A common piece of security wisdom says that your system is only as secure as its weakest link. Unlike random bugs and errors in information systems, malicious attackers carefully choose the weakest point so that their attack causes maximum damage or maximizes their bounty.
We challenge that by showing how to build high-security systems from untrusted components, including hardware chips. Our approach is simple: we make sure the bad guys have to show rock, paper, and scissors all at the same time, i.e. compromise every component simultaneously rather than just the weakest one.
The talk title: Trojan-tolerant Hardware & Supply Chain Security in Practice.
The current consensus within the security industry is that high-assurance systems cannot tolerate the presence of compromised hardware components. In this talk, we challenge this perception and demonstrate how trusted, high-assurance hardware can be built from untrusted and potentially malicious components.
The majority of IC vendors outsource the fabrication of their designs to facilities overseas, and rely on post-fabrication tests to weed out deficient chips. However, such tests are not effective against: 1) subtle unintentional errors (e.g., malfunctioning RNGs) and 2) malicious circuitry (e.g., stealthy Hardware Trojans). Such errors are very hard to detect and require constant upgrades of expensive forensics equipment, which contradicts the motives of fabrication outsourcing.
In this session, we introduce a high-level architecture that can tolerate multiple malicious hardware components, and outline a new approach to hardware-compromise risk management. We first demonstrate our backdoor-tolerant Hardware Security Module built from low-cost commercial off-the-shelf components, benchmark its performance, and delve into its internals. We then explain the importance of “component diversification” and “non-overlapping supply chains”, and finally discuss how “mutual distrust” between components can be exploited to further reduce the capabilities of the adversaries.
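The following is an added software model of the principle the abstract describes, not the talk's own HSM design or code. It shows the two ingredients behind "the attacker must compromise every component at once": independent RNG outputs are XORed so a single backdoored or faulty RNG cannot bias the result, and a deterministic operation (here HMAC-SHA256) is run on several independently sourced implementations and accepted only when they all agree, so a single Trojaned implementation is detected instead of trusted. All component names, the simulated RNGs and the trigger pattern are constructed for illustration.

```python
"""Added illustration of Trojan-tolerant composition (not the talk's design)."""
import hashlib
import hmac
import random
import secrets


# ---- 1. Entropy from diverse RNG "chips": XOR-combine independent outputs ----
# If at least one source is uniform and independent of the others, the XOR is
# uniform, so one backdoored/faulty RNG cannot bias the combined output alone.

def combine_entropy(outputs):
    """XOR equal-length byte strings from several independent RNG components."""
    n = len(outputs[0])
    if any(len(o) != n for o in outputs):
        raise ValueError("all RNG components must return the same length")
    acc = bytearray(n)
    for o in outputs:
        for i, b in enumerate(o):
            acc[i] ^= b
    return bytes(acc)


def honest_rng(n):
    """Models a sound RNG chip (uses the OS CSPRNG)."""
    return secrets.token_bytes(n)


def make_simulated_honest_rng(seed):
    """Deterministic stand-in for an honest RNG so results are reproducible."""
    r = random.Random(seed)
    return lambda n: r.getrandbits(8 * n).to_bytes(n, "big")


def backdoored_rng(n):
    """Constructed model of a backdoored RNG: constant output, zero entropy."""
    return b"\x00" * n


def make_biased_rng(seed, p_ones=0.9):
    """Constructed model of a malfunctioning RNG that emits 0xFF most of the time."""
    r = random.Random(seed)
    return lambda n: bytes(0xFF if r.random() < p_ones else 0x00 for _ in range(n))


def one_bit_fraction(sources, n_bytes):
    """Fraction of 1-bits in the XOR-combined output of the given RNG components."""
    combined = combine_entropy([src(n_bytes) for src in sources])
    ones = sum(bin(b).count("1") for b in combined)
    return ones / (8 * n_bytes)


# ---- 2. Redundant deterministic computation with an agreement check ----

def hmac_lib(key, msg):
    """Implementation A: the standard library's HMAC-SHA256 (reference)."""
    return hmac.new(key, msg, "sha256").digest()


def hmac_manual(key, msg):
    """Implementation B: independently written HMAC-SHA256 (RFC 2104 construction)."""
    block = 64
    if len(key) > block:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


TRIGGER = b"TRIGGER"  # constructed trigger pattern for the modelled Trojan


def hmac_trojaned(key, msg):
    """Constructed model of a Trojaned component: correct except on a trigger input."""
    out = bytearray(hmac_manual(key, msg))
    if TRIGGER in msg:
        out[0] ^= 0x01  # silently corrupt one bit when triggered
    return bytes(out)


def redundant_compute(implementations, *args):
    """Run all diverse implementations; return (True, value) only if they all agree.

    A disagreement means at least one component misbehaved; the output is
    withheld rather than trusting any single component's answer.
    """
    results = [impl(*args) for impl in implementations]
    if any(r != results[0] for r in results[1:]):
        return (False, None)
    return (True, results[0])


if __name__ == "__main__":
    print("backdoored alone, 1-bit fraction:", one_bit_fraction([backdoored_rng], 4096))
    print("honest XOR backdoored XOR biased:",
          one_bit_fraction([honest_rng, backdoored_rng, make_biased_rng(7)], 4096))
    key, msg = b"constructed-key", b"ordinary request"
    print("all agree:", redundant_compute([hmac_lib, hmac_manual, hmac_trojaned], key, msg)[0])
    print("trojan triggered, detected:",
          not redundant_compute([hmac_lib, hmac_manual, hmac_trojaned], key, b"pay TRIGGER")[0])
```

Note the asymmetry the model makes visible: for randomness, one honest source suffices, so the adversary must control every RNG to bias the output; for deterministic operations, one dissenting honest implementation is enough to expose a corrupted result. In both cases the attacker must subvert every component, from every supply chain, at the same time.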