[PLUG-TALK] [PLUG] Equation may p0wn your hard drive
Keith Lofstrom
keithl at gate.kl-ic.com
Fri Feb 20 05:30:35 UTC 2015
Keith wrote:
http://spectrum.ieee.org/semiconductors/design/stopping-hardware-trojans-in-their-tracks
On Thu, Feb 19, 2015 at 08:46:57PM -0800, Rigel Hope wrote:
> that'd be nice, but i dont understand how, if trusted chip design
> relies on encryption, something like
> http://www.chesworkshop.org/ches2013/presentations/CHES2013_Session4_3.pdf
> isnt still possible. chicken/egg.
Read the Spectrum article, which proposes making the high tech transistors
at a sophisticated (but insecure) factory, then doing the BEOL (back end
of line) wiring at a lower-tech but more trusted shop. If the bad guys
don't know what the wiring field looks like, they cannot inject device
changes with predictable results.
This is kinda like the old days, when wise custom chip companies made
the chips in one country, packaged them in a second country, and tested
them in a third, to avoid easy counterfeiting. Now it is three different
fabs for different steps in the process (plus more places for packaging,
test, material management, etc.).
I peddle a CMOS cell that our clients use to generate unique, on-chip
bit strings ( http://siidtech.com ). While my partners and I have the
fundamental patent, we use it to protect our clients from trolls, but
rarely attack infringing competitors unless they are true customer-
damaging bastards. Which some are, promising the moon and delivering
crap.
We only offer our cells to protect "cheap" secrets (example, credit
cards with limits under $10K) stored in well-designed hardware.
Some infringing competitors promise to protect million dollar secrets,
national security, etc., typically with the hardware version of
"security by obscurity", gingerbread added to an insecure core.
There is no perfect security. All you can do is hope to make the
cost of an exploit (implementation plus retribution) unaffordably
high, while remembering that accumulating cleverness always wins in
the end. That is why secrets (like credit cards, or passwords, or
supposedly secure hardware) should always have an expiration date.
Keith
--
Keith Lofstrom keithl at keithl.com
More information about the PLUG-talk
mailing list