Schneier on Security
A blog covering security and security technology.
« Cryptographic Blunders Revealed by Adobe's Password Leak |
| Microsoft Retiring SHA-1 in 2016 »
November 13, 2013
Another QUANTUMINSERT Attack Example
Der Spiegel is reporting that the GCHQ used QUANTUMINSERT to direct users to fake LinkedIn and Slashdot pages run by -- this code name is not in the article -- FOXACID servers. There's not a lot technically new in the article, but we do get some information about popularity and jargon.
According to other secret documents, Quantum is an extremely sophisticated exploitation tool developed by the NSA and comes in various versions. The Quantum Insert method used with Belgacom is especially popular among British and US spies. It was also used by GCHQ to infiltrate the computer network of OPEC's Vienna headquarters.
The injection attempts are known internally as "shots," and they have apparently been relatively successful, especially the LinkedIn version. "For LinkedIn the success rate per shot is looking to be greater than 50 percent," states a 2012 document.
Slashdot has reacted to the story.
I wrote about QUANTUMINSERT, and the whole infection process, here. We have a list of "implants" that the NSA uses to "exfiltrate" information here.
Posted on November 13, 2013 at 6:46 AM
• 51 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It is "Spiegel", not "Speigel". ;-)
Congrats just on getting documentation!
It's far more sophisticated than merely "bricking," a mobile device.
Exploiting web browsers appers popular with the theives be they paid by their ill gotten gains or if paid by a government extorting ill gotten taxes from citizens.
Perhaps it's time we rethink the way browsers work.
Linkedin/Slashdot were for user identification.
You identify your target, and you parse the HTML enough to determine if its your target visiting the page (both have lots of such information). That allows you to identify the user's cookies, so a subsequent request you then packet inject your redirection to a FOXACID exploit server.
It allows you to nail your victim when they are not at work, or to nail a specific victim (rather than everybody) within the work network. It will even work behind a NAT/proxy, since you have the distinct user's cookies to attack with.
@ Roland Giersig
"It is "Spiegel", not "Speigel". ;-)"
Maybe "Spei..." (say "spy") was a Freudian slip.
Or not. :-)
A provocative thought:
Snowden at some point said that he could have wiretapped anyone's e-mails, including the president's personal account.
Now imagine he also had access to QUANTUMINSERT and some way or another managed to successfully use it against some of his NSA colleagues to compromise their systems, gain elevated access privileges and siphon off documents and information he normally would never have been able to get at. How totally wicked would that have been ? As well as a nice alternative for the bizarre story that he talked 20-25 people into handing him their password.
One difference between linkedin and slashdot is that the first forces https and the second forces http. Of course the server using https isn't much help against malicious link insertion unless the browser knows to force https, but some do.
LinkedIn uses HTTPS for login, but once you are browsing itself, its back to plain old HTTP.
Any chance of studying one of these FOXACID machines in the wild? It would be interesting to see if there are anything that could be used to detect one (e.g. cert weirdness, response time anomalies, etc.).
Perhaps if tell-tale malware could be detected after the fact. Can Belgacom or OPEC be persuaded to donate compromised machines to researchers?
What I would love to see is a way to do permissions and isolation on the subroutine level. Macros, scripts, anything that's potentially untrusted should have kernel-managed isolation turned on with just a property on the function. Not sure how this would actually work in practice, but if we ever want to put a serious damper in exploits, I think it's a necessary step. This is on top of application-specific permissions; no reason my browser needs to be able to read my gpg keyrings.
NW: thanks for the correction.
@ Clive @ Dirk
The same goes for cookies, and turn OFF cookies and delete all cookies after closing Gmail. My late brother-in-law had an opinion of cookies that was at once spot-on and hilarious. "Did a sales person in a traditional store ever observe you closely and continuously, scribble cryptic entries on Post-Its, and stick each Post-It on your body? How rude would that be?! Same with cookies; store 'em on your own hard drive!"
My *nix systems have no Java. Nor do they have Flash. I *read* news, interviews, opinions, stories, etc., on the web; the only moving pictures I watch are on the television. It chaps my butt to follow links to a story, only to find a video, not a transcript.
