Schneier on Security

Nick P • December 6, 2013 10:38 PM

@ Figureitout

It's a decent idea. Last time I discussed the concept here, I mentioned that the trusted path/device could be something like one of the old electronic organizers. They were easily pocketed, cheap, easy to type on, and had decent sized screens. Seems like an ideal starting point for an authentication device so I included it in my "transaction appliance" for banking.

Such a simple hardware base (maybe with updated CPU) would be much safer than one with all the buzzword technologies.

Nick P • December 8, 2013 10:44 AM

@ figureitout

"Also those efforts take heat off other projects as agents target it."

I gotta give you props for thinking of that angle. I totally forgot about that as a strategy in security-critical development. Yeah, maybe the riff raff should keep using riff raff tech. Such distractions could buy real engineers time to get their products ready for the battle testing that follows deployment.

@ mesrik

Thanks for the presentation.

@ audio air gap jumping malware link

We get it. That research has been posted here about half a dozen times. Unless I missed another half dozen.

Nick P • December 8, 2013 3:07 PM

@ Adjuvant

Man I haven't used a mailing list in a while. I'm not sure how to send a message to that specific group or if it would go to all groups in "discussion." Anyway, send them a link to this comment if you like. (Link next to my name is for the specific comment.) The following is directed at Almesberger's group although there are readers here that might find it useful or debatable.

--BEGIN REPLY--

As I read the Sep 6 proposal, I must ask one thing:

What are you protecting against?

Every security feature or countermeasure is supposed to aid in dealing with one or more threats. The main threat to authentication on a PC is that it's controlled by malware. This is how most passwords are taken. Subthreats included keyloggers, screen capture, redirection of web traffic, etc. You could say one is the strategy and others are tactics. A trustworthy authentication scheme must succeed even if the user's PC or applications are malicious. There's strong and weak techniques for this.

The hardware safe proposal requires the user (or device) to enter authentication data into a potentially compromised machine. If the user does it, a keylogger still catches it. If the device does it, the opponents adjust their tactics to its input method. The untrustworthy endpoint possessing the sensitive data is still the problem. So, my question could be rephrased as "If it doesn't protect passwords from malware, what security problem(s) are you solving with your password safe device?"

My last foray into this came up with some minimal requirements and a specific proposal:
https://www.schneier.com/blog/archives/2011/06/court_ruling_on.html#c552667

(Note: the comment references a "prior" or "former" solution that someone was griping about. It was just some crap I threw together for fun and should be disregarded. The actual proposal is the one in the linked comment itself.)

Quite a discussion followed with many proposals and comments that your project might find useful. My specialty is high assurance security engineering, particularly prevention. So, it followed that my proposal was a security appliance with minimal TCB, careful software/hardware interfaces, trusted path to prevent spoofing, and all critical operations onboard. I left out other beneficial details as they're trade secrets of mine. "tommy" pushed LiveCD's while coming up with solutions to certain deficiencies. Mark Currie invented a clever USB device that offloaded SSL authentication so that endpoint didn't control SSL session or see passwords. Clive and RobertT also contributed to the evolving designs.

My so-called transaction appliance (needs a new name) had more benefits than its security claims. It was general purpose enough to support many applications: signing, passwords, verifications, machine root of trust, etc. An investment into the base platform could be re-used in the future, saving lots of money. The other is incremental assurance. I learned this concept from 1990's MLS research where they determined a truly secure system was difficult to build up front. So, they decided to build something pretty good out of carefully interfaced parts, then incrementally increase the assurance of the parts over time. This lets them make money off of it which can be put back into assurance building. This strategy can benefit non-profit activities as well.

Regardless of methods, the important thing is your project learns the lessons of the past and achieves the security goal. The security goal is to authenticate on one or more machines controlled by the enemy. The discussion I linked to had several proposals on that. The portable password safe device doesn't accomplish this. If anything, it's most like a password storage and backup device with certain protections in event of theft. Existing software password safe's accomplish that, though, when combined with good host protection measures.

So, is there a goal I'm missing or this this project just for the heck of it?

--END REPLY--

Nick P • December 8, 2013 4:10 PM

Semiconductor process technology points in history and what was made with them.

