"Designing and implementing malicious hardware"
Ed Gerck
edgerck at nma.com
Mon Apr 28 14:04:34 EDT 2008
Leichter, Jerry wrote:
> I suspect the only heavy-weight defense is the same one we use against
> the "Trusting Trust" hook-in-the-compiler attack: Cross-compile on
> as many compilers from as many sources as you can, on the assumption
> that not all compilers contain the same "hook".
>...
> Of course, you'd end up with a machine no faster than your slowest
> chip, and you'd have to worry about the correctness of the glue
> circuitry that compares the results.
Each chip does not have to be 100% independent, and does not have to
be used 100% of the time.
Assuming a random selection of both outputs and chips for testing, and
a finite set of possible outputs, it is possible to calculate what
sampling ratio would provide an adequate confidence level -- a good
guess is 5% sampling.
This should not create a significant impact on average speed, as 95%
of the time the untested samples would not have to wait for
verification (from the slower chips). One could also trust-certify
each chip based on its positive, long term performance -- which could
allow that chip to run with much less sampling, or none at all.
In general, this approach is based on the properties of trust when
viewed in terms of Shannon's IT method, as explained in [*]. Trust is
seen not as a subjective property, but as something that can be
communicated and measured. One of the resulting rules is that trust
cannot be communicated by self-assertions (ie, asking the same chip)
[**]. Trust can be positive (what we call trust), negative (distrust),
and zero (atrust -- there is no trust value associated with the
information, neither trust nor distrust). More in [*].
Cheers,
Ed Gerck
References:
[*] www.nma.com/papers/it-trust-part1.pdf
www.mcwg.org/mcg-mirror/trustdef.htm
[**] Ken's paper title (op. cit.) is, thus, identified to be part of
the very con game described in the paper.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list