Dynamic security protection in configurable analog signal chains

Document No.: 441116 Publication date: 2021-12-24

Reading note: This technology, Dynamic security protection in configurable analog signal chains, was designed and created by 维拉马尼坎达恩·拉朱, 阿南德·库马尔·G and 克里丝蒂·莉·佘 on 2020-04-06. Main content: The present invention relates to a system and method for dynamic defense against security breaches in reconfigurable signal chains. The system comprises a signal chain formed by at least one first component (201) connected to a second component (202). The first component (201) has a set of source outputs and a first authentication block (221), and the second signal chain component (202) has a set of destination inputs and a second authentication block (222). The system also includes a signal chain configurator that populates the first authentication block (221) with at least one verified endpoint from the set of destination inputs. A signal chain integrity block (210) communicatively coupled with the first authentication block (221) and the second authentication block (222) identifies a source-destination pair from one or more endpoint pairs formed by the at least one verified endpoint and the set of source outputs. The signal chain integrity block (210) propagates the source-destination pair to the first authentication block (221) and the second authentication block (222). The second authentication block authenticates any received input using the source-destination pair.

1. A method, comprising:

receiving one or more verified endpoints into a first component in a signal chain formed by at least the first component connected to the second component, wherein the first component includes a set of source outputs and a first authentication block, wherein the second component includes a set of destination inputs and a second authentication block, and wherein the one or more verified endpoints are selected from the set of destination inputs;

associating each of the one or more authenticated endpoints with a source output from the set of source outputs to form a set of endpoint pairs;

identifying source-destination pairs from the set of endpoint pairs;

propagating the source-destination pair to the first authentication block and the second authentication block;

authenticating at least a portion of the signal chain based on the source-destination pair; and

authenticating the received input based on the source-destination pair.

2. The method of claim 1, further comprising:

generating an interrupt in response to determining that the received input is not authenticated.

3. The method of claim 1, further comprising:

resetting one or more components of the signal chain in response to detecting a security error.

4. The method of claim 1, wherein the set of destination inputs includes at least two verified endpoints for the first component, the method comprising:

at least one second endpoint pair is formed by the set of source outputs and the at least two verified endpoints.

5. The method of claim 1, wherein the set of components includes a third component having at least one of a source output and a destination input, the method further comprising:

receiving a third source-destination pair including the third component into a third authentication block of the third component.

6. The method of claim 5, further comprising:

authenticating at least a second portion of the signal chain based on the third source-destination pair.

7. The method of claim 1, further comprising:

reconfiguring the signal chain during runtime in response to a failure to authenticate the signal chain.

8. The method of claim 1, further comprising:

reconfiguring the signal chain during a startup time in response to a failure to authenticate the signal chain.

9. A system, comprising:

a signal chain formed of a set of components, wherein the set of components includes at least a first component connected with a second component, wherein the first component has a set of source outputs and a first authentication block, and wherein the second signal chain component has a set of destination inputs and a second authentication block;

a signal chain configurator in communication with the first authentication block, wherein the signal chain configurator populates the first authentication block with at least one verified endpoint selected from the set of destination inputs;

a signal chain integrity block in communication with at least the first authentication block and the second authentication block, wherein the signal chain integrity block is configured to identify a source-destination pair from one or more endpoint pairs formed by the at least one verified endpoint and the set of source outputs, and wherein the signal chain integrity block is configured to propagate the source-destination pair to the first authentication block and the second authentication block; and

wherein the second authentication block authenticates any received input using the source-destination pair.

10. The system of claim 9, wherein the first authentication block further comprises a first programmable register, and wherein the first programmable register stores the at least one verified endpoint and a corresponding source output.

11. The system of claim 9, wherein the signal chain configurator further comprises a data structure storing the at least one verified endpoint, and wherein the data structure associates each of the at least one verified endpoint with a corresponding source output from the set of source outputs.

12. The system of claim 11, wherein the data structure is an endpoint table.

13. The system of claim 9, wherein the set of destination inputs and the set of source outputs are general purpose input output pins.

14. The system of claim 9, wherein the first component further comprises one or more destination inputs, and wherein the second component further comprises one or more source outputs.

15. The system of claim 9, wherein the set of components includes a third component, and wherein the third component has at least one of a source output and a destination input, and a third authentication block in communication with the signal chain configurator and the signal chain integrity block.

16. The system of claim 9, further comprising a set of drivers configured to program at least the first component with the at least one verified endpoint.

17. The system of claim 16, further comprising a peripheral firewall between the set of drivers and the set of components.

18. The system of claim 9, further comprising a system configuration tool communicatively coupled with the signal chain configurator, wherein the system configuration tool receives user-generated data identifying the at least one authenticated endpoint.

19. The system of claim 9, wherein the bank component includes a comparator configured to receive a bank select signal and a multiplexer signal masking the bank select signal, wherein the multiplexer signal authenticates an output of the comparator.

20. The system of claim 19, wherein the first authentication block and the second authentication block are each configured to generate the multiplexer signal.

Background

The present disclosure relates to dynamically protecting configurable analog signal chains from security breaches.

The Internet of Things (IoT) is a network that allows interaction and exchange of data via attached devices. Given the increased sensing and processing load of IoT-enabled devices, their security is crucial. Next generation IoT nodes with sensing nodes implement reconfigurable signal chain combinations with multiple analog components, such as analog-to-digital converters (ADCs), digital-to-analog converters (DACs), comparators (COMPs), reference voltages and/or currents (REFs), operational amplifiers (OPAMPs), etc., to ensure sensing is enabled to the cloud. While there are methods available for protecting data originating from analog signal chains using next generation advanced reduced instruction set computing machine (ARM) based devices, end nodes still lack the ability to prevent erroneous signal chain formation or unauthorized access to sense/actuator data via analog signal chains. Currently, there is no system or method available for interacting with hardware to perform dynamic runtime integrity checking between signal chain inputs/outputs or across components/input-output pins in a given system-on-a-chip (SoC).

Fig. 1 generally illustrates a conventional analog signal chain (100) including OPAMP (101), ADC (102), COMP (103), DAC (104), and VRef (105). The COMP (103) receives multiple inputs, namely an input (106) from OPAMP (101), an input (107) from a source external to the SoC, another input (108) from DAC (104), and an input (113) from VRef (105). These connections between the various components of the signal chain (100) are typically wired.

The signal chain (100) is susceptible to intrusion and/or failure if any of the components are damaged. For example, if the signal chain (100) is implemented in an IoT system, where the outputs (109, 110) from COMP (103) are used as control signals to open the door, the validity of the outputs (109, 110) depends on valid undamaged inputs. If the DAC (104) output (108) is compromised, the COMP (103) may inadvertently activate the gates, posing a security risk not only in the analog signal chain, but also in the overall system.

Because the signal chain (100) is pre-wired and fixed, signal chain integrity needs to be established at run-time and/or boot-time. Also, because software reconfigurable signal chains are an emerging diversification in the microcontroller space, there is also a need to reconfigure analog signal chains locally and remotely.

Disclosure of Invention

Novel aspects of the present disclosure relate to a method for dynamically authenticating a signal chain formed by a set of components including a first component and a second component. In a signal chain formed by at least a first component connected to a second component, the first component including a set of source outputs and a first authentication block, and the second component including a set of destination inputs and a second authentication block, one or more verified endpoints are received into the first component. The one or more verified endpoints are selected from the set of destination inputs. Each of the one or more verified endpoints is associated with a source output from the set of source outputs to form a set of endpoint pairs, and then a source-destination pair is identified from the set of endpoint pairs. The source-destination pair is propagated to the first authentication block and the second authentication block. At least a portion of the signal chain is authenticated based on the source-destination pair, and received input is authenticated based on the source-destination pair.

Novel aspects of the present disclosure also relate to a system for dynamically authenticating a signal chain. The system includes a signal chain formed by at least a first component connected to a second component. The first component has a set of source outputs and a first authentication block, and the second signal chain component has a set of destination inputs and a second authentication block. The system also includes a signal chain configurator that populates the first authentication block with at least one verified endpoint from the set of destination inputs. A signal chain integrity block communicatively coupled with the first authentication block and the second authentication block identifies a source-destination pair from one or more endpoint pairs formed by the at least one verified endpoint and the set of source outputs. The signal chain integrity block propagates the source-destination pair to the first authentication block and the second authentication block. The second authentication block authenticates any received input using the source-destination pair.

Drawings

FIG. 1 illustrates a prior art analog signal chain formed from a collection of interconnected analog components.

FIG. 2 illustrates an exemplary analog signal chain formed from a collection of interconnected analog components.

FIG. 3 illustrates an exemplary system having an analog signal chain formed from a collection of analog components.

Fig. 4 depicts an exemplary comparator in an analog signal chain.

Fig. 5 illustrates an exemplary authentication register for an authenticated destination input (authenticated endpoint) in a comparator.

FIG. 6 illustrates an exemplary status register for a valid destination input (verified endpoint) in a comparator.

Fig. 7 depicts an exemplary flow diagram for dynamically authenticating an analog signal chain.

Fig. 8 depicts an exemplary flow diagram for dynamically resetting an analog signal chain.

Detailed Description

As used herein, the term "analog component" means an analog design block capable of performing an analog function. Examples of analog components may include the previously mentioned ADC, DAC, COMP, REF, and OPAMP. The term "analog signal chain" refers to a collection of interconnected analog components and, in some examples, to input-output pins. For example, an analog signal chain may be formed by COMP connected to a DAC. The term "endpoint" refers to an input to a destination component. In an exemplary analog signal chain formed by the connection between the output of COMP (i.e., the source output) and the input of the DAC (i.e., the destination input), the endpoint is the input to the DAC. The term "verified endpoint" refers to an endpoint that has been pre-programmed to be valid. In a non-limiting embodiment, the endpoints programmed into the "endpoint table" are verified endpoints selected from a set of destination inputs. Examples of endpoint tables are described in more detail in the following paragraphs. The term "endpoint pair" refers to the pairing of a verified endpoint with its corresponding source output. In the exemplary signal chain formed by COMP and DAC, the endpoint pair is the output of COMP and the input of DAC. The term "source-destination pair" refers to two signal chain components connected by an endpoint pair. The source-destination pair in the foregoing example is COMP-DAC.

Various embodiments implementing novel aspects of reconfigurable signal chains are described herein. For example, one embodiment provides a hardware mechanism and related method that dynamically authenticates signal chain formation at runtime to ensure that no snooping or incorrect signal chain formation occurs. Another embodiment provides a hardware mechanism to confirm at runtime that the signal chain component is authorized to negotiate a data exchange. In the event of conflicting or invalid authentications, hardware may be enabled to issue security alerts to the system to take necessary recovery actions. Yet another embodiment provides a hardware mechanism that will confirm at runtime whether the necessary input/output configuration is valid for a signal chain that has a direct connection to a module external to the SoC.

FIG. 2 illustrates generally an analog signal chain in accordance with an illustrative embodiment. The analog signal chain (200) includes a collection of interconnected analog components, namely OPAMP (201), ADC (202), COMP (203), DAC (204), and VRef (205). The connections between the components are shown by arrows pointing in the direction from the source component to the destination component. It should be noted that although fig. 2 depicts analog components, digital circuits and digital components may be included in the signal chain (200). In addition, VRef (205) may be replaced by a reference current IRef.

Each signal chain component includes an authentication block that facilitates authenticating connections between signal chain components and reconfiguring one or more signal chains (or portions of signal chains) in response to detecting a security threat or error condition. In a non-limiting embodiment, the authentication block includes a data register that associates each of the authenticated endpoints with a corresponding source output. An exemplary data register is depicted in fig. 5 below. With particular reference to fig. 2, OPAMP (201) has an authentication block (221), ADC (202) has an authentication block (222), comparator (203) has an authentication block (223), DAC (204) has an authentication block (224), and VRef (205) has an authentication block (225). Each authentication block is communicatively coupled to a signal chain integrity block (210) to allow transmission of output signals (211) and reception of input signals (212). The output signal (211) provides data identifying verified endpoints associated with a given source output of a signal chain component to the signal chain integrity block (210), and the input signal (212) provides information (e.g., source-destination pairs) that can be later used to authenticate the signal and/or reconfigure the signal chain.

In one embodiment, verified endpoint references are programmed into the authentication block with an endpoint table that can be populated by the user. For example, a user may interact with the system configuration tool shown in fig. 3 to identify one or more verified endpoints from a set of destination inputs and any corresponding source inputs. An example of an endpoint table is depicted in table 1, populated with data derived from the system in fig. 3.

Table 1. Exemplary endpoint table

Referring to fig. 3, the DAC (314) includes connectors D1, D2, D3, and D4, which may be used as source outputs or destination inputs. Likewise, COMP (316) includes connectors C1, C2, C3, and C4, which may also be used as source outputs or destination inputs. A user who decides that the source output D1 of DAC (314) should be connected to the destination input C3 of COMP (316) fills in the first row of the endpoint table accordingly, as shown above. By identifying C3 as the destination input of D1, the endpoint is verified. Likewise, the user may specify that the source output D3 of DAC (314) should be connected to the destination input C4 of COMP (316) and modify the endpoint table as appropriate. The process is repeated as necessary for each signal chain component. In table 1, the endpoint pairs are formed between source outputs and destination inputs originating from signal chain components; however, in alternative embodiments, the source output and/or destination input may be General Purpose Input Output (GPIO) pins or fixed function peripheral pins. Additionally, although the endpoint table is described in a table format, other data structures may be implemented.

When a security breach is detected, a user may invalidate one or more endpoints by deleting the destination entries corresponding to the breached analog block from the endpoint table. Modifying the endpoint table makes it possible to reconfigure and reset at least a portion of the signal chain during runtime, which ensures the integrity of the analog chain.

The data stored in the endpoint table may be programmed into the various authentication blocks (221-225) by drivers assigned to their respective signal chain components. For example, referring again to fig. 3, the DAC driver (304) may program C3 as the verified endpoint (i.e., destination input) of the source output D1. In another embodiment, a single linked driver of the SoC may be responsible for programming verified endpoints into the various authentication blocks. Additional details regarding the programming of the authentication block are provided in the discussion of figs. 3-6.

Referring back to fig. 2, the signal chain integrity block (210) obtains verified endpoints from each of the signal chain components through their respective output signals (211) and determines the source output of each, identifying the endpoint pairs. In a non-limiting embodiment, the signal chain integrity block (210) obtains verified endpoint information from registers, an example of which is shown in fig. 5. The signal chain integrity block (210) also identifies source-destination pairs from endpoint pairs and maintains data structures to store that information. Exemplary data structures maintained by the signal chain integrity block (210) are provided in table 2 below.

Table 2. Exemplary source-destination pair table

| Source-destination | Endpoint pairs |
| --- | --- |
| DAC-COMP | D1-C3, D3-C4 |
| COMP-DAC | C2-D2, C3-D4 |
| ADC-REF | A1-R3 |
| REF-COMP | R2-C3, R2-C4 |

The signal chain integrity block (210) may then propagate the source-destination pairs throughout the signal chain. In one embodiment, a source-destination pair is selectively transmitted to only two components identified in the source-destination pair; however, in another embodiment, each source-destination pair is transmitted to each signal chain component.

An authentication block in each of the components stores source-destination pairs to identify the respective source output to which its destination input may receive information. When the component receives an input during runtime, the component can determine whether the input is from a valid source and authenticate or reject the input based on the stored source-destination pairs. Thus, in at least one embodiment, the signal chain component authenticates and processes inputs received with the authentication block. The signal chain component may inform the application level or the software level whether an error was encountered during authentication.
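
The table logic described above, as an added example that is not code from the patent or its authors: a C model that holds the endpoint pairs of Table 2, derives source-destination pairs from them, authenticates an input against the stored pairs, and invalidates entries for a breached component. The function names, the rule that a pin's first letter identifies its component, and the choice to drop every pair that touches the breached component are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* One endpoint pair: a source output and the verified destination input
 * (endpoint) it is allowed to drive. */
struct endpoint_pair {
    const char *src;   /* source output pin, e.g. "D1" */
    const char *dst;   /* verified endpoint, e.g. "C3" */
    int valid;         /* cleared when the entry is deleted */
};

/* Constructed sample data: the endpoint pairs listed in Table 2. */
static struct endpoint_pair endpoint_table[] = {
    {"D1", "C3", 1}, {"D3", "C4", 1},   /* DAC  -> COMP */
    {"C2", "D2", 1}, {"C3", "D4", 1},   /* COMP -> DAC  */
    {"A1", "R3", 1},                    /* ADC  -> REF  */
    {"R2", "C3", 1}, {"R2", "C4", 1},   /* REF  -> COMP */
};
#define N_PAIRS (sizeof endpoint_table / sizeof endpoint_table[0])

/* Assumption: the first letter of a pin name identifies its component. */
static const char *component_of(const char *pin)
{
    switch (pin[0]) {
    case 'D': return "DAC";
    case 'C': return "COMP";
    case 'A': return "ADC";
    case 'R': return "REF";
    default:  return "";   /* unknown pin: matches no component */
    }
}

/* Integrity block: count the valid endpoint pairs that link src_comp to
 * dst_comp. A non-zero count means the source-destination pair exists. */
int endpoint_pairs_between(const char *src_comp, const char *dst_comp)
{
    int n = 0;
    for (size_t i = 0; i < N_PAIRS; i++) {
        const struct endpoint_pair *p = &endpoint_table[i];
        if (p->valid && strcmp(component_of(p->src), src_comp) == 0 &&
            strcmp(component_of(p->dst), dst_comp) == 0)
            n++;
    }
    return n;
}

/* Authentication block of the destination: accept an input only if the
 * exact (source output, destination input) pair is still in the table. */
int authenticate_input(const char *src_pin, const char *dst_pin)
{
    for (size_t i = 0; i < N_PAIRS; i++) {
        const struct endpoint_pair *p = &endpoint_table[i];
        if (p->valid && strcmp(p->src, src_pin) == 0 &&
            strcmp(p->dst, dst_pin) == 0)
            return 1;
    }
    return 0;   /* default deny: anything not listed is rejected */
}

/* Breach response: invalidate every entry that touches the breached
 * component (assumed policy) and return how many entries were removed. */
int revoke_component(const char *comp)
{
    int n = 0;
    for (size_t i = 0; i < N_PAIRS; i++) {
        struct endpoint_pair *p = &endpoint_table[i];
        if (p->valid && (strcmp(component_of(p->src), comp) == 0 ||
                         strcmp(component_of(p->dst), comp) == 0)) {
            p->valid = 0;
            n++;
        }
    }
    return n;
}

int main(void)
{
    printf("DAC-COMP pairs: %d\n", endpoint_pairs_between("DAC", "COMP"));
    printf("D1->C3: %d\n", authenticate_input("D1", "C3"));
    printf("D1->C4: %d\n", authenticate_input("D1", "C4"));
    printf("revoked: %d\n", revoke_component("DAC"));
    printf("D1->C3 after revoke: %d\n", authenticate_input("D1", "C3"));
    return 0;
}
```

The check is on the exact pin pair, so D1 driving C4 is rejected even though DAC-COMP is a valid source-destination pair.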

Fig. 3 illustrates an extended system (300) for dynamic security authentication of an analog signal chain including the signal chain (200) of fig. 2. The system (300) includes a software layer having a signal chain configurator (301) that maintains an endpoint table (302) that can be populated by a user interfacing with a system configuration tool (303). In a non-limiting embodiment, the system configuration tool (303) is maintained separate from the software layer, such as in the cloud.

The signal chain configurator (301) programs registers in the authentication block of the signal chain components with the verified endpoints of each of their respective source outputs. In the example depicted in fig. 3, the signal chain configurator (301) programs each of the individual authentication blocks through its respective driver (304, 305, 306, 307). In at least one example, each of the drivers may be authenticated through a peripheral firewall. A peripheral firewall (310) between the driver and the analog component may further filter and authenticate the programming of the analog component. Authentication at the peripheral firewall provides another level of security to the analog signal chain.

Each of the analog components may authenticate an input received on one of its destination inputs during runtime based on a source-destination pair formed by verified endpoints received by the component with the corresponding source output. For example, if the input (235) is presented to COMP (203) from DAC (204), the authentication block (223) checks whether DAC (204) is a valid source component. If the DAC (204) is a valid source component, the input is authenticated and processed. In some examples, a source may include multiple inputs and/or an input code. If the received input cannot be authenticated, an error is generated and reported to an application or software layer (not shown). In at least one embodiment, each of the signal chain components authenticates the input signal and maintains signal chain integrity during runtime. In some examples, the signal chain component authenticates the input signal and maintains signal chain integrity during the startup time. In other examples, the signal chain component authenticates the output signal rather than the input signal during the run time or the boot time. A hardware mechanism operating in conjunction with the authentication block may check at runtime whether the input and output components are allowed to negotiate a data exchange. If there is a conflicting or invalid authentication, the hardware (the analog component) can issue a security alert to the system application and/or software to take a recovery action. In other examples, the authentication block will check at runtime whether the input/output (IO) configuration is valid for an external IO pin in the system that is not directly transmitted or received from another component. In some embodiments, the security alert may be provided locally or remotely via a network to other nodes in the IoT network.

In another example, the system application and/or software defines an endpoint table to identify real input signals that are allowed to be configured as inputs to the component. In at least one embodiment, the system application and/or software identifies the actual output signals that are allowed to be used by the remaining components in the system. The system applications and/or software may be configured for different end devices using silicon-based devices with reconfiguration capabilities.

Fig. 4 illustrates a comparator (400). The comparator (400) includes channels on the positive and negative terminals. The channel is not selected solely based on the selection signals (402) (IPSEL) and (403) (IMSEL), but is further masked with a MUX signal (401) for authenticating the output (405) of the comparator. If the output (405) is authenticated, the output (405) is processed as needed. Alternatively, if the output (405) cannot be authenticated, an error interrupt condition (404) may be generated and the output (405) may be ignored or discarded. In at least one embodiment, a security error may be detected when an input is received on the destination input during runtime that does not correspond to a valid source output. Upon detection of a security error, an interrupt may be generated. In another example, the analog components may be reset and restored upon detection of a security error. The signal chain configurator may program the authentication block to reconfigure the analog chain during run time after detecting an error condition. In addition, the signal chain configurator may program the authentication block to reconfigure the analog chain during the boot time.

The MUX signal (401) may be generated internally in the authentication block based on the destination input and the source output associated with the destination input. Any analog signal chain component may generate a MUX signal that multiplexes the received input with an authentication signal, such as the MUX signal (401). Fig. 4 also illustrates a reference voltage generator (406) having an input further multiplexed with the MUX signal (401).

FIG. 5 generally illustrates a COMP register (500) having a plurality of bits programmed to indicate a verified endpoint. For example, bit 6 (513) refers to the destination input of the DAC. In one embodiment, if the bit reads logic 0, the destination input is a verified endpoint and the connection from COMP to DAC is allowed. If the bit reads a logic 1, the connection to the DAC is not allowed. Similarly, bit 11 (501) and bit 10 (502) indicate destination inputs from other signal chain components connected to COMP. The MUX signal may be further generated based on the bits in the register (500). It should be noted that the authentication of inputs received on analog components can be implemented in several ways with digital logic using registers and logic gates.

Fig. 6 generally illustrates a status register (600) in an authentication block in a comparator component. Referring to both figs. 4 and 6, the SELAUTH2 (602) and SELAUTH1 (601) bits in the status register (600) read a logic 0 when the comparator channel selection on the positive and negative terminals is authenticated by the MUX signal (401). The SELAUTH2 (602) and SELAUTH1 (601) bits in the status register read a logic 1 when the comparator channel selections on the positive and negative terminals are not authenticated by the MUX signal (401).

Fig. 7 illustrates a method (700) of dynamically authenticating a signal chain formed by a plurality of analog components. In step (701), the method receives one or more verified endpoints for each source output into each of the analog components. For example, signal chain configurator (301) may load destination inputs from endpoint table (302) into analog components such as DAC (314), ADC (315), COMP (316), and VRef (317).

In step (702), the method proceeds to collect verified endpoints from one or more of the analog components. The signal chain integrity block (320) may collect destination inputs from all sources. In step (703), the method identifies one or more source-destination pairs based on the verified endpoint. In one embodiment, the signal chain integrity block (320) collects one or more verified endpoints, associates a source output with each of the one or more verified endpoints to form an endpoint pair, and identifies a source-destination pair based on the endpoint pair. The data may be stored in a table maintained by the signal chain integrity block (320), an example of which is shown in table 2.

In step (704), the method propagates one or more source-destination pairs to each of the analog signal chain components. One or more source-destination pairs may be received into an authentication block and stored in a register, such as the register shown in fig. 5 (500). The information stored in the register (500) may be advantageously used to generate a signal such as the MUX signal (401) illustrated in FIG. 4.

Next, in step (705), the method authenticates the signal chain based on one or more source-destination pairs. In step (706), the method authenticates input received in any of the analog components based on one or more source-destination pairs. For example, the input (238) received from OPAMP (201) in COMP (203) may be authenticated based on register bits in register (500) and status generated in a status register, such as register (600).

Fig. 8 is a flow chart of a method (800) for dynamically resetting a signal chain. In step (801), the method polls a status register, such as a bit in the status register (600). Next, in step (802), the method detects an authentication error. When the register bit indicates an error, e.g., bit (602) reads a 1, then an error is detected. Next, in step (803), the method generates an interrupt for the application and/or software layer. Upon detection of an authentication error in step (802), an interrupt signal (404) may be asserted to alert the application and/or software layers. The method may also detect security breaches and automatically generate an interrupt condition for the CPU when software polling is not involved. The method then continues to step (804) to reset and restore the signal chain. For example, the application layer or software layer may reconfigure the endpoint table and program the authentication block based on the type of error and the interrupt received. It should be noted that the interrupt routine and reset mechanism may be implemented in one of several ways known in the art. The user may also program default conditions configured to automatically reset the endpoint table to the initialization conditions of the overall system and generate an error notification that a security violation has occurred along with a timestamp and associated information of the security attack. The method may propagate the security error to a local application or via a network for recovery action.
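
The register behaviour of figs. 4 to 6 and the recovery flow of fig. 8, modelled in C as an added example (not code from the patent or its authors). Bit 6 for the DAC comes from the text; the sources assigned to bits 11 and 10, the SELAUTH bit positions and their terminal mapping, the deny-all default and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Authentication register (fig. 5): a bit that reads 0 marks a verified
 * endpoint, a bit that reads 1 blocks the connection. Bit 6 is the DAC
 * bit named in the text; assigning bits 11 and 10 to OPAMP and VREF is
 * an assumption made for this example. */
enum source { SRC_OPAMP = 11, SRC_VREF = 10, SRC_DAC = 6 };

/* Because 0 means "allowed", a zeroed register would accept every source.
 * The model therefore uses all-ones (deny all) as its default value. */
#define AUTH_DENY_ALL ((1u << SRC_OPAMP) | (1u << SRC_VREF) | (1u << SRC_DAC))

/* Status register (fig. 6): 0 = selection authenticated, 1 = not.
 * Bit positions and the terminal each bit covers are assumptions. */
#define SELAUTH1 (1u << 0)   /* positive-terminal selection (IPSEL) */
#define SELAUTH2 (1u << 1)   /* negative-terminal selection (IMSEL) */

struct comp {
    uint16_t auth_reg;    /* models register (500) */
    uint8_t  status;      /* models register (600) */
    unsigned interrupts;  /* number of error interrupts (404) raised */
};

/* Reset and restore: load a default configuration and clear the status. */
void comp_reset(struct comp *c, uint16_t default_auth)
{
    c->auth_reg = default_auth;
    c->status = 0;
}

/* Driver call: mark one source as a verified endpoint (clear its bit). */
void comp_allow(struct comp *c, enum source s)
{
    c->auth_reg &= (uint16_t)~(1u << s);
}

/* MUX signal for one source: 1 when its register bit reads 0. */
static int mux_allows(const struct comp *c, enum source s)
{
    return ((c->auth_reg >> s) & 1u) == 0;
}

/* Channel selection masked by the MUX signal (fig. 4). Returns 1 if the
 * comparator output may be used, 0 if it must be discarded. */
int comp_select(struct comp *c, enum source ipsel, enum source imsel)
{
    c->status = 0;
    if (!mux_allows(c, ipsel)) c->status |= SELAUTH1;
    if (!mux_allows(c, imsel)) c->status |= SELAUTH2;
    return c->status == 0;
}

/* Fig. 8 flow: poll the status register (801), detect an error (802),
 * raise an interrupt (803), reset to the default configuration (804).
 * Returns 1 if an error was found and handled, 0 otherwise. */
int poll_and_recover(struct comp *c, uint16_t default_auth)
{
    if ((c->status & (SELAUTH1 | SELAUTH2)) == 0)
        return 0;
    c->interrupts++;
    comp_reset(c, default_auth);
    return 1;
}

int main(void)
{
    struct comp c = { AUTH_DENY_ALL, 0, 0 };
    int usable;

    comp_allow(&c, SRC_OPAMP);
    comp_allow(&c, SRC_DAC);
    usable = comp_select(&c, SRC_OPAMP, SRC_DAC);
    printf("OPAMP/DAC usable: %d\n", usable);
    usable = comp_select(&c, SRC_OPAMP, SRC_VREF);
    printf("OPAMP/VREF usable: %d status=0x%x\n", usable, (unsigned)c.status);
    printf("recovered: %d\n", poll_and_recover(&c, AUTH_DENY_ALL));
    return 0;
}
```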