Hey, RobertT, I think your opinions on this might be valuable. We've discussed fabs before. The good ones are ridiculously expensive. I figure, though, that older style fabs should be cheaper to build and I previously cited obsolete chips for subversion resistance. So, how to fab those or new safer designs without dropping several billion dollars down?

My guess was fabs using obsolete process node technology. I pulled the list below off wikipedia looking at process node levels and what was made with them to assess usefulness. Even 1-1.5 micron are useful for a number of security- or safety-critical applications, albeit very resource tight. 250nm seems very useful for a bit advanced stuff, esp if using dedicated chips for certain things. This is despite one being old and one being old as hell.

So, the question is where can I find out how much each of these type of fabs might cost today and if you recommended just one which would you recommend? Maybe with what strategy to employ? (Or would it be not on my list entirely?)

The List

3 micron (1975): Z80 ZIlog like 8-bit chips.

1.5 micron (1982): included Intel 286 (16-bit, memory managed).

1 micron (1985): included Intel 386 32-bit with virtual memory.

800 nm (1989): included Intel 486, microSPARC, and a 60+MHz Pentium.

600 nm (1994): included first PPC chip and Intel Pentium up to 100Mhz.

350 nm (1995): Pentium 2's, an 8 core microcontroller, and Nintendo 64's chip.

Note: We've hit a point where the process node mades chips good for gaming, desktop OS's, embedded, etc. Might be a good lowest common denominator process node point.

250 nm (1997): DEC Alpha, P2 MMX, P3, Dreamcast SuperH CPU + GPU, Playstation 2's first "Emotion Engine" MIPS chip.

Note: Ok, in one process node step we have *much* more interesting chips getting developed. PS2 and PIII were used in multimedia. So this step is still quite usable.

Skipping 180nm as its just a speed boost according to their list.

130 nm (2002): PowerPC 7447, GameCube's IBM Gekko, Pentium 4 Northwood, Intel Xeon Gallatin, VIA C3 x86, AMD Athlon XP, AMD Opteron Sledgehammer, Russian Elbrus SPARC, Vortex 86SX.

I'm stopping there because my current guess is we're getting close to billion dollar fabs if we go further down. Might have already hit that point. So, 130nm is still highly usable for a variety of performing chips and designs. The micron level fabs should be able to do embedded style chips, including those in motherboards. I noticed yesterday that the PS2 did it's IO on a dedicated processor which was actually a Playstation 1 processor with clock rate tuned way down. That's the kind of smart reuse that homegrown stuff will have to do to keep costs down.

Clive, RobertT, Wael, what you think of all this?

Interesting Sidenote

I accidentally discovered the Nokia 9000 communicator while I was at it. I hadn't started using mobile phones at the time so this is my first time seeing it. Used an AMD 486 chip at 33MHz, 4MB for OS, 4MB for apps/data, had a huge screen, front numerical keypad, flip open keyboard, & supported many useful apps. Despite its bulk and ugliness, I think I just found a new addition to my list of "could make a decent start for subversion free cell phone." I'd swap out certain parts. Maybe even spin it into a trusted coprocessor for a variety of applications, optionally making calls.

I wonder how hard it would be to make a knockoff of that which is cheap to produce and might use those safer chips I've been mentioning. Hell, the simple JOP java processor is three times faster!

Nick P • December 8, 2013 4:28 PM

EDIT to add:

One of my old fab recommendations was just to try to buy an existing one. I'm still looking through resources trying to guess what a modern price would be. Well, I noticed Tower Semiconductor got a 95nm plant from Micron Tech Inc. for $140 million. Everything I listed is larger than 95nm so it seems they should be even cheaper than that. Maybe?

Edit:

One of those on my list, the Renesas plant that made Nintendo chips, closed down because they couldn't find a buyer. They were also planning to sell up to 10 of 18 plants. Might be an ideal time for an enterprising group with a totally different focus (subversion resistance) to take over one or more of these.

Nick P • December 8, 2013 11:12 PM

@ Clive Robinson

"all you realy get is strong typing on simple data types. "

Depending on the language, you might get simple data types, complex data types, dynamic types, stack protection, heap protection, typesafe function pointers, typesafe concurrency, typesafe casts, typesaft linking, typesafe URL construction recently, and so on. The cost along with benefits of type safety varies by language and implementation. For instance, GNAT Ada runs on 8-bit AVR microcontroller and Java is on smartcards. Trick is they use lighter runtime configs for that.

