36C3: Open Source Is Insufficient To Solve Trust Problems In Hardware
How Betrusted Aims to Close the Hardware TOCTOU Gap
While open source is necessary for trustable hardware, it is far from
sufficient. This is because “hashing” hardware – verifying its
construction down to the transistor level – is typically a destructive
process, so trust in hardware is a massive time-of-check/time-of-use
(TOCTOU) problem. This talk helps us understand the nature of the TOCTOU
problem by providing a brief overview of the supply chain security
problem and various classes of hardware implants. We then shift gears to
talk about ways to potentially close the TOCTOU gap, concluding with a
curated set of verifiable components that we are sharing as an open
source mobile communications platform – a kind of combination hardware
and software distribution – that we hope can be useful for developing
and deploying all manner of open platforms that require a higher level
of trust and security.
The inconvenient truth is that open source hardware is precisely as
trustworthy as closed source hardware. The availability of design source
only enables us to agree that the designer’s intent can be trusted and
is likely correct, but there is no essential link between the hardware
design source and the piece of hardware on your desk. Thus while open
source is necessary for trustable hardware, it is far from sufficient.
This is quite opposite from the case of open source software thanks to
projects like Reproducible Builds, where binaries can be loaded
in-memory and cryptographically verified and independently reproduced to
ensure a match to the complete and corresponding source of a particular
build prior to execution, thus establishing a robust link between the
executable and the source.
Unfortunately, “hashing” hardware – verifying its construction down to
the transistor level – is typically a destructive process, so trust in
hardware is a massive time-of-check/time-of-use (TOCTOU) problem. Even
if you thoroughly inspect the design source, the factory could modify
the design. Even if you audit the factory, the courier delivering the
hardware to your desk could insert an implant. Even if you carried the
hardware from the factory to your desk, an “evil maid” could modify your
machine. This creates an existential crisis for trust – how can we know
our secrets are safe if the very hardware we use to compute them could
be readily tainted?
This talk addresses the elephant in the room by helping us understand
the nature of the TOCTOU problem by providing a brief overview of the
supply chain security problem and various classes of hardware implants.
We then shift gears to talk about ways to potentially close the TOCTOU
gap. When thinking about hardening a system against supply chain
attacks, every component – from the CPU to the keyboard to the LCD –
must be considered in order to defend against implanted screen grabbers
and key loggers. At every level, a trade-off exists between complexity
and the feasibility of non-destructive end-user verification with
minimal tooling: a system simple enough to be readily verified will not
have the equivalent compute power or features of a smartphone. [etc., etc.]