diagrams, based on how it differs from previous security measures.
The diagram below illustrates the traditional approach to security law. Traditionally, it was important to have a mechanism to prevent external attacks by installing a firewall around products connected to a network. This approach is based on the idea that a product is safe if software security measures are implemented. This can be called a security measure based on the so-called "perimeter defense."
Meanwhile, the concept behind the future "resilience" method is shown in the diagram below. It is premised on the assumption that products will be compromised in some way, whether because a firewall is breached by a malware infection, which has become commonplace in recent years, or because the product is attacked directly by a malicious third party.
The idea behind the future "resilience" law is that even if a breach occurs, the ability to recover from it, that is, "resilience," is required. In the United States, this is called zero trust. It is important to consider mechanisms that allow products to operate normally even in "environments where nothing can be trusted," such as when the product is attacked directly, as shown in the diagram above.
Based on this thinking, security measures at the software level alone are insufficient, and security measures at the hardware level are required. What is needed is a "resilience" function that allows a product to recover to normal operation on its own.
In other words, a paradigm shift in security concepts is occurring toward "multi-layered defense," which takes into account cases that cannot be handled by traditional "perimeter defense" and implements security measures at the hardware level in addition to software level security.
Advanced hardware security technologies and products
As the demand for advanced technology and the latest products grows, it is important to understand how leading hardware security technologies and products are evolving.
Several security chips on the market can provide security measures, such as TPMs and secure microcontrollers with TrustZone. Lattice FPGAs go a step further: because they can authenticate boot data before the devices on the board start up, they provide a higher level of security than a TPM or secure microcontroller alone. The rest of this guide therefore focuses on Lattice FPGAs.
Take a closer look at secure boot, boot data authentication and recovery, and unauthorized access monitoring and protection features enabled by Lattice FPGAs.
Lattice FPGA Hardware Security
Lattice FPGAs are advanced devices designed to provide advanced hardware security features. Lattice FPGAs have multiple security features that provide advanced protection against malicious tampering and other attacks. Key technologies include secure boot, boot data authentication and recovery, and unauthorized access monitoring and protection. These technologies are essential elements to ensure the reliability of main processing devices such as FPGAs, CPUs, SoCs, and ASICs that are booted on the board.
Secure boot
Lattice FPGAs are devices that can become the root of trust on their own by implementing secure boot for their own configuration. In particular, FPGAs with built-in configuration ROM have a mechanism that first boots securely on the board and then ensures the secure boot of other devices on the board. General security chips that call themselves root of trust are often unable to become the root of trust on their own. Therefore, Lattice FPGAs can be said to be the only device that functions as a hardware root of trust in the truest sense.
Boot data authentication and recovery function
Boot data authentication and recovery functions are essential to ensure security when each device on the board boots. Lattice FPGAs can authenticate whether the boot data of another device that is about to boot on the board is genuine or not by running numerical calculations using a security algorithm (NIST-CAVP certified algorithm) on the boot data of the device before booting the device. If authentication fails, the recovery function automatically works and copies the genuine boot data (Golden Image). The authentication process is then performed again and the device is booted.
One method of boot data authentication used by general security chips is to compare the boot data directly with a genuine copy (whitelist) stored in the TrustZone, without using an algorithm. When comparing security "robustness," however, a method that authenticates the validity of the boot data by running numerical calculations with a genuine algorithm recognized by a third party (NIST) can be said to provide more secure authentication than a process that simply checks the data against a whitelist.
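The following is an added example, not Lattice's code or the Sentry demo, that models the verify-then-boot flow described in the two paragraphs above: a root of trust authenticates the boot image of a downstream device before releasing it from reset, restores the Golden Image if authentication fails, re-authenticates, and refuses to boot anything if even the restored image fails. It also shows the plain whitelist comparison for contrast. HMAC-SHA256 from the Python standard library stands in for the NIST-approved verification a real design would implement (an asymmetric signature check would be the usual choice); the flash layout, key, image bytes and the `Flash` class are all constructed for the example.

```python
"""Verify-then-boot with golden-image recovery (added example; not Lattice's code)."""
import hashlib
import hmac

# Constructed stand-in for the boot image of a CPU/SoC held in external flash.
# A real root of trust would read this over SPI before releasing the device from reset.
GOLDEN_IMAGE = b"GENUINE-BOOT-IMAGE-v1.0" + bytes(range(64))
# Constructed authentication key held only by the root of trust. HMAC-SHA256
# (FIPS 198-1 / FIPS 180-4) stands in for the signature check a real design would use.
ROOT_KEY = b"\x11" * 32


def image_tag(image: bytes, key: bytes = ROOT_KEY) -> bytes:
    """Authentication tag over the whole image, computed with a NIST-approved algorithm."""
    return hmac.new(key, image, hashlib.sha256).digest()


# Tag provisioned at manufacture for the genuine image.
GOLDEN_TAG = image_tag(GOLDEN_IMAGE)


def authenticate_by_algorithm(image: bytes, expected_tag: bytes) -> bool:
    """Algorithmic check: recompute the tag and compare it in constant time."""
    return hmac.compare_digest(image_tag(image), expected_tag)


def authenticate_by_whitelist(image: bytes, whitelist: "list[bytes]") -> bool:
    """Plain comparison against stored known-good copies, as some security chips do."""
    return any(hmac.compare_digest(image, good) for good in whitelist)


class Flash:
    """Minimal model of the rewritable boot-image region (constructed for the example)."""
    def __init__(self, contents: bytes):
        self.contents = bytearray(contents)


def boot_with_recovery(flash: Flash, golden: bytes, expected_tag: bytes) -> str:
    """Authenticate the image in flash; on failure restore the golden image and retry once.

    Returns 'booted', 'recovered' (booted after restoring the golden image), or 'halted'
    (the restored image also failed, so nothing is allowed to start).
    """
    if authenticate_by_algorithm(bytes(flash.contents), expected_tag):
        return "booted"
    # Authentication failed: the recovery function overwrites flash with the golden image.
    flash.contents[:] = golden
    if authenticate_by_algorithm(bytes(flash.contents), expected_tag):
        return "recovered"
    # Fail closed: a corrupted or substituted golden image must not be booted either.
    return "halted"


def demo() -> dict:
    results = {}
    # Case 1: untouched image boots directly.
    results["intact"] = boot_with_recovery(Flash(GOLDEN_IMAGE), GOLDEN_IMAGE, GOLDEN_TAG)
    # Case 2: one byte of the boot image was rewritten; recovery restores the golden copy.
    tampered = bytearray(GOLDEN_IMAGE)
    tampered[40] ^= 0x01
    flash = Flash(bytes(tampered))
    results["tampered"] = boot_with_recovery(flash, GOLDEN_IMAGE, GOLDEN_TAG)
    results["flash_restored"] = bytes(flash.contents) == GOLDEN_IMAGE
    # Case 3: the golden image itself is bad, so the device must halt rather than boot.
    results["bad_golden"] = boot_with_recovery(Flash(bytes(tampered)), bytes(tampered), GOLDEN_TAG)
    # Whitelist comparison also rejects the tampered image, but needs a full copy of every
    # genuine image; the tag is 32 bytes regardless of image size and is bound to the key.
    results["whitelist"] = authenticate_by_whitelist(bytes(tampered), [GOLDEN_IMAGE])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The important design choice is the third case: when recovery cannot produce an image that authenticates, the device stays halted instead of booting whatever is in flash, which is what "resilience" requires rather than availability at any cost.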
Unauthorized access monitoring and protection
Monitoring and protection against unauthorized access are important elements of hardware security. Unauthorized access here refers to unintended access by devices on the board, such as the FPGA, CPU, SoC or ASIC, to the area where boot data is stored. Areas that may be rewritten and areas where reads and writes are blocked are designated in advance, and access to those areas is monitored continuously. If unauthorized access is detected, this function protects the boot data by raising an interrupt signal.
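As an added example (a model of the function described above, not Lattice's implementation), the following access monitor checks every bus access from the devices on the board against a pre-designated region map: a rewritable working image, a read-only Golden Image, and a blocked key store. Violations, including writes to the read-only area, any access to the blocked area, accesses that straddle a region boundary, and accesses to unmapped space, are refused and recorded as interrupt events. The 1 MiB flash layout, the region addresses and the access trace are all constructed for the example.

```python
"""Boot-region access monitor (added example; models the described function, not Lattice's code)."""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    REWRITABLE = "rw"    # e.g. working boot image: updates allowed
    READ_ONLY = "ro"     # e.g. golden image: may be read for recovery, never written
    BLOCKED = "none"     # e.g. key storage: no access from the monitored devices at all


@dataclass(frozen=True)
class Region:
    name: str
    start: int   # inclusive
    end: int     # exclusive
    policy: Policy


@dataclass
class AccessEvent:
    master: str
    op: str
    addr: int
    length: int
    region: str
    verdict: str


@dataclass
class AccessMonitor:
    """Checks every bus access against the pre-designated region map.

    Accesses that violate the policy, cross a region boundary, or hit unmapped
    space are refused and logged as interrupt events, mirroring the
    'raise an interrupt and protect the boot data' behaviour in the text.
    """
    regions: list
    interrupts: list = field(default_factory=list)

    def _region_for(self, addr: int, length: int):
        for r in self.regions:
            if r.start <= addr and addr + length <= r.end:
                return r
        return None  # unmapped, or the access straddles two regions

    def check(self, master: str, op: str, addr: int, length: int) -> bool:
        """Return True if the access is allowed; otherwise log an interrupt and return False."""
        if op not in ("read", "write"):
            raise ValueError("op must be 'read' or 'write'")
        region = self._region_for(addr, length)
        if region is None:
            verdict, name, allowed = "interrupt:unmapped-or-straddling", "<none>", False
        elif region.policy is Policy.BLOCKED:
            verdict, name, allowed = "interrupt:blocked-region", region.name, False
        elif op == "write" and region.policy is Policy.READ_ONLY:
            verdict, name, allowed = "interrupt:write-to-read-only", region.name, False
        else:
            verdict, name, allowed = "allowed", region.name, True
        if not allowed:
            self.interrupts.append(AccessEvent(master, op, addr, length, name, verdict))
        return allowed


# Constructed region map for a 1 MiB SPI flash: the layout and addresses are assumptions.
REGION_MAP = [
    Region("boot_image",   0x00000, 0x80000, Policy.REWRITABLE),
    Region("golden_image", 0x80000, 0xF0000, Policy.READ_ONLY),
    Region("key_store",    0xF0000, 0xF1000, Policy.BLOCKED),
]


def run_sample_traffic() -> AccessMonitor:
    """Replay a constructed access trace and return the monitor with its interrupt log."""
    mon = AccessMonitor(regions=REGION_MAP)
    mon.check("cpu", "read",  0x00000, 256)   # normal boot fetch: allowed
    mon.check("cpu", "write", 0x10000, 4096)  # firmware update into rewritable area: allowed
    mon.check("cpu", "read",  0x80000, 256)   # reading the golden image for recovery: allowed
    mon.check("cpu", "write", 0x80100, 16)    # overwriting the golden image: interrupt
    mon.check("soc", "read",  0xF0000, 32)    # reading the key store: interrupt
    mon.check("cpu", "write", 0x7FFF0, 32)    # write straddling boot/golden boundary: interrupt
    mon.check("cpu", "read",  0xF1000, 4)     # unmapped address: interrupt
    return mon


if __name__ == "__main__":
    for ev in run_sample_traffic().interrupts:
        print(f"{ev.verdict:36} {ev.master} {ev.op} @0x{ev.addr:05x} len={ev.length} ({ev.region})")
```

Treating a boundary-straddling access as a violation is deliberate: a write that begins in the rewritable area but runs into the Golden Image would otherwise defeat the read-only policy, and a hardware monitor that only looks at the start address would miss it.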
Lattice Security FPGA usage example
Lattice offers evaluation boards that allow easy verification of boot data authentication and recovery, and unauthorized access monitoring and protection functions.
This evaluation board, called the Sentry Demo Board, lets you perform authentication and other accesses to the devices on the board from Lattice's development tools. The results of the accesses you perform can be viewed easily in the tool.
When it comes to security features, seeing is believing. By checking out the actual demo, you will be able to get an immediate idea of what kind of security features can be implemented on the boards that are installed in your products.
If you would like to see the security features of the Sentry Demo Board, please fill out the necessary information in the inquiry form below and select "Demo video request." If you have any other questions about this article, please contact us using the button below.
Summary: The Importance of Hardware Security and Future Outlook
Hardware security is an essential element in the modern cybersecurity environment. This article comprehensively covers everything from the basics to specific countermeasures and advanced technologies. In modern IT environments, security measures at the hardware level as well as software are extremely important. A wide range of measures are required, including physical access control, use of security chips, and hardware vulnerability management.
It is important to use this article as a reference to review your company's hardware security measures and consider concrete actions to strengthen them. We recommend that you start considering practical measures, especially physical access control to devices. It is also beneficial to seek the advice of experts. Introducing advanced security technologies will help you create a more secure environment.
The security environment of the future will require us to deal with more advanced threats. Don't forget to continually learn and update to keep up with the latest technologies and regulations. In particular, research and development to deal with new threats and attack methods is essential. With an eye on the future outlook for security, we must take measures that need to be taken now to maintain a safe and reliable system.