"You might also want to have a look at Forth, when it comes to resources it tends to have quite a few advantages (depending on threading type)."

I'll admit that, despite my gripe, I do keep coming back to it when considering these things. Forth can be implemented easily, it's very cross platform, it's got a code/data flexibility a la LISP, there's tools/code out there, and there's dedicated chips. It just takes a certain mindset to do it right and I didn't think people who can code safely in Java/C#/Python can necessarily code safely in Forth. If you recall, the talent requirement was my biggest gripe.

One of the possibilities I mentioned was using Forth as the target language of a compiler or higher level language. Guess what? Seems someone did that in the govt's OASIS program (whose projects will be in my upcoming paper release too). The problem was making safe/trustworthy boot firmware. Their example was Open Firmware which has a Forth interpreter built into it. So, they made a compiler from a Java subset to that Forth interpreter with safety proofs for the compiler. Safety benefits of Java + efficiency/portability of Forth. Bam!

"(depending on threading type)"

What did you mean by that?

Nick P • December 9, 2013 9:47 AM

@ Bryan, Petrobas

The government is designing secure processors and stacks under DARPA's Clean Slate. They have top groups on it too. Two of them already have prototypes and many details in their papers. OASIS, on other hand, was a program to come up with mechanisms to build intrusion tolerant networks and a few other things.

Since there's so much interest, I think I'll do the paper release next Friday in the squid forum. It was just going to have the secure hardware papers I'm referencing and some other min work max payoff tech. However, since Petrobas likes that OASIS paper, I'll throw in some of the other OASIS project deliverables as well.

Nick P • December 9, 2013 10:06 AM

@ Petrobas

"Clive Robinson: "Might be an ideal time for an enterprising group with a totally different focus (subversion resistance) to take over one or more of [these microprocessor plants]"

What would be the best to crowdfund the needed millions ? What country would you like this plant to be moved to ?"

That was actually my comment you were referring to. I'm not sure if you *can* move a semiconductor plant. In any case, the cost of one to buy would be extremely expensive and high to operate. It would probably be a continual loss for whoever acquired it. This means that, if acquiring for security, then it would likely be a group of investors who thought that was worth it. RobertT previously suggested a bunch of smaller countries worried about spying getting together on a fab. That's definitely a possibility. Another is them and private groups like multinationals (or drug lords) funding one that's capable of producing mobile chips as well.

I posted the list of process node tech because I wanted RobertT's opinion. Thing is, there's many types of chips of various sizes and functions. We can't have a fab for every one. So, how many fabs need to be built/bought at what process node tech to get most bang for buck and lowest operating cost? I think this question must be answered before we see progress.

re Forth

Yes, code injection is one of my main worries about a typeless language.It's the main reason C was avoided for most security kernels back in the day. Now, as I write this, I wonder if it might be possible to design a Forth system that loads code at boot, validates it, and then allows no new code in the system. Might be doable.

Nick P • December 9, 2013 7:22 PM

@ RobertT

"The basic problem is that functionality is actually getting cheaper with each new generation of fab, so a z80 embedded somewhere on a 40nm is chip is cheaper than a 3 um stand alone z80 core."

Interesting. Thanks for this and all the useful details.

"The minimum operating costs are probably around $5M/month even for a fab that is free, so you need to generate this revenue from what ever product you produce, just to keep the doors open.

Anyway bottom line is that there is no way to justify owning a fab just so you can be sure of the production flow."

I appreciate the estimate and opinion. I expected it to be over ten million a year but near $60mil would make most rich fat cats spit their drink across the bargaining table. It would definitely need to be subsidized if it were to happen at all.

"BTW ALL subversion of product at the Fab stage is probably done by motivated enterprising individuals without any cooperation from fab management. WHY would this be any different at a fab that you own?"

Because others and I have been dealing with *that* problem for a long time now. Thing is, unless I have a fab or am partnered with one I have no insight into the process *at all.* They can say whatever they want and I'm operating on blind faith. If I can manage personnel, operation, etc., then I take measures that have a shot at working against TLA's. That's a world of difference in assurance.