@ Nicholas Weaver
Excellent article and good analysis of their capabilities. The only thing I'd dispute is the conclusion you reached about encryption being the solution. The actual problem is that the protocols/libraries/standards that power most of the Internet are vulnerable to TLA's on multiple angles. Add to that the centralization in protocols like DNS and the CA's. Changing the situation will require dealing with all of that.
However, I've always advocated removing the low hanging fruit for attackers across the board as the first step to more secure computers. Better encryption and authentication of existing protocols can certainly help. Cookies are another problem that should be replaced, damage limited, or phased out. All native code executables interpreting web activity should be armored against code injection at a minimum (e.g. Native Client SFI) and at a maximum be designed for isolation of different domains/components (e.g. OP-style browsers). Application-level security in-page a la NoScript. Finally, the platforms themselves should have both a trustworthy boot process and be able to use it for recovery media in event of suspected compromise.
These are the most minimal requirements for safe[r] online activity. Not a single existing option meets all of them far as I know. Yet, without addressing their major areas of attack, all the crypto in the world won't save you when they rootkit the computer via unsafe protocols or code in the system.
apparently Charles Stross is upset that they're stealing all of the good code names for his next book in The Laundry series
"If you have Java or ActiveX enabled, you're doing internet wrong."
Anura, others, I do realize that you're the very most knowledgeable and select of internet users. Even I qualify as above average for using Noscript and toggling a few "always delete history" buttons on every browser I use.
However, if you aren't thinking universally in terms of better security for all users -- for making privacy and security de facto and normative for the vast majority...........
then you're doing the internet wrong.
Flippant contempt for present normative practices is common among you techno-elite, and utterly besides the point. Java-enabled is the way most people function on the net, day in and day out. It's forced upon them.
I.e. In the U.S., it's impossible to use mandated middle school websites without it. If my daughter wants to complete homework assignments, I must disable damned near ever sort of protection on my browsers. Sometimes I can't even find every change I need to make in order to be naked enough to please these sorts of websites. Commercial sites are nearly as bad, and critically important for functional life if you're a working parent.
The basic usage paradigms need to change. Chit-chat about the "lameness" of the average user is a distraction. Techno-Brahmin huffing about his hapless stupidity isn't productive, isn't right, and it's so common you hardly see the damage it does to your own perspectives.
Your implicit disrespect for them is perfectly analogous to the disrespect afforded you by the security state elite. Do you really like your particular location on life's totem pole?
I shouldn't post here; all I do is scold and I have no technical expertise. But, this crap edifice we all function with was built by a subculture that made (and makes) some severe mistakes about humanity, dignity, and the worth of the average guy.
Fluffy: hear, hear!
Just to be clear, I'm not saying JS is a necessary part of a semantic and asynchronous web; just that it is the only universal solution today, which is why it is virtually required to navigate any modern website.
As a developer, I frankly refuse to waste my time catering to the tiny fraction of a tiny fraction of users who run plugins like NoScript: they simply aren't worth my time. And anyway, that time would be better spent advocating for and developing secure technologies that replace insecure technologies without sacrificing functionality.
ActiveX is even less common, as it only works on Internet Explorer. I don't think I've ran across a site making use of that in over five years; however, IE still has it enabled by default (although it requires a prompt).
It's also a good idea to disable the Acrobat plugin; PDFs can be downloaded and prompted to load, instead of loaded automatically in the browser. It's just one more point of attack for no gain; I've had it disabled for 5-10 years now, since in the past it would simply crash my browser.
A while back I mentioned the disappearance of one of Bruce's books (I purchased more than two in the last five years. Today Monty Pythons' Holy Grail went AWOL with a neat error message saying the video had expired, and, summarily removed from my device. But, the backstory is starting to move forward. The process is being reniced and moved to the foreground. Event delivery across the comms can be expected. I'm forewarned and am exercising diligence and awareness.
What about running the browser in a VM / sandbox? Presumably that would somewhat mitigate these attacks. Especially if you spin the VM up and down every time.
I know I'm simultaneously using 4 physically different devices when web browsing just to try and limit the information flow. But Fluffy raises an interesting question about what good is this level of personal security on my part, when the vast majority of web users run without any protections what-so-ever. Even if they try to use Noscript they'll turn it off eventually because some web sites (like Gmail, I believe) will not function at all with NoScript running.
