NSF Awards $10 Million To Protect America's Processors 48
aarondubrow writes "The National Science Foundation and the Semiconductor Research Corporation announced nine research awards to 10 universities totaling nearly $4 million under a joint program focused on secure, trustworthy, assured and resilient semiconductors and systems. The awards support the development of new strategies, methods and tools at the circuit, architecture and system levels, to decrease the likelihood of unintended behavior or access; increase resistance and resilience to tampering; and improve the ability to provide authentication throughout the supply chain and in the field. "The processes and tools used to design and manufacture semiconductors ensure that the resulting product does what it is supposed to do. However, a key question that must also be addressed is whether the product does anything else, such as behaving in ways that are unintended or malicious," said Keith Marzullo, division director of NSF's Computer and Network Systems Division.
Microsoft drops Trustworthy Computing Group (Score:3)
http://redmondmag.com/articles... [redmondmag.com]
Make of these what you will.
Re: (Score:3)
It gets better when eh NSA offers 400 million to open up the backdoors, and hand out the access keys.
Re: (Score:3)
With resistance to tampering it also means that it's harder to find intentional backdoors placed by your favorite agency.
Re: (Score:1)
It has everything to do with trusting the silicon. It is possible to embed covert hardware code into a chip, that activates at zero day, or from a satellite signal, or from a plane that flies by. For instance, in the US more and more of the CNC's and injection molding machines and the like, even for military supply chains, are increasingly manufactured in foreign countries like Germany or Japan, and it's not like we're ever gonna go to war with these countries, right? That'd be nice. But in case the shit hi
Let's Outsource It!! (Score:2)
Conversely it can be done in the US by 1H-B visa holders from India.
Or it could be done by IBM in Zurich or India. If IBM gets a piece of the action, it could be done anywhere. Remember, they no longer report employment by country, so no matter where they say the work was done, big chunks of it cold be done anywhere on the planet.
Remember that Zuckerberg and Microsoft are t
Re:Let's Outsource It!! (Score:5, Interesting)
That's uh, kind of the point of this research. Verifying black box chip functionality is a huge concern for the military, who has a standing policy to use consumer hardware off-the-shelf where possible. With chips made in China and all. Beyond that, there's a big problem in just regular supply runs with counterfeit chips.
Re: (Score:3)
To make my sarcasm more understandable to you, I'm trying to point out that in the US, even national security is sacrificed to the profit motive. This is one of the reasons that US defense (and other critical infrastructure firms) keep being hacked by Chinese and Russian based groups. They don't spend enough money on security because "profit".
The US Chamber of Commerce, one of the biggest and most influential lobbying groups, has successfully shut down any legislat
Where's the rest of the money coming from? (Score:3)
Does four million get even one item on this list?
(from the article)
Combating integrated circuit counterfeiting using secure chip odometers--Carnegie Mellon University
Intellectual Property (IP) Trust-A comprehensive framework for IP integrity validation--Case Western Reserve University and University of Florida
Design of low-cost, memory-based security primitives and techniques for high-volume products--University of Connecticut
Trojan detection and diagnosis in mixed-signal systems using on-the-fly learned, pre-computed and side channel tests--Georgia Institute of Technology
Metric and CAD for differential power analysis (DPA) resistance--Iowa State University
Design of secure and anti-counterfeit integrated circuits--University of Minnesota
Hardware authentication through high-capacity, physical unclonable functions (PUF)-based secret key generation and lattice coding--University of Texas at Austin
Fault-attack awareness using microprocessor enhancements--Virginia Tec
Invariant carrying machine for hardware assurance--Northwestern University
So of course this whole project will need to attract international support from all those other governments grateful that the US role protects the integrity of critical hardware worldwide.
After all, those same governments will probably send their very brightest and most dedicated graduate students and post-docs to the institutions conducting the research.
Maybe they're already supporting it and working on it.
Re: (Score:1)
Which is why a few transistor 80286 for DOS is such a great idea for the military. It can do a lot on the peripheral systems, and the simpler the design, the less its capabilities, the less the security risks. Centrally or in secure locations you can run complex mainframes, that you can inspect and manage the heck out of, but low cost, discardability and security out in the field beg for simplicity in design.
Re: (Score:2)
and the simpler the design, the less its capabilities, the less the security risks
Yup.