@ Wael

"I'll need some time..."

Well RobertT covered the price/performance issue pretty well. The remaining issues from all of our fab discussions are as follows:

1. Of existing fabs, which are trustworthy against who and why.

2. Of existing process node tech, which are cheapest to audit by buyer for potential subversion and what are best methods?

3. What processor types make most sense to do a knock off of to get most bang for investment buck.
3a. Servers.
3b. Desktops.
3c. Special purpose devices such as networking, storage, or thin clients.
3d. Embedded chips with fewer resources.

So, there's plenty of things to discuss far as hardware openness and subversion go. These issues need good answers before any investment is made.

@ Clive Robinson

"At the other end of the scale the dictionary can be dispenced with by the VM running a compiled program where words are replaced with inline assembler macros, this gives the fastest execution speed but a very large compiled program without functions in this respect it's similar to "loop unrolling"."

That's giving me ideas of how to do a Correct by Construction style of Forth. Not coherent enough to publish yet, though.

" Strictly speaking it would not be Forth but some other "Forth like" language of which quite a few exist."

I figured. Might still have the advantages, though.

@ Petrobras

"This is why I insisted on how to audit a chip with a microscope."

RobertT once linked to a company that specializes in reverse engineering chips. It was very interesting reading on how they dealt with the problem layer by layer. The difficulty and cost involved made me guess that it wouldn't seem like an easy way to verify chips as only the tiniest portion could be checked and you'd have to hope the subversion was visible.

So, my focus shifted to inspecting chips that weren't so tiny/complex or securing the production process. There's also good work going on in academic circles on designing circuits that can be combined with potentially malicious one's one a SoC to reduce risk. All that is in its infancy, though, while dealing with technical and personnel issues is a bit better understood. So, I picked a hard option to look into but it's because alternatives seem as hard or harder.

@ Adjuvant

I'm glad you shared this link because I think it might tell me something important. RobertT pointed out that the logic cells are important in the process as they're often a black box supplied to reduce design time. I wondered how hard it would be to make some open, trustworthy cells. The link gives us an idea:

"Creating and characterizing a logic library is not difficult, but it was time consuming. We ultimately created just over 60 digital cells22 and 14 analog cells and supercells.23 The CPUs were built from these cells."

The rest of the CPU on cheaper memory fab process is also brilliant. There could be something to use here for... something. Still not sure as those basic questions I outlined earlier must be answered. I'm keeping this bookmarked though.

@ Dirk Praet

Best job at the NSA. Too bad I can't stand WoW or NSA. I'd probably sign up otherwise.

Nick P • December 9, 2013 9:10 PM

@ Figureitout

http://colorforth.com/cf.htm

That page has links on the bottom that lead to all sorts of guides, articles, code, etc. You will learn plenty from them. Not to mention you might like cf.

Nick P • December 10, 2013 9:41 AM

@ RobertT

Your post seems to assume that my strategy stops with ownership of the fab. It certainly doesn't. The threat is a combination of technical, physical and personnel. Controls would be in place for each of them. I've put the most mental effort in my solution to the trusted personnel problem which is neither easy nor guaranteed, but would fail entirely if it's publicly known. That's why I haven't mentioned it in these comments.

The problem isn't as hard as you make it out to be though. You're so brilliant and knowledgeable about the technical aspects of it that this is what you're focusing on. The problem isn't outthinking every single thing the technicians might do. The problem is ensuring they wouldn't try. That's a human loyalty problem and has been successfully handled many times in history. Hundred times as many failures, for sure. Focusing on that problem, what tilts odds in defence's favor, and doing what little auditing of results is possible will be how success happens. Any other route will just put an illusion of security up that results in massive compromise.

re new tech vs old

". So a 2014 security processor made on a 1990 1um process (with just 35000 transistors) sounds great until you realize that the die area required to implement the function could potentially contain other active structures / connections so tiny that they were invisible with your inspection methodology."

Very well said. I'll try to remember this myself.

re 20nm

You keep mentioning it's so hard to create structures on this level and even harder to do devious things. Does this mean that you think the inherent nature of this process node makes it safer at the moment from compromise? In other words, the middle parts between specifying the hardware and fabbing it are where the only real risk is? If so, then going straight to 20nm with existing fabs in Asia seems to be the best solution to that part of the problem.

