Slashdot Mirror


NSF Awards $10 Million To Protect America's Processors

aarondubrow writes "The National Science Foundation and the Semiconductor Research Corporation announced nine research awards to 10 universities totaling nearly $4 million under a joint program focused on secure, trustworthy, assured and resilient semiconductors and systems. The awards support the development of new strategies, methods and tools at the circuit, architecture and system levels, to decrease the likelihood of unintended behavior or access; increase resistance and resilience to tampering; and improve the ability to provide authentication throughout the supply chain and in the field. 'The processes and tools used to design and manufacture semiconductors ensure that the resulting product does what it is supposed to do. However, a key question that must also be addressed is whether the product does anything else, such as behaving in ways that are unintended or malicious,' said Keith Marzullo, division director of NSF's Computer and Network Systems Division."

48 comments

  1. Microsoft drops Trustworthy Computing Group by jkrise · · Score: 2

    http://redmondmag.com/articles...

    Make of these what you will.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Microsoft drops Trustworthy Computing Group by peragrin · · Score: 2

      It gets better when the NSA offers 400 million to open up the backdoors, and hand out the access keys.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Microsoft drops Trustworthy Computing Group by Z00L00K · · Score: 2

      With resistance to tampering it also means that it's harder to find intentional backdoors placed by your favorite agency