Is it mad optimism to suspect that some tiny fraction of the motivation here might not be military but a concern for the integrity of electronic elections?
We're sorry, but ... (Score:2)
... what with the state of education in the US, not only do we not have people with computer talent, we no longer have computer people capable of hacking.
The good news is that all Americans have been removed from the no-fly list.
The bad news is that we're screwed.
The path to higher profits... (Score:2)
Is in outsourcing.... nothing bad can happen if you have everything made in China....
Cory Doctorow had a nice talk on the subject (Score:2)
See his blog post on the War on General Computing [craphound.com]. (warning: video lasts more than five minutes, but it is worth seeing.)
Just another "build me a device that can do anything, except for (<insert feature here>)" action.
Re: (Score:2)
Guns don't kill people, bullets do. (Score:2)
"However, a key question that must also be addressed is whether the product does anything else, such as behaving in ways that are unintended or malicious,"
Like "off label" usage of prescriptions, using a frozen leg of lamb as a murder weapon, or spending money to fund all things evil and destructive? My point is that a product can and will do anything else, such as behaving in ways that people decide and control, be it malicious or mundane. Nobel invented dynamite, should he get his own prize for breakthroughs in bank vaults? This really sounds like a load of toad.
Re: (Score:2)
Re: (Score:2)
Not according to universities.
Wow, a whole $10 million? (Score:5, Insightful)
I remember watching some show on a river in Africa that never makes it to the coast. Every spring it starts as a rushing torrent, but as the thaw ends and the water spreads out it evaporates and sinks into the land, leaving a huge inland river delta.
On can construct a similar imaginary money river for this story. $10 million? It will never see hardware, that money will disappear into the bureaucracy like water into the African plains.
To put this in perspective, $10 million is what, one hour of iPhone sales? That's how important the NSF considers this?
Re: (Score:2)
Re: (Score:3)
I suspect Intel spent $10M on chip R&D while my coffee was brewing.
Re: (Score:2)
And that's only part of it.
A set of basic masks for an IC costs around $1M. Very basic 2-metal process that is.
Each mask is around $100K to produce, which is why in semiconductor design, there are piles of unconnected transistors and gates that are fabbed into every IC so small revisions can be done by changing the metal layers of the mask only - minimizing the number of mask changes minimizes a huge expense.
A modern IC generally is at l
Re: (Score:1)
Except none of this research is making production processors. Do you have any concept of how university research works? Do you think MIT is spitting out production quality processors? No, because it's idiotic to spend a hundred million dollars to develop something that will never be used or make money. They instead design algorithms, test in simulation, and publish. Then, in five years, Intel puts it in the 5nm Running Bear Lake or whatever they are going to call it.
Re:Wow, a whole $10 million? (Score:4, Insightful)
Re: (Score:1)
It'll cost as much as it takes for the politicians who sponsored it to become wealthy enough to retire.
Re: (Score:1)
The show was probably about the Okavango River [wikipedia.org] which empties into the Okavango Delta in Botswana.
You're right, none of the water makes it to any sea or ocean. Some of it simply evaporates. However, the majority of the water allows for a thriving ecosystem to exist in an otherwise arid region.
Include this into your analogy as you see fit.
$10m or $4m? (Score:2)
One of the first things they are going to research is how to properly add numbers.
Wow! $4 Million Dollars! (Score:2)
Dr. Evil would be proud.
Do you guys realize how minor this money is? Do you know how much research costs? Basically, this is an amount that would run one decent sized lab at a research university for maybe a year. If these are the grants we're crowing about... well, I guess it's a start.
$10M a year for five years might be reasonable to get some traction on the problem. All this will do is fund a few papers which will probably disappear. That grad students and post docs will survive another year, I guess, so
Trustworthy ... (Score:2)
How do I know that some microcode hasn't been added to the CPU/GPU I've got plugged into my motherboard? Is there some sort of independant auditing process in place? Not that this would do any good. Customers of components like FPGAs have demanded methods to secure their device code from illicit inspection and copying. And any audit process would be indistinguishable from such inspection. So that isn' going to happen.
If you buy a router, how can you be sure that a
this will do no good, unless... (Score:2)
Great will they be built here? (Score:1)
Do the research here then send the details so they can be subverted... Oops I meant manufactured in China. That'll do a lot of good.