And maybe keeping the cost down by fabbing a FPGA or CPLD instead of a specific processor design for at least the embedded chip. Then the fab would constantly crank out the same thing, but the actual uses would be versatile. The most powerful chip, server or desktop use, would probably be a dedicated ASIC of which there are open starting points. 20nm gives us many possibilities the other fabs I looked at didn't.

@ Petrobas

Knowing one person you might trust won't help. Fabs are huge operations. The buying older chips solution might help and was what I recommended previously on this blog. The problem is that it will eventually result in a situation similar to the pre-1986 machine gun market where the numbers are constantly declining due to wear and the supply/demand difference drives prices up. Unlike machine guns, we can't replace individual wearing parts of VLSI circuits so the tens of thousands that exist on the market will disappear quite quickly.

A solution to the problem that allows use of newly produced chips is inevitably necessary and might be necessary sooner than we want.

Re old processors

I'd go back farther than that in general. NSA had less authority or will to take risks on subverting the chips themselves as you push back toward the 90's. My range is 2003-2004 or older. Still plenty of use to be gotten out of top chips made in that era. One piece of equipment I have is 2003 which seems safe b/c it was a minority player outside of NSA's target demographic. It still has a 1GHz processor, vector extensions, and plenty RAM. :)

Nick P • December 10, 2013 1:20 PM

Re Forth

I think everyone considering Forth might find this an excellent read. It goes deep into the nature of Forth, praises it, criticized it, and reflects on his personal experiences with it in combined software hardware systems. Relevant to this discussion.

http://www.yosefk.com/blog/my-history-with-forth-stack-machines.html

Another takeaway for me was that LISP makes even more sense due to (a) having similar benefits wrt flexibility and (b) having vastly more resources put into it that might benefit next project. Also has verified implementations, chips, security kernel, compilers to efficient C, etc. It bridges with mainstream platforms and security efforts more effectively is I think what im trying to say.

Nick P • December 10, 2013 1:25 PM

@ Adjuvant

Ill give a more thorough response to you and Bryans post later when I have time. However, I can quickly say theres been real efforts on lisp chips rather than just talk. Heres the top of a quick Google for instance.

http://www.aviduratas.de/lisp/lispmfpga/

Nick P • December 11, 2013 11:49 AM

@ RobertT

re parallel architectures & security

"We've talked about massively parallel processing architectures in the past and I still think this is the best solution. Imagine a chip with 1000 independent CPU's all working on a problem."

Reminds me of the Thinking Machines Corp.'s CM1 which had 65,000+ independent processing units (which were quite simple). The Massively Parellel Processing architecture was used in scientific fields like genetic programming. It saw much less use than machines with a small number of high performance, fully featured cores. I think despite multicore the market would choose against such a design today too. Plus, having done MPP programming, I can assure you it's a challenge for the software developer even *without* security requirements on top. ;)

However, don't let mainstream fool you: there are people working on stuff like that (parallel, not 65000 cores). The recent chip discussion had me digging through papers and commercial product specs. There were quite a few designed for multicore, "manycore," etc. There's also been programming languages such as Cilk, X10 or the brilliant Parasail that let programmers transition easily to such architectures. Finally, there's software diversity and obfuscation research similar to your obfuscations. I could easily seeing some of these combined at the compiler level where it took a parallel language program and split it up on cores in a complex, yet efficient, way.

While fun to think about, I think it's the wrong route for most systems. Our current problems stem from the design of chips making it easy to steal data, inject code or shoot oneself in the foot when coding. Small tweaks to existing architecture can greatly improve the resulting reliability, security, etc. Radically different designs greatly improve it. A few are in my upcoming Friday paper release that targets bottom-up secure or safer architectures. Older designs that attempted this include the capability architectures, Burroughs' tagged processor + type safe Algol system programming, Intel's i432 that the market killed, and original AS/400 object architecture.

So, it's been done before without massive processors or complexity. As I say of language design, doing the good stuff should be incredibly easy and doing the bad stuff incredibly hard. Such choices incentivize developers to act right [most of the time]. Current architectures provide, let's use Bruce's term, "perverse incentives." Change the architectures to change the incentives to change the behavior.

