The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services.
FBI Section Chief Raul Rolden.
What keeps us up at night is the dynamic nature of this threat, because by the time we've figured out how to test for these counterfeits, they've figured out how to get around it. It's literally on almost a daily basis they change. The sophistication of the counterfeiting is amazing to us.
Vivek Kamath, head of Raytheon's supply chain operations.

The ability to track and trace hardware and its associated software provides the highest level of security available for customers who want to ensure that their supply chain is secure. It provides the means to track and trace each component back to the source code or component of a supplier, who can then be held accountable.

Beyond its security benefits, the solution will also open the way to improving the economics of the supply chain through Blockchain-enabled open verification tools that validate FPGA/ASIC designs and the programming/part personalization steps that are increasingly carried out in foreign fabrication centers.

Integrated Circuit Design, Security, Validation, and Instantiation

Historically, the military drove rapid technology advancements. However, a new trend has emerged in the Integrated Circuit (IC) design and fabrication market: technological advances are now often driven by the commercial sector, and IC products are largely Commercial Off-The-Shelf (COTS) products integrated into military weapons systems. These advances include novel communications and control systems and are attractive because of their low consumer cost and fast time to market.

Currently, Defense accounts for one percent of the semiconductor development market, which means that most of the components designed into DOD systems have been developed by the commercial sector. The commercial sector decided long ago that the most economical way to shorten an integrated circuit's time to market is to split the design into multiple components that can either be designed by different design teams or bought from an intellectual property (IP) vendor. Moreover, many semiconductor companies turned to the fabless model and outsourced their production to overseas factories, test houses and design houses. As a consequence, the supply chain has become many times more complex and harder to monitor and control.

This development gives rise to a new threat: the inability to trust a design from another supplier that is being integrated into a system, combined with the inability to fully trust the produced components and their source. Historically, hardware was spread across many single-function ICs on a printed circuit board (PCB), and possible backdoor threats were easy to identify: a simple analysis of the PCB would reveal any IC that did not belong on the system. Today's complex systems, however, are designed around high-density Field Programmable Gate Arrays (FPGA) and microcontroller-based Systems-on-Chip (SoC). With these designs encased in hermetically sealed packaging, reverse engineering the device to analyze its trustworthiness is a difficult and time-consuming task. It also requires expensive hardware such as fine grinding equipment, scanning electron microscopes, focused ion beam systems and software automation, as well as people trained to use such equipment.

It is well understood in the design community that finding bugs in electronics is much cheaper during the design phase than after the design has been manufactured. If a bug is found in a device that has already been manufactured, the best case is a workaround that requires only a small software or hardware (e.g. mask) change. The worst case is a complete re-spin of the device: fixing the design, testing the fix, regression testing the device and manufacturing new devices. FPGAs allow a quick turnaround, as a new bitstream is simply loaded into the FPGA. For an IC, however, manufacturing a new device takes at least several months, assuming access to an IC fab and no silicon changes; if the silicon has to change, the manufacturing time grows by at least six months. The same holds for validation of the design: if a problem is found during validation, the affected component must be replaced, which adds time for design, test and (for non-stocked electronic components) manufacturing. If, on the other hand, each portion of the design can be validated during the design phase, trust issues can be identified early enough to avoid expensive re-spins of the system. Each time a design moves one step further down the design/manufacturing cycle before a problem is identified, the cost of fixing it increases by an order of magnitude. As the design and manufacturing cycle has at least six steps, validating the security of a design early in the cycle is clearly imperative.

Once the chip has been produced, it has to be tracked through the supply chain to make sure that no fake look-alikes enter the system. This requires unique identifiers for the chips that can be neither cloned nor altered.
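The requirement for a per-chip identifier that can be neither cloned nor altered is what an SRAM PUF with a fuzzy extractor provides. The following is an added illustration, not Guardtime's or Intrinsic-ID's code: it models SRAM start-up values as a stable per-device pattern plus read noise (both constructed with seeded random generators), enrols a key by storing public helper data, and reconstructs the same key from a later noisy read using a simple repetition code. Constants such as BLOCK, KEY_BITS and the noise rate are assumptions for the toy; production SRAM PUFs see more noise and use stronger error-correcting codes.

```python
# Added example (not Guardtime's or Intrinsic-ID's code): a toy SRAM PUF identity with a
# repetition-code fuzzy extractor. The SRAM start-up pattern and the read noise are
# constructed with seeded random generators so that the example runs offline.
import hashlib
import random

KEY_BITS = 128   # length of the reconstructed device key (assumption for this toy)
BLOCK = 11       # PUF cells per key bit, i.e. repetition code length (assumption)
NUM_CELLS = KEY_BITS * BLOCK


def stable_response(device_seed):
    """Noise-free SRAM start-up pattern of one device. In real silicon this comes from
    per-cell manufacturing variation; here device_seed stands in for that variation."""
    cell_rng = random.Random(device_seed)
    return [cell_rng.randrange(2) for _ in range(NUM_CELLS)]


def sram_startup(device_seed, noise_rate=0.02, rng=None):
    """One power-up read: the stable pattern with a random fraction of cells flipped."""
    rng = rng or random.Random()
    return [bit ^ 1 if rng.random() < noise_rate else bit
            for bit in stable_response(device_seed)]


def bounded_noise_read(device_seed, flip_every=13):
    """A read with an evenly spaced error pattern (one flip per flip_every cells).
    Handy for checking the correction bound: flip_every > BLOCK guarantees at most one
    error per block."""
    cells = stable_response(device_seed)
    for i in range(0, NUM_CELLS, flip_every):
        cells[i] ^= 1
    return cells


def enroll(response, key_rng=None):
    """One-time enrolment (typically in a trusted facility): draw a random key, encode each
    key bit as BLOCK repeated bits and store only helper = codeword XOR response.
    The helper data can be public: without this chip's response it reveals nothing useful
    about the key, and copying it to other silicon does not transfer the identity."""
    key_rng = key_rng or random.Random()
    key = [key_rng.randrange(2) for _ in range(KEY_BITS)]
    codeword = [b for b in key for _ in range(BLOCK)]
    helper = [c ^ r for c, r in zip(codeword, response)]
    return key, helper


def reproduce(response, helper):
    """Field reconstruction: XOR a fresh (noisy) read with the helper data, then majority-vote
    each block of BLOCK bits back to one key bit. Up to BLOCK // 2 flips per block are corrected."""
    noisy_codeword = [h ^ r for h, r in zip(helper, response)]
    key = []
    for i in range(0, NUM_CELLS, BLOCK):
        ones = sum(noisy_codeword[i:i + BLOCK])
        key.append(1 if ones > BLOCK // 2 else 0)
    return key


def device_id(key):
    """Public identifier derived from the reconstructed key (the key itself never leaves the chip)."""
    return hashlib.sha256(bytes(key)).hexdigest()


def demo():
    """Constructed devices: seed 1 is the genuine part, seed 2 a look-alike that received a
    copy of the genuine part's helper data. Returns (genuine_ok, lookalike_ok, identifier)."""
    key_a, helper_a = enroll(stable_response(1), key_rng=random.Random(10))
    fresh_read = sram_startup(1, rng=random.Random(99))       # later, noisy power-up
    genuine_ok = reproduce(fresh_read, helper_a) == key_a
    lookalike_read = sram_startup(2, rng=random.Random(99))   # other silicon, same helper
    lookalike_ok = reproduce(lookalike_read, helper_a) == key_a
    return genuine_ok, lookalike_ok, device_id(key_a)


if __name__ == "__main__":
    genuine_ok, lookalike_ok, ident = demo()
    print("genuine part reproduces its key:", genuine_ok)
    print("look-alike with copied helper data reproduces it:", lookalike_ok)
    print("device id:", ident)
```

The security-relevant point is the split between what is stored and what is measured: the helper data is a public artefact that can be logged, and the identity only reappears when it meets the physical response of the enrolled chip, which is why a cloned board with copied helper data fails to reproduce the key.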

The offering of Guardtime and Intrinsic-ID is a direct response to recent legislation in the US that introduces new risk management processes for Information Assurance and the supply chain. The main points of attention addressed in the legislation are listed below, each followed by our comment:

Reduce vulnerabilities in the system design through system security engineering

Comment: security engineering must be carried out in parallel with the hardware and software development lifecycle. Integrating the KSI Blockchain into build activities throughout this process assures mutual auditability and traceability of changes without reliance on a trusted administrator or complicated key management schemes. Additionally, regression test activities become more efficient (especially where legacy code is concerned), as baseline accreditations and software assurance test items can be forensically proven and de-conflicted from new code/hardware. When the Blockchain technology is combined with SRAM PUF technology, the auditability and traceability of not only the software but also the hardware, and even the whole system, is guaranteed.
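The property this comment relies on, and that the later comments on validating components against known good states also rest on, is that a record's integrity can be checked against a published root without trusting whoever operates the log. The following added example, which is not Guardtime's KSI implementation, shows the mechanism in its simplest form: build and provisioning records are stored as leaves of a Merkle tree, the root is what would be published or anchored, and a verifier holding only the root, the record and its inclusion proof can tell a genuine record from an altered one. The records, device ids and firmware hashes are constructed placeholders.

```python
# Added example (not Guardtime's KSI code): a tamper-evident build/provisioning log as a
# Merkle tree with inclusion proofs. All records below are constructed placeholders.
import hashlib
import json


def sha256(data):
    return hashlib.sha256(data).digest()


def leaf_hash(entry):
    """Hash of one log record. Canonical JSON so equal records hash equally; the 0x00 prefix
    keeps leaf hashes distinct from interior-node hashes (second-preimage hardening)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return sha256(b"\x00" + canonical)


def node_hash(left, right):
    return sha256(b"\x01" + left + right)


def _pad(level):
    # Duplicate the last node on levels with an odd number of nodes.
    return level + [level[-1]] if len(level) % 2 else level


def _next_level(level):
    level = _pad(level)
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(entries):
    """Root hash over all records; this is the value that gets published or anchored."""
    if not entries:
        raise ValueError("empty log")
    level = [leaf_hash(e) for e in entries]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(entries, index):
    """Sibling hashes from the leaf at `index` up to the root, each tagged with its side."""
    level = [leaf_hash(e) for e in entries]
    proof = []
    while len(level) > 1:
        level = _pad(level)
        sibling = index ^ 1
        proof.append(("left" if sibling < index else "right", level[sibling]))
        level = _next_level(level)
        index //= 2
    return proof


def verify_inclusion(entry, proof, published_root):
    """Recompute the path from the record to the root using only the proof and the published
    root; no trust in the log operator is needed for this check."""
    h = leaf_hash(entry)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return h == published_root


def build_log():
    """Constructed records for one firmware lifecycle. Device ids stand in for PUF-derived
    identifiers; the hashes are placeholders, not real artefact digests."""
    return [
        {"seq": 0, "stage": "source",      "artifact": "fw-src",  "sha256": "placeholder-src-hash"},
        {"seq": 1, "stage": "build",       "artifact": "fw.bin",  "sha256": "placeholder-bin-hash"},
        {"seq": 2, "stage": "assurance",   "artifact": "fw.bin",  "result": "pass"},
        {"seq": 3, "stage": "provision",   "device_id": "PLACEHOLDER-PUF-ID-0001", "fw_sha256": "placeholder-bin-hash"},
        {"seq": 4, "stage": "provision",   "device_id": "PLACEHOLDER-PUF-ID-0002", "fw_sha256": "placeholder-bin-hash"},
    ]


def demo():
    """Returns (genuine_ok, altered_ok, root_changed): a genuine provisioning record verifies,
    the same record with a swapped firmware hash does not, and rewriting the log changes the root."""
    log = build_log()
    root = merkle_root(log)                    # published when the baseline is accredited
    record, proof = log[3], inclusion_proof(log, 3)
    genuine_ok = verify_inclusion(record, proof, root)
    altered = dict(record, fw_sha256="placeholder-modified-hash")
    altered_ok = verify_inclusion(altered, proof, root)
    rewritten = list(log)
    rewritten[3] = altered
    return genuine_ok, altered_ok, merkle_root(rewritten) != root


if __name__ == "__main__":
    print("genuine record verifies:", demo()[0])
    print("altered record verifies:", demo()[1])
    print("rewriting the log changes the published root:", demo()[2])
```

The five-record log deliberately produces odd-sized levels, so the duplicate-last-node rule is exercised; a record's proof is a handful of hashes regardless of log size, which is what makes field validation of a component's baseline practical long after the assurance test that produced it.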

Control the quality, configuration, and security of software, firmware, hardware, and systems throughout their lifecycles, including components or subcomponents from secondary sources. Employ protections that manage risk in the supply chain for components or subcomponent products and services (e.g., integrated circuits, field-programmable gate arrays (FPGA), printed circuit boards) when they are identifiable (to the supplier).

Comment: baseline changes in source code, compiled binaries and firmware can be verified in real time for quality control and tamper (manipulation) detection, supporting audit, investigative and configuration control actions. Furthermore, the combined offering makes it possible to check for changes in the HW-SW combination.

Detect the occurrence of, reduce the likelihood of, and mitigate the consequences of unknowingly using products containing counterfeit components or malicious functions.

Comment: by integrating critical software functions, configuration files, and software with KSI Blockchain, counterfeit components can be quickly compared and contrasted against known good states and validated in real time without reliance on a single trust anchor (such as a human being). Hardware identifiers based on SRAM PUF technology are used to trace back logging information and provide trust in the components used.

Detect vulnerabilities within custom and commodity hardware and software through rigorous test and evaluation capabilities, including developmental, acceptance, and operational testing.

Comment: by integrating critical software functions, configuration files, and software with KSI Blockchain, counterfeit components can be quickly compared and contrasted against known good states and validated in real time without reliance on a trust anchor (such as a human being).

Implement tailored acquisition strategies, contract tools, and procurement methods for critical components in applicable systems, to include covered procurement actions.

Comment: test activities can become more efficient by integrating the Blockchain into the test process for critical components. Once software assurance testing has been conducted, it essentially becomes a 'point-in-time assessment'. With KSI, real-time validation of critical components being considered for acquisition is possible once software assurance testing has concluded, and that validation persists over the life of the asset. Similarly, using SRAM PUF based hardware identifiers, hardware components can be validated in combination with KSI.

For more information please see the attached white-paper.