This is precisely why I was saying email encryption is useless because most mail recipients are not running computers that are even remotely secure. If they are "interesting" or their friends are "interesting", then they are compromised its that simple. Whatever mail I encrypt leaks from their machines just as surely as if I had left it as plain text (probably quicker because encryption nurtures the false hope of real message security)
The perverse side of this problem is that the more cyber secure I become the more I personally stand out from the crowd and more resources, at both corporate and state levels, are devoted to compensate for the lack of data flowing into their databases from their normal sources.
Flippant contempt for present normative practices is common among you techno-elite, and utterly besides the point.
I wouldn't call it contempt. The simple fact of the matter is that these technologies - however ubiquitous and normative - are among the most common internet attack vectors and are actively exploited not just by state actors, but just as well by script kiddies, black hats and organised crime. Some of us may at times convey this message in less than optimal ways, but it doesn't quite change the reality of its content and the risks associated with unmitigated use of thereof.
Ultimately it is up to you. You can take the red pill or the blue pill, but what you choose is your choice.
+1 on most of that comment esp relying on the physical security instead of software-based alternatives
" Even if they try to use Noscript they'll turn it off eventually because some web sites (like Gmail, I believe) will not function at all with NoScript running. "
That's not how NoScript works. When you need scripts, you have several options:
1. Allow one or more specific domains to execute a script on a page.
2. Allow all of a page's scripts.
3. Allow scripts globally (marked as "dangerous" in parenthesis).
Most of the time a script heavy web site will work if you say allow all this page. Worst case, which I can't recall running into, you can temporarily allow all scripts, then afterwards turn that off. People who want to put more effort into it can selectively enable scripts for certain web sites until they hit the sweet spot where the content displays, but nothing else runs. IIRC, there are even site-specific profiles and a community around making them. It can also be combined with things like sandboxing (Sandboxie is well-tested), CFI, virtualization, etc. Finally, the location to do all the common actions is an icon next to the address bar.
All in all, it's a well-designed solution that's easy to get plenty of benefit from even for lay users. A friend of mine on their support forums said he's taught plenty of lay people to use the more advanced features. I can only imagine that "allow this site" is even easier. So, it's certainly a nice solution for web application layer security at the client that let's people make their own tradeoffs.
Hell, I'm using it right now. :)
The biggest problem is with web-developers not using it for development. Get basic functionality down first and foremost, then add optional fancy JS wherever you like.
If absolutely necessary to get the job done, please serve your scripts from a singular static domain!
"If absolutely necessary to get the job done, please serve your scripts from a singular static domain!"
I feel your frustration. Worst part of advanced NoScript usage is figuring out what combination to turn on or off. It's also aggravating to see scripts from over half a dozen domains I've never heard of to access a piece of content with no embedded rich functionality. (grits teeth)
1. They're the personal property of the creator.
2. Their standards of operation respond to demand.
The current situation is simply a product of site owners' freedom and the public's demand. Until the public demands (with their wallets) security, we won't see the market place provide it. Until the govt mandates a baseline, we won't see companies reluctantly provide it.
--You may like this: --http://barracudalabs.com/2013/11/yesterday-on-cracked-com-malware/
--Yeah, you'll get your functionality and a nice virus. It'll enjoy the functionality of your pc.
I'm just sick and tired of bloated garbage I don't want on my pc, pre-loaded crap, way too many peripherals I never use. Lately, I'm finding myself attracted to graphing calculators...
Dick I mean Nick P (joke)
It's a "Fat Bastard" "Infinite Loop" problem we find ourselves in. We don't demand new alternatives b/c they don't exist, and we don't make new alternatives b/c there's no demand for them. Kill it w/ fire 'cuz it sucks.
It's the family that has problems with Noscript I find it very easy to use, they find it incomprehensible and an unnecessary limitation, different stroke ..different folks I guess. However it does create an ongoing problem for me to keep their computing resources completely separate from mine. Naturally they think I'm just being plain mean when I refuse to let them use one of my PC's and refuse to let any of their USB memory stick anywhere near my stuff.
Good Opsec is hard work. My wife also seems to believe that no harm has been done if the computer didnt actually self destruct when the USB stick is inserted.
"It's the family that has problems with Noscript I find it very easy to use, they find it incomprehensible and an unnecessary limitation, different stroke ..different folks I guess."