Nick P • December 11, 2013 4:57 PM

@ Bryan

"Code is data, data is code. No can do."

That's true for a PC too, though. Otherwise data couldn't become code through a buffer overflow, could it? ;)

Anyway, secure confinement was already done in LISP. So, it's definitely a possibility. Especially if the core is verified (as in VLISP) or runs on a processor made for LISP (esp w/ built in GC & memory management). Plus, LISP's turning data into code can always be restricted by the environment: there's no reason to use a fully flexible LISP implementation for highly secure use case. That's kind of crazy, actually.

"It is my plan to have the security processes all on their own cores and also having only the permissions they need to operate. A process drawing graphics primitives, can't read the keyboard IO data. The MMU won't allow it. "

Capability architectures. You've mentioned many problems that they solved before the 90's. Enforcing types or POLA at the lowest levels of the system is their main strength. Starting with that might make whatever you're doing easier (or help in another project). OS examples were KeyKOS (esp Factory pattern) and EROS. It was applied to UI's in HP's Polaris and Combex work IIRC. CHERI at Cambrige already has a prototype for their capability processor supporting isolation and legacy software use cases.

"On massively parallel. Right now I'm thinking of maybe 100 to 500 cores on a chip. Each core has a CPU, MMU, code cache, and local data cache."

Agarwal at MIT went in that direction with RAW Workstation project. Topped out at around 64 cores with 100 on the way. Tilera's chips have been in commercial use for a while now. Their interconnect scheme might be just what you need. (or their chips) There are also the so-called "network on a chip" designs that might help that you might find with Google, although might be paywalled.

I told RobertT a while back that I think part of our solution is in Massively Parallel Processing designs and I can tell his mind is brewing with stuff. Yours too. I like that we're all going in different directions because such diversity leads to best results.

One warning I'll give you about this stuff: execution units on separate chips with separate components are almost always more secure than those on the same chip with shared components. The reason is covert channels. The more is shared and integrated, the more there are. This is why when I brought it up to RobertT I focused on MPP or similar designs where there's a shared interconnect or memory of some sort, but there are also independent execution units, components and memories. Physical isolation needs to be built in to some degree.

My current MPP-based security scheme design

1. Address space, tagged memory or both at hardware level.

2. MPP architecture of many (dozens to thousands) nodes connected over high speed interconnect and distributed shared memory.

3. Each node has one or more execution units.

4. Interconnect interface is standardized to the point that each node can be whatever type of chip is necessary (RISC processor, FPGA, Java chip, etc.).

5. Each node's interconnect chip has builtin MMU that restricts what shared memory the chip can read or write. The MMU is controlled by the master controller of the system. The compute node can't override it or even know what its rules say. This is similar to MAC networking in Orange Book days & Clive's prison concept.

6. Nodes include general purpose COTS, general purpose secure (eg. tagged), single purpose COTS, and single purpose secure. The COTS chips will tend to be faster/cheaper.

7. Each node must include a trusted boot feature that can't be overwritten by software and gets the system into a known state where it can receive software/commands/data.

8. System uses recovery based architecture whereby a service node regularly restarts, tests, etc. compute nodes and tries to spot problems before they become a security risk.

There are quite a few ways to use a system with that architecture and primitives:

1. VM's running on different isolated nodes with mediated, high speed communication between them and availability.

2. A different chip per function in a single image software system. (I've even considered a dedicated chip for secure IO and driver handling.)

3. A combination of VM's and isolated applications constituting a larger system.

4. Intrusion detection is just a node with read access to certain parts of memory.

5. Integrity is easier to achieve if a separate node with built-in integrity protection handles file systems or database storage.

6. IO can be on dedicated nodes with mediated access to shared memory. The speed of the shared memory will make mediation bearable.

7. Smart compilers for a language with distributed computation in mind (eg E) can automatically split an app over many cores and nodes with POLA applied to each.

8. Low cost, low power chips can be used for functions that don't need so much. Having fewer heavyweight chips running will reduce operating costs and possibly risk.

9. As it has integrity protection of bootware, the system can be used to run untrusted COTS software for HPC applications without threat of permanent harm to system state. Any critical stuff could be unplugged (or MMU restricted) in such an event.

