Researchers have created a chip that deploys ionic memristor technology to solve the digital problem of security with an analog memory hardware solution.
While we embrace the way the Internet of Things already is making our lives more streamlined and convenient, the cybersecurity risk posed by millions of wirelessly connected gadgets, devices, and appliances remains a huge concern. Even single, targeted attacks can result in major damage; when cybercriminals control and manipulate several nodes in a network, the potential for destruction increases.
“The idea is that it’s hard to predict, and because it’s hard to predict, it’s hard to reproduce…”
Dmitri Strukov, a professor of electrical and computer engineering at the University of California, Santa Barbara, is working to address the latter. He and his team are looking to put an extra layer of security on the growing number of internet- and Bluetooth-enabled devices with technology that aims to prevent cloning, the practice by which hackers replicate nodes in a network and then use them to launch attacks from within the network.
“You can think of it as a black box,” says Strukov. Due to its nature, the chip is physically unclonable, rendering the device invulnerable to hijacking, counterfeiting, or replication by cyber criminals.
Key to this technology is the memristor, or memory resistor—an electrical resistance switch that can “remember” its state of resistance based on its history of applied voltage and current. Not only can memristors can change their outputs in response to their histories, but each memristor, due to the physical structure of its material, also is unique in its response to applied voltage and current. Therefore, a circuit made of memristors results in a black box of sorts, as Strukov called it, with outputs extremely difficult to predict based on the inputs.
“The idea is that it’s hard to predict, and because it’s hard to predict, it’s hard to reproduce,” Strukov says. The multitude of possible inputs can result in at least as many outputs—the more memristors, the more possibilities. Running each would take more time than an attacker may reasonably have to clone one device, let alone a network of them.
The use of memristors in today’s cybersecurity is especially significant in light of machine learning-enabled hacking, in which artificial intelligence technology is trained to “learn” and model inputs and outputs, then predict the next sequence based on its model. With machine learning, an attacker doesn’t even need to know what exactly is occurring as the computer is trained on a series of inputs and outputs of a system.
“For instance, if you have 2 million outputs and the attacker sees 10,000 or 20,000 of these outputs, he can, based on that, train a model that can copy the system afterwards,” says Hussein Nili, the paper’s lead author. The memristive black box can circumvent this method of attack because it makes the relationship between inputs and outputs look random enough to the outside world even as the circuits’ internal mechanisms are repeatable enough to be reliable.
“It has to look random, but it should also be deterministic,” he says.
In addition to the variability embedded in these memristor circuits, other features include high throughput, speed, and economy of energy use, making them an ideal component in the tight energy budget of the Internet of Things. Then there is the fact that this is already a semi-practical technology that can both secure device identity and encrypt information.
“If we scale it a little bit further, it’s going to be hardware which could be, in many metrics, the state-of-the-art,” Strukov says.
As they continue to refine this technology, Strukov and his colleagues are investigating whether there will be any drifts in the characteristics over time. They also are developing “strong” security paths that require larger memristive circuits and additional techniques (suitable for sensitive military equipment or highly classified information), and “weak” paths geared more toward consumer electronics and everyday gadgets—situations in which it would likely not be worth an attacker’s time to spend hours or days hacking into a device.