"Good Opsec is hard work. My wife also seems to believe that no harm has been done if the computer didnt actually self destruct when the USB stick is inserted. "
You have a wife casual about security and maintain OPSEC/INFOSEC on four devices. That must be fun. ;) Btw, unless it's confidential, what's your spread of use cases or functions across the four? (eg why four) My old paranoid setup had one that was very isolated, one for benign apps, and one for risky stuff with a KVM switch to add ease of use. All were hardened to varying degrees with lots of work into a clean backup process. Worked well enough.
"Dick I mean Nick P (joke)"
Ha. Playing devil's advocate I can come off that way but someone's gotta show their di... err, "willingness to question the status quo of a particular debate" every once in a while.
" And if you call it a "solution", it's a hacky fragile solution; that will end up wasting more time than it's worth."
@ The Message...
What's knowing the internal details of a particular service/site have to do with creating an alternative with comparable content or features? Nothing. If markets do anything, it's incentivize people to create compelling alternatives to the No 1 in any particular category. If none are showing up or succeeding, that usually says something about demand: nonexistent or very weak.
re point 1: they can reach consensus's and critical masses though. Enough people care about something, someone will offer it for fame or fortune. It's a pattern that keeps repeating itself esp in a market economy. Govt intervention, mainly I.P. enforcement, is the largest potential obstacle here for tech imho.
"2. (see point #1) in at least USA the situation is as follows:
I'm going to ignore the fact that, in those situations, the public isn't the market: the advertisers are. The public is merely "the product" (source: Schneier). I'm not a fan of that particular choice of the majority. At least, I'd have preferred more safeguards or legal protections. Yet, even with advertising models, the users as a whole have ways to get site security or non-JS into play:
2. Specifically use sites that take a safer approach and let them know that.
3. Pay sites that put premium effort into security. (Lavabit's model.)
4. Push lawmakers to pass some kind of law regarding it, such as liability for site owner in event of JS-based threats.
Now it's s*** we must live with. :(
@Figureitout - I feel your pain man and totally agree.
* My bandwidth, my electricity, my compute power. Therefore I'll decide who it's working for. If someone's business model depends on using my compute power beyond an HTML-compliant browser to deliver their solution then that's going to be a problem for them, not for me.
Probably web-designers rely more on higher-generation solutions that often inherently require JS for lower level functionality that /they/ depend on. The more layers the more ingrained the requirements.
For server farms it's a godsend; make the poor schmuck on the remote serve up the compute power needed to do gimmicky eye-candy things that they are probably no happier for seeing.
If a website requires JS, it won't load on my system since Squid won't even /load/ JS pages except for very limited exceptions.
Anyway as many here have said, or at least not disagreed with, JS is pants and Java is for 'phones. HTML worked fine for years until the hucks turned up and started stinking the web out with pages of virtually zero original content. I was gifted a subscription to W*r*d many years ago. In the first issue I counted seven pages of actual content (which in itself was thinly veiled advertising for a product) and the remaining 200+ pages were ads or fluff. The web is the same now and JS has made it possible to distract people from this fact.
NSA and GCHQ are beginning to sound like a vast criminal enterprise.
In the name of security they claim an inalienable right to secrets and deem everything they do is "legal".
What they do is legal simply because they say it's legal.
At least 99% of the legislators involved in cyber law have no clue what they read or vote on. Also, laws are written by the agencies, lobbyists or defense contractors.
Brit spies appear to have it even easier. Brits seem to wallow in fear, secrets and spying.
It is likely any new law in the USA will make matters worse. The title may be "STOP NSA SPYING on AMERICANS", but somewhere in the 600+ pages of legal gobbledygook will be express permissions, exemptions, exceptions and double talk allowing them to do whatever they want, "legally".
I think it's very sad our country which once was the light of liberty and freedom has declared cyber war on every living person on earth.
It's a war with no chance of victory or peace. It is what it is.
"We have met the enemy and he is us."
It's the problem with law. Ideally a legal statement would be as concise and brief as possible.
However the briefer it is the more likely the concision is to be undermined by interpretation.
Objectivity gives way to subjectivity and relativism gains ground over fundamentals.
At least, this has been my experience.
Re: your family using your 'puters.