10. The TCB of the system can be adjusted for various tradeoffs. At a minimum, the shared memory enforcement and trusted boot must work correctly. From there, you secure just what you need.

Lot of possibilities. My architecture is in the alpha state, obviously, with plenty of room for problems or improvements. I'm using this paper to see what other systems did with interconnects and nodes. Most of my focus right now though is on is on simple modifications to ISA's to boost security and the Friday paper release. Then, I'll have time to work on my combination of MPP, tagged architecture and assured shared memory.

Btw, is there anything any of you like about MPP for POLA concept or use of managed NUMA memories? I've looked and can't see anyone in industry attempting this approach to INFOSEC. Seems original so far as I can tell.

Nick P • December 11, 2013 7:35 PM

@ Dirk

Custom hardware certainly might be prohibitive as you pointed out. It's why my efforts are trying to minimize changes or expensive developments. It's also why I'm pushing *very* strongly for people to use what's already been done rather than explore new solutions to the same [solved] problem. It will reduce work to a minimum.

However, Wirth's Oberon project and Moore's Forth show that a ground up redesign with simplicity, maintainability, performance, AND LOW COST are possible. I mean, the Wirth projects (esp Lilith) designed a type safe systems language, a processor supporting it, a workstation using it, a compiler, an OS, useful tools, UI, and so on usually with a small number of people over several years. We have better tools today, esp the FPGA's and IDE's. The main difference is that it will take more people and require knowledgeable security engineers on each project.

" the only people able to build it would be individuals with a decent background in hardware and electronics, or loosely-knit groups with a particular interest in such systems like, say, the CCC in Hannover, Germany. Not to mention IC communities."

Mostly true. But, as I pointed out above, don't forget the academics. The college kids and industry researchers are coming up with more solid work in security tech than about any other group. Almost every awesome piece of work I've listed comes from these types of people. Hopefully the Snowden leaks will only make them more motivated.

Nick P • December 12, 2013 11:34 AM

@ Dirk Praet

"I really should take some time to dig into this kind of stuff to learn more about it,"

You can get a quick overview of what they accomplished here if you just read the intro, Lilith, and Modula sections.

This lengthier tribute to Wirth tells a lot about his style, accomplishments, and the effects it had. I think his design approach combined with modern tools/tech & security engineering will be the best method to solve our current problems. He's already demonstrated it works on hardware, low-level software and high level software.

@ Petrobas

"Except if you disconnect the keyboard from the ISA/PCI bus and instead connect it to the only processor core which is in charge of keyboard. "

I'm guessing you didn't read the link. Many of the capability architectures had dedicated processors or even separate machines to do IO. The main chip would interface to it in a certain way. There's enough advantages to that approach that certain secure systems of mine offloaded filesystems/networking to other machines, too.

Even in the integrated designs, the capabilities were enforced in hardware on the chip. Also, the A1-class SCOMP system used a dedicated IO processor that could impose access restrictions (a la IOMMU in 1985).

Connecting it directly to the processor has some benefit, too, though. It's not a bad idea for the keyboard long as you eliminate the timing channel it creates.

Nick P • December 12, 2013 11:00 PM

@ Dirk Praet

I forgot to mention good luck on the Japanese. Someone I know spent some time learning it and thought it was a rewarding experience. He said it forces a person to think differently. And it was fun when he got the hang of it.

Plus you'll be able to make better use of those Japanese chips and computers that NSA hopefully has no backdoor in. ;)

Nick P • December 12, 2013 11:24 PM

@ Bryan

My Parasail reference was for someone else. This was the one I showed you as it involved many cores and customization on chip.

Far as your described system goes, it reminds me of the Functional Reactive Programming (eg Elms) and Dataflow paradigms. I bet those languages might work well on such an architecture. Other aspects I'd have to think on as the design's security implications are complex.

Re BitC

It's a work in progress that hasn't neared production. You might want to look at the other languages you mentioned more as they have finished compilers and tools.

Nick P • December 12, 2013 11:26 PM

British spy found dead and naked in a bag. Police say probably accident.

http://www.huffingtonpost.com/2013/11/13/gareth-williams-accident-died-in-bag_n_4266397.html

Pretty weird. I don't have an opinion on it.