
Friday, March 14, 2014

More on DARPA SHIELD

I attended a meeting today on the DARPA SHIELD program where I learned a lot about the problems of assuring the integrity of electronic hardware.  Counterfeit parts are a major concern for the U.S. military and a growing concern for companies.  The SHIELD program will develop a tag with a unique ID that can be attached to all sorts of electronic components.  The tag chip will be designed to resist efforts to examine or alter it.

Counterfeit parts are widespread and come from a variety of sources.  False designs that contain Easter eggs designed to activate at a later date and cause problems are just one of the concerns.  A lot of fake chips are salvaged from old, recycled electronics; ironically, much of that recycled gear comes from U.S. consumers.  Other fakes were made by the manufacturer but didn't pass all their tests for performance, temperature, etc.  The entities that sell these chips range from mom-and-pop operations to sophisticated criminal organizations to countries.  Some of the counterfeiters just want to make money while others are intent on harming the United States.

Interestingly, DARPA thinks that some of the most serious threats come not from the high-end components but from simpler, commodity parts.  If your Ethernet chip goes bad, it can cause just as many problems as a bad high-performance CPU.  And intermittent failures, which are common in counterfeits, are harder to debug and trace to the part causing the problem.

Electronic parts have very long, complex supply chains.  All it takes is one slip-up anywhere along that path to allow bad parts to slip into the system.  Paperwork on the sources of components isn't enough.  The SHIELD program could make a big change in how we think about manufacturing and using electronics.

Friday, March 7, 2014

DARPA SHIELD Program

DARPA has announced a new program on hardware assurance; here is the DARPA press release.  The SAE AS5553A standard, which we have discussed before in this blog, defines documentation procedures used to keep track of hardware provenance.  SHIELD is a much more automated approach to this problem.

The SHIELD program aims at designing a small chip that can be affixed on components.  A handheld device can then be used to interrogate the device and verify that the tag identifies the proper device.  The device is designed to be cheap---less than a penny---and to be resistant to tampering.

DARPA lists several threat models that are of interest to them: recycled components sold as new; unauthorized overproduction of authorized components; substandard components sold as new; parts remarked with higher reliability or newer manufacturing dates; out-and-out copies; parts that are repackaged and destined for unauthorized applications.

Sunday, October 13, 2013

Hardware Assurance

The term hardware assurance has been circulating for the past couple of years.  This term refers to assurance that the hardware you have is the hardware you think you paid for.  Counterfeit electronic hardware has become a big problem for the military---they pay big money for equipment that turns out to be fraudulent and non-functional.  Companies are increasingly concerned about the effects of counterfeit hardware on their bottom line---not only do they lose the sale to the counterfeit, but they often have to pick up the warranty costs for those counterfeits, too.

At the most basic level, hardware assurance ensures that components have not been substituted.  One way to provide such assurance is through supply chain management: auditing, custody chain tracking, etc. SAE has developed a standard, AS5553A, for the documentation and procedures to be followed to ensure a reliable supply of components from suppliers.  That standard, of course, needs to be followed not just by your supplier but by their suppliers as well.

Programmable memories are, of course, an easy way to attack programmable devices.  Andrew Appel of Princeton University has demonstrated the ease with which ROMs on New Jersey's voting machines can be substituted, allowing the voting machine to be reprogrammed.

A more subtle version of this problem rears its head in the semiconductor world.   If you give a set of masks to a semiconductor manufacturer, how do you know that they manufactured the circuit you gave them?  Not only may they have manufactured junk, but they may have introduced Trojan horses into your hardware that they can exploit at later dates.  Various techniques have been developed to deal with this problem.  Netlists can be used as watermarks to verify that the design has not been changed.

Yet another subtlety comes into play for embedded devices---how do you know that a device in the field hasn't been swapped?  Even if a device leaves your plant with the correct hardware, it may have been compromised after installation. Physically unclonable functions (PUFs) can be used to generate a unique signature for each device that can be checked in the field.
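
The field check described above can be sketched in code. This is an added example, not from the original post: the PUF is simulated in software (a real one derives its response from silicon variation), and the class names, 256-bit response width, 3% read noise and distance threshold are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import random
import secrets

BITS = 256  # assumed response width

class SimulatedPUF:
    """Software stand-in for a silicon PUF: a fixed per-die secret plus read noise."""
    def __init__(self, die_entropy: bytes, noise: float = 0.03):
        self._secret = hashlib.sha256(die_entropy).digest()
        self._noise = noise

    def respond(self, challenge: bytes) -> int:
        ideal = int.from_bytes(
            hmac.new(self._secret, challenge, hashlib.sha256).digest(), "big")
        flips = 0
        for bit in range(BITS):  # each read flips a few bits, as real PUFs do
            if random.random() < self._noise:
                flips |= 1 << bit
        return ideal ^ flips

class Verifier:
    """Holds challenge-response pairs (CRPs) recorded before the unit ships."""
    def __init__(self, threshold: int = 64):
        self.threshold = threshold  # max Hamming distance accepted as "same die"
        self.crps = {}              # device id -> list of (challenge, response)

    def enroll(self, device_id: str, puf: SimulatedPUF, count: int = 4) -> None:
        pairs = []
        for _ in range(count):
            challenge = secrets.token_bytes(16)
            pairs.append((challenge, puf.respond(challenge)))
        self.crps[device_id] = pairs

    def check(self, device_id: str, puf_in_field: SimulatedPUF) -> bool:
        pairs = self.crps.get(device_id)
        if not pairs:
            return False  # unknown unit or CRPs exhausted: fail closed
        challenge, expected = pairs.pop()  # single use, so a recorded answer cannot be replayed
        distance = bin(expected ^ puf_in_field.respond(challenge)).count("1")
        return distance <= self.threshold

def demo():
    verifier = Verifier()
    genuine = SimulatedPUF(b"constructed entropy: die A")
    swapped = SimulatedPUF(b"constructed entropy: die B")
    verifier.enroll("unit-0001", genuine)
    return verifier.check("unit-0001", genuine), verifier.check("unit-0001", swapped)
```

The comparison is a distance threshold rather than an equality test because two reads of the same die never match bit for bit, while a different die differs in about half the bits.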