How about putting a HD dock in one system and supplying a HD in a tray, for family use. Put your HD in a second tray and store it in a safe place.
That kind of setup works well here. When someone buggers his system (HD) - which does happen, with stunning regularity - nobody else is affected. This modus was a natural result of my desire to keep my own multiple OS's firewalled from each other. (My greatest fear was that a Windows would touch some other file or file system in an icky way.)
"In the first issue I counted seven pages of actual content (which in itself was thinly veiled advertising for a product) and the remaining 200+ pages were ads or fluff. The web is the same now and JS has made it possible to distract people from this fact."
Very well said. It's why I thought Consumer Reports was so refreshing: pay a little over 20 bucks, then get useful content regularly for a year instead of tons of ads. New Scientist is another one packed with content although I think it does have ads. Can't recall cuz it's been a while. Pop Sci had plenty of ads but also had about as many pages of content so it wasn't so bad for me. That's a tradeoff I tend to accept as turning a page or hitting "x" to get to something worthwhile isn't so much trouble.
(Wired, the "men's journal," etc. Don't get me started on those whopping encyclopedia's of advertising pieces. F*** that.)
So, in light of my previous comments, I don't read or use any site that overloads me with ads. Magazines either. I have alternatives for most of them. The one exception is YouTube. There's so much useful/enjoyable content on there and their ad system is so thorough that I usually have to just suck it up. Course, if I am hit with a forced ad, I don't quit being a rebel there: I mute it, look away from the screen and count until it's probably gone. Or do something else in another tab/app. So, at least they had no effect on me other than inconvenience.
Why Four personal Pc's?:
Basically its what I have available at home. When travelling I reduce it to three devices. Two pads and one laptop.
At home I have one laptop that is for general web browsing and some garbage email accounts. the main hardening is visualization and sandboxing. Basically make sure that nothing on the computer is what it seems to be when viewed from the outside.
I have two laptops devoted to private / business email and other forms of personally identifiable communications. I do this because I'm very concerned with limiting the whole picture. TLA's and commercial entities want to develop as comprehensive a picture as possible so being a mean SOB I'm actively denying them. I also think it is the only safe way to avoid phishing attacks, especially from malicious business insiders. These 2 devices are only ever operated through VPN's which I've setup and control.
I have one old desktop, very minimally configured and hardened, I devote this device to anything I think could be risky. For this device the bios cant be changed and I have images of the HD which I regularly restore. If in doubt I boot it from a live CD.
All real work that I do at home is on an isolated computer system, IMHO the less I say about that system the better its security.
"How about putting a HD dock in one system and supplying a HD in a tray, for family use. Put your HD in a second tray and store it in a safe place."
Ahhh NO I dont think that'll cut it. I guess it all depends on how active and ongoing a target you personally are. I wouldn't think I'm that interesting a target for persistent attacks, but experience definitely suggests otherwise.
--Sorry you feel my pain...my poor computers are zombies and they get treated very badly...They want to be put out of their misery. I want to build my own (I found a model that I want to try. and I know you like layouts, so pretty) to do calculations but I don't even know where to get trusted chips.
Not only are they stealing your bandwidth, cpu cycles, and power. Maybe your *data* (duh) and even worse using your machine to commit atrocities and plant false evidence on your pc.
If you want to read Wired magazine, just go to a shop that sells them, there's a "megastore" that kills all local business so I feel no guilt going to read the magazine off the bookshelf in the store then placing it back when I'm done. I even took out all the "subscriber cards" and trashed them. Get a subscription to QST, since you showed some interest in radio; I would give them to you but we're internet strangers. There are some neat articles, but even they have quite a lot of ads...at the end. What's messed up is they're trying to sell factory made "perfect digital" radios, when what made amateur radio so great is people literally built a radio from scratch.
--While I agree w/ some of your points, please don't label us (or me at least) as "techno elites". First off everyone has weaknesses so the only way to mitigate some is to not use them. There's a difference between demanding and getting respect for yourself and thinking you're better than someone. I've made friends w/ people all over the world, I don't care where you're from, what you look like; so long as you have basic respect and manners to me.
I'm so f'in poor now though so I can't really help all the homeless people and charity organizations pan-handling for money. It really makes me mad that a company like Lowe's hardware store would ask every customer if it wants to donate a dollar "for the children" when they'll take credit for donating that money. While rich people don't give their money to people who are dying everywhere.
