Secure development processes for software have formed, developed, and matured in the past decade to the point where there are well-defined categories of security bugs and proven methods to find them. Secure hardware development, on the other hand, is essentially undefined at this point. Most developers of integrated circuits either do no hardware security validation or are secretive about their methods and findings.
This talk will document some pre- and post-silicon validation techniques by applying them to various open-source core designs. It will present a number of examples of actual Verilog security vulnerabilities along with the vulnerable code, and present methods of resolving them. It will conclude by generalizing several hardware security bug categories.
Joe (@securelyfitz) is an Instructor, Consultant, and Researcher at SecuringHardware.com. Joe specializes in low-cost attacks, hardware tools, and hardware design for security. He has a special knack for expressing hardware security concepts both to software security experts with no hardware background and to hardware experts with no security background. Joe holds a master's degree in Electrical Engineering and was previously a Security Researcher with Intel's Security Center of Excellence, where he conducted hardware penetration testing of desktop and server microprocessors and security validation training for functional validators worldwide.