Stanford Cybersecurity, January 2009
DESCRIPTION
A presentation given by Peter Levin, Consulting Professor at Stanford University.
TRANSCRIPT
Peter L. Levin, January 2009
Cybersecurity
Peter L. Levin, Consulting Professor
January 2009
Evolution of GPS Service
• Availability (sparse constellation)
• Accuracy (selective availability)
• Integrity (aviation)
• Coverage (urban canyons and indoors)
• Security (location based authentication)
Copied without shame or remorse, but with attribution, from Per Enge
The Problem Statement
“The United States is already engaged in a ‘low-intensity’ cyber conflict”.
- General Wesley K. Clark, former SACEUR
“[And] cannot kill or capture its way to victory”.
- Robert M. Gates, Secretary of Defense
“It is a battle we are losing”
The Black Swan Effect
• We won’t be more secure in a day
– Planning takes time, energy, focus
– Competing priorities
– False perceptions
• current safety
• difficulty of raising the bar
• . . . but we can be crippled in seconds
– Insidious attacks can come from anywhere
• the network, the software, or the hardware
– Catastrophic results if we’re left unprotected
Public Awareness Has Changed
“several Georgian state computers [were] under external control”
So they moved websites to Google:
P2P uses as much as 60% of Internet Bandwidth
P2P networks offer an easy way to disguise illegitimate payloads using sophisticated protocols, and can divert network traffic to arbitrary ports
From Spector 360
Machine Readable Travel Documents
Cracked in ten seconds for $10,000
Real-world reliability vs digital security reliability
• Seven nines: aircraft landing
• Six nines: mature manufacturing QA
• Five nines: PSTN availability (after 100 years)
• Four nines: domestic electric energy transmission
• Three nines: maximum possible desktop uptime
• Two nines: credit-card number protection
• One nine: internet traffic not broadly related to attack
• Zero nines: “[a]bility of stock antivirus to find new malware”
Security is a Subset of Reliability*
*from the article of that name by Geer and Conway, IEEE Security and Privacy, Dec 08
The (Cyber)Security Marketplace
Information Infrastructure Security
• Networks and Systems: denial of service, port scans, worms, exploits
• Software Applications and Operating Systems: tampering, license manipulation, theft
• Hardware: HW Trojans, design manipulation, counterfeits
Hardware Sabotage
“The most monumental non-nuclear explosion ever seen from space” was reportedly caused by the US in a Soviet commercial gas pipeline.
An Israeli bombing raid on a suspected Syrian nuclear facility was (allegedly!) due to a “kill switch” that turned off surveillance radar.
Hardware’s Axis of Evil
[Matrix: what the hardware must do, Enforce Policy (ensure proper behavior) or Observe Function (detect misbehavior), against what it must defend against, Accidental Errors or Nefarious Intent. Named quadrants: DRM and HW Assurance.]
Counterfeits are Expensive and Dangerous
• Exploit complexity
• Difficult to detect
• Compromise security
Source: Unclassified FBI Report, January 2008
Chip-Making in Four Easy Steps
[Flow, from specification to mask: Function Specification; Logic Circuit Design; RTL & Layout Design; Mask Creation]
Thanks to Grace and Sherman for this slide
Chip-Level Hardware Assurance
Graphic from Sally Adee, IEEE Spectrum
[Threats shown: authenticity and provenance; mechanical compromise; add extra wires; add extra transistors]
“Your Hands Can’t Hit What Your Eyes Can’t See”
DAFCA provides on-chip, at-speed, in-system visibility
Integrate Verification and Validation
• Tap the lines “pre-silicon”
– Software only
– Platform/technology agnostic
– Automated
• Observe behavior “post-silicon”
– Configure, operate, and control FSM
– Don’t slow down, don’t stop
– No extra pins, no special libraries
• React
– Injection, isolation, remediation
Why At-Speed Observability Matters
• Example: 5 billion transaction “boot scenario”
– SW simulation @ 0.01 MHz = 6 days*
– HW acceleration @ 0.1 MHz = 14 hours*
– At-speed @ 500 MHz = 10 seconds
* Even these are 10x faster than IBM’s benchmark
Two Examples
By “hardware assurance” we mean:
1) Is the chip authentic?
2) Is the chip functioning properly?
• Until now, most of the attention has been focused on “static” views
Detect Malfunction
• Invisible to functional logic
• Invisible to application software
• Impossible to understand by inspection
– It’s just gates and flops, no hard macros
– It’s configured on the fly
An Instrumented GPS Chip
[Block diagram: probe groups grp_lcd_out, grp_lcd_fifo_rd1, grp_lcd_fifo_rd2, grp_lcd_fifo_rd3, grp_lcd_rgb, grp_arm_i, grp_arm_r_0, grp_usb_slv and grp_usb_mstr feed 125-bit buses through CB1_MUX, CB2_MUX and CB3_MUX, aligners, a 4-fifo and clock-domain crossings (CDC_LCD, between the 10MHz and 166MHz domains) into the SPN NETWORK, and from there to the Transaction Engine (PTE, TRACER, CAPSTIM, GP_IN) and a TraceRAM (1k x 128).]
Observation Bus = 125 (probe grp) + 2 Valid + 1 Time Stamp = 128 bit
1 valid for domain crossing of 10MHz to 166MHz
1 valid for domain crossing of 83KHz to 166MHz
The Road Ahead
[Figure: abstraction rises from on-chip cycle protocols and timing, through bus cycles, arbitration policies and event sequencing, up to software objects, pointers, calls and register writes; at each layer the loop is observe, characterize, detect, ending in a Detected Violation. Instruments listed: Bus Protocol Assertions, Static Mode Selects, Exception Generators, Memory Checkers, Performance Monitors, Traffic Generators, Event Sequencing. Phases along the time axis: Boot-up, System Software, Application Software.]
Device Authenticity/Anti-Counterfeit
• Counterfeit chips are easy to make, hard to detect
• Enormous economic incentive
– most hackers are driven by money
• Attractive targets for adversaries
– banks, hospitals, military installations
Our customers need an inexpensive and reliable way to detect counterfeit devices in the field
An Anti-Counterfeit Architecture
• DAFCA – on-chip instrumentation
• eScrypt – embedded security
– SiDense (CMOS embedded flash)
• Zanio – highly secure positioning and time
On-Chip, At-Speed, In-System Instrumentation
Tap the lines pre-silicon
• Conveniently, easily, ubiquitously
• Formal/model check the result
Observe behavior at speed
• Assertions, triggers, breakpoints
• Performance monitoring
React
• Injection, remediation, isolation
Step One: “Talk to me”
Establish An Encrypted Channel
On-Chip PKI
• Extremely compact
Unique
• Based on random mfg variability
Secure
• Store keys in protected CMOS flash
Step Two: “Talk securely to me”
Embed A Secret
Unique GPS token
• One-time insertion
Prove authenticity
• Dynamic challenge-response protocol
• Can be implemented in-field
Two factor security
• Device fingerprint (PUF)
• Device pedigree (location and time)
Step Three: “Tell me a secret”
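The two-factor check described in Steps Two and Three (a PUF-derived device key plus a location-and-time pedigree, answered to a fresh challenge) as an added, constructed model; this is not the DAFCA/eScrypt/Zanio design, and the geofence, freshness window, key derivation and message layout are all assumptions.

```python
import hashlib
import hmac
import math
import os

# Constructed model, not the DAFCA/eScrypt/Zanio design: a verifier checks a
# device's answer to a fresh challenge using two factors, a key derived from
# a (simulated) PUF response and a location/time pedigree bound into the answer.

SITE_LAT, SITE_LON, SITE_RADIUS_KM = 37.4275, -122.1697, 5.0   # assumed geofence
MAX_SKEW_S = 30                                                # assumed freshness window


def enroll(puf_response: bytes) -> bytes:
    """Per-device secret the verifier records at enrolment (the fingerprint factor)."""
    return hashlib.sha256(b"puf-kdf|" + puf_response).digest()


def new_challenge() -> bytes:
    """Fresh nonce per query, so a captured answer cannot be replayed later."""
    return os.urandom(16)


def device_respond(puf_response: bytes, challenge: bytes, lat: float, lon: float, t: int):
    """What an authentic device computes: pedigree plus an HMAC over nonce and pedigree."""
    key = enroll(puf_response)              # the device re-derives its key from its PUF
    pedigree = f"{lat:.5f},{lon:.5f},{t}".encode()
    tag = hmac.new(key, challenge + pedigree, hashlib.sha256).digest()
    return pedigree, tag


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def verify(stored_key: bytes, challenge: bytes, pedigree: bytes, tag: bytes, now: int) -> str:
    """Verifier side: fingerprint first, then pedigree freshness and location."""
    expected = hmac.new(stored_key, challenge + pedigree, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "bad-fingerprint"            # wrong device, altered pedigree, or stale nonce
    lat, lon, t = pedigree.decode().split(",")
    if abs(now - int(t)) > MAX_SKEW_S:
        return "stale-pedigree"
    if haversine_km(float(lat), float(lon), SITE_LAT, SITE_LON) > SITE_RADIUS_KM:
        return "wrong-location"
    return "ok"
```

Because the pedigree is covered by the HMAC, a device cannot claim a different location or time without the key, and because the nonce is also covered, an answer recorded earlier fails the next check.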
Use GPS to Ensure Authenticity
• Easy to use – no interruption of design implementation flow
• No special pins, no special libraries, no performance degradation
• On-chip, at-speed, in-system – can be accessed remotely, and in-field
Set an extremely high bar for hackers
Secure Channel, Secret Message
• DAFCA + eScrypt + Zanio enables
– Access to the Zanio core from the device, from the operating system, or from the host system
– Message passing to and from the device without fear of compromise
– A “plug compatible” device that can easily replace or substitute unprotected chips
Location Security
• Application areas
– Public health and safety
– Tolling and mobile asset tracking
– Networked asset protection (including data)
– National security applications (including MTDs)
– Financial infrastructure (laundering and fraud)
How do you know you are where you think you are?
How do I know that you are where you say you are?
Next Generation Cybersecurity
• Augment the GNSS utility to
– Defeat spoofing
– Overcome jamming
• Security for GNSS -> Security from GNSS
Conclusion
• Cybersecurity is a priority of the new administration
• Approximately $30 billion in new programs
• Hardware assurance will be a prominent part of the technical roadmap
• Anti-tamper and anti-counterfeit solutions are available today