Interesting. All seems reasonable and wise. Quick question: how do you keep the BIOS from being altered? I remember older computers had jumpers and BIOS settings to that effect. However, with the proliferation of software/firmware control of hardware, I was curious what your opinion is about BIOS protection in modern chips (UEFI and non-UEFI).
Is there an easy way to maintain BIOS integrity that isn't software bypassable? The ROM Primary BIOS + Flash secondary BIOS trick in chromebooks is a nice concept that I'm a fan of. But, if we're talking the kind of systems most people will be acquiring (that aren't chromebooks), what are the options for protecting the BIOS? Or easy route to robust BIOS/firmware in a special purpose, embedded device?
I figure you've had to solve this problem more than once in your line of work and might have interesting ideas, some which can be made public. ;)
(Note: this is actually relevant to the blog thread as all the software protection in the world won't help if they can attack the BIOS. The BIOS is a root of trust imho that, if strong, can be leveraged to great effect even without a TPM or secure coprocessor. They're just too damned vulnerable on most systems so if you have a secure OS, NSA might have an attack below it. Most BIOS protection is also ad hoc, although there is an NIST guide on it now.)
@Nick P - had to laugh at the "look away from the screen until they're probably over" - I do that too; refuse to even give the sublims a chance.
The ASAP has a very sweet layout - for those of us who like circuits that can be soldered by humans if required. Reminiscent of the Superbrain and the UK-101. The thing about TTL logic is those chips are getting scarce and that drives up the cost of such projects. If speed is not an issue, some of those things can be replaced by microcontrollers masquerading as them with suitable code.
Funnily enough, I'm working on my own project in a similar vein. I'm building a sort of CPU running my variant of FORTH in dense bytecode atop a cluster of microcontrollers. SPI networking between the uCUs and flexible task assignment. It'll never break any speed records but uCs are about $1 apiece and flat out at 16 MIPS use about 10mA each. They need virtually no support circuitry and can be proto-boarded easily onto the bus. They'll all run the same FORTH primitive kernel cut in asm by hand and implement a bignum stack. I'm waiting for important parts to get the main together and begin unit testing. If I don't let the magic smoke out and it all works I'll drop a detail link for interested parties.
I did this; (1) to investigate other forms of CPU that are more independently parallel (2) for the fun of it and (3) for a simple system that has no hidden variables. The last reason is (adjusts shiny hat) a result of hanging out here with you lot.
I agree with you that building things from scratch is what makes the whole project worthwhile, tremendously interesting and fun, and deeply educational. My knowledge of electronics is pretty poor but it's improving because of this and other mini projects. Modern devices are becoming the exclusive domain of fab-plants which, whilst it makes them cheap, teaches us DIY types nothing useful and makes them very black-boxy which I for one find unsettling. Admittedly uCs are a bit black-boxy but the older ones, I beleive, can be trusted (Microchip's 16F and 18F lines in this case).
I just noticed a strange phenomenon when I loaded this:
Specifically, my browser shows a broken lock icon, indicating that the Secure HTTP session... is not.
I always pull up the main page first. I load the Comments of any thread in a new tab. The main page of this blog has always come up Secure, and I have never noticed that a Comments page failed to come up Secure.
Could be my browser, I guess; it does have some warts.
I've noticed this recently too. Lynx through squid used to work - now it warns me that it can't verify the CA and bombs unless I unset https_proxy.
@ Nick P,
Is there an easy way to maintain BIOS integrity that isn't software bypassable?
It depends on the chip... an old style EPROM requires a high voltage generator (12-15v) to put write pulses on the Vpp line (pin 1 on 28pin JEDEC pin out) without which it cannot be re-programed. Most other xROMs require a write/ line to be actioned taken low pin 27 on 28pin JEDEC) a small amount of PCB surgury with scalple or hot iron will often break the connection.
On my older boards I've taken the ROMs off and soldered turned pin sockets in and put the ROMs back with the appropriate pin disabled.
"how do you keep the BIOS from being altered?"
