Security needs to be incorporated starting from product concept throughout the entire lifecycle. As new AI applications and use cases emerge, devices that run these applications need to be capable of adapting to an evolving threat landscape. To address the high-grade protection requirements, security needs to be multi-faceted and “baked-in” from the edge devices incorporating neural network processing system-on-chips (SoCs), right through to the applications that run on them and carry their data to the cloud.
At the outset, system designers adding security to their AI product must consider a few security enablers that are foundational functions that belong in the vast majority of AI products, including AI, to protect all phases of operation: offline, during power up, and at runtime, including during communication with other devices or the cloud. Establishing the integrity of the system is essential to creating trust that the system is behaving as intended.
Secure bootstrap, an example of a foundational security function, establishes that the software or firmware of the product is intact (“has integrity”). Integrity assures that when the product is coming out of reset, it is doing what its manufacturer intended – and not something a hacker has altered. Secure bootstrap systems use cryptographic signatures on the firmware to determine their authenticity. While predominantly firmware, secure bootstrap systems can take advantage of hardware features such as cryptographic accelerators and even hardware-based secure bootstrap engines to achieve higher security and faster boot times. Flexibility for secure boot schemes is maximized by using public key signing algorithms with a chain of trust traceable to the firmware provider. Public key signing algorithms can allow the code signing authority to be replaced by revoking and reissuing the signing keys if the keys are ever compromised. The essential feature that security hinges on is that the root public key is protected by the secure bootstrap system and cannot be altered. Protecting the public key in hardware ensures that the root of trust identity can be established and is unforgeable.
The best encryption algorithms can be compromised if the keys are not protected with key management, another foundational security function. For high-grade protection, the secret key material should reside inside a hardware root of trust. Permissions and policies in the hardware root of trust enforce that application layer clients can manage the keys only indirectly through well-defined application programming interfaces (APIs). Continued protection of the secret keys relies on authenticated importing of keys and wrapping any exported keys. An example of a common key management API for embedded hardware secure modules (HSM) is the PKCS#11 interface, which provides functions to manage policies, permissions, and use of keys.
A third foundational function relates to secure updates. Whether in the cloud or at the edge, AI applications will continue to get more sophisticated and data and models will need to be updated continuously, in real time. The process of distributing new models securely needs to be protected with end-to-end security. Hence it is essential that products can be updated in a trusted way to fix bugs, close vulnerabilities, and evolve product functionality. A flexible secure update function can even be used to allow post-consumer enablement of optional features of hardware or firmware.
After addressing foundational security issues, designers must consider how to product the data and coefficients in their AI systems. Many neural network applications operate on audio, still images or video streams, and other real-time data. These large data sets can often have significant privacy concerns associated with them so protecting large data in memory, such as DRAM memory, or stored locally on disk or flash memory systems, is essential. High bandwidth memory encryption (usually AES based) backed by strong key management solutions is required. Similarly, models can be protected through encryption and authentication, backed by strong key management systems enabled by hardware root of trust.
To ensure that communications between edge devices and the cloud are secured and authentic, designers use protocols that incorporate mutual identification and authentication, for example client authenticated Transport Layer Protocol (TLS). The TLS session handshake performs identification and authentication, and if successful the result is a mutually agreed shared session key to allow secure, authenticated data communication between systems. A hardware root of trust can ensure the security of credentials used to complete identification and authentication, as well as the confidentiality and authenticity of the data itself. Communication with the cloud will require high bandwidth in many instances. As AI processing moves to the edge, high-performance security requirements are expected to propagate there as well, including the need for additional authentication, to prevent the inputs to the neural network from being tampered with, and to ensure that AI training models have not been tampered with.