Clive beat me to the answer, on older EPROM's and Flash there is always a VPP pin (usually goes to something like 12V) if you remove / cut this pin than it is impossible for the device to be reprogrammed. This high voltage is needed to induce Fowler-Nordhime tunneling, which is the form of electron tunneling fundamental to the operation of all EPROM, EEPROM devices. Flash devices normally use a different mechanism called "Hot Hole or Hot Electron" injection but this also requires a High voltage, usually greater than 6 volts. these days this voltage is normally generated on chip with a circuit called a voltage multiplier. This consists of two or three external Capacitors that are charged to the highest available voltage and then successively added to double, triple or achieve even higher multiples of the original voltage. These caps are always external (for any serious amount of non volatile memory) because it takes a lot of power to program a Flash.
If you remove one side of the switching Cap or simply ground it then the multiplier circuit can never generate the required voltage so it can never reprogram.
--Sounds awesome! I'm an interested party for a link sometime. I'll look for you on hackaday. :)
@ Clive, RobertT
Thanks for the tips. Now, I either need an old chip, a college EE major to help me rig a newer one, or something custom. Swell options. ;)
Whilst you can get 74xx chips including the 74181 the price you are going to pay is disproportianate to their functionality and speed.
For instance you can replace the 74181 functionality entirely with a RAM chip you pre-load with a table and get considerably higher clock speed. Or replace it with a small (PIC) microprocessor or a Programable Logic array like a 22V10.
You should however implement micro code of a "standard" CPU you can get an emulator for that runs under *nix or Windoze.
You could do as Charles Moore did and thats use a DSP chip to implemement a Forth engine, you thus need to only to microcode up 29 basic instructions that makes it an X-RISC processor (ie eXtreamly Reduced Instruction Set)
If you do decide to do a "go it alone" design the bit you need to optomise beyond all others is the Adder Carry to give minimum delay, there are various "fast adders" and surprisingly it is still an active research field especialy when considered as part of a multiplier.
And for some reason they never realy talk about multiplier types in tutorial books... They are all integer multipliers plain and simple with two N-bit inputs and one 2N-bit output that needs to be mapped onto an N-bit bus. If the 2N LSB maps directly to the bus LSB it's a standard interger multiplier with the assumed "point" to the right of all LSBs with all numbers less than 2^N. However if the 2N MSB maps to directly to the MSB of the bus then the point is assumed to be to the left of all the MSBs and therefore all numbers are less than 1. If the mapping is somewhere in between as is seen in some DSPs it's a real pain. The choice of which way to map is very dependent on what you intend to do with the ALU, if mainly scientific calcs then go for the radix point to be left of the MSB as this makes floating point calcs and normalisation easy, however it makes crypto long integer math harder which favours the radix point to the right of the LSB. You could of course use a MUX (or barrel shifter) to make the ALU do either however it uses a lot of gates and much worse adds gate delay times that slow your basic clock rate down. Which is why some ALUs use two N-Bit registers and other logic to catch the full 2N-bit output and let the programer decide which half they want to drag onto the N-bit bus or use for branching conditions.
Which brings up another issue to use conditional branches/jumps or conditional skips and jumps. The norm is conditional short branches and long jumps, however this makes the microcode more complex, increases the gate count and slows both instruction decode and gate propergation time slowing the clock rate and thus though put. Conditional skips are very fast and use little microcode or gates and are easy to pipline and thus increase throughput, however from the programers perspective they use backward logic which causes bugs to arise due to faulty thinking (ie branch on less than is not skip on greater than, but greater than or equal to...).
You also have to chose what extra instructions to include, the 6502 had BCD instructions and others had bit set/clear instructions as well as branching on bit state. Some specialised computers used by the intel community had not just parity instructions but also voting instructions.
It's upto you but you need to have in mind what you want the CPU to do prior to putting pencil to paper.
Then there are architectural descisions involving not just pipelining but also how instructions are decoded from my experiance the best way to go is a very minimal highly optomised RISC core which is then wrapped in a CISC outer layer that you can change at will. Further make the core Harvard based, von Neuman sharing of busses needs only be done at the outer bus interface layer. Whilst it appears Harvard would use twice the gates, it actually does not due to the swings and roundabouts nature of instruction decoding. Further Harvard if done properly can not only double the throughput at the same clock rate it also reduces inline gate count allowing the clock to be faster thus increasing throughput further. Also for some types of system (DSP / embedded) a full Harvard architecture offers a significant increase in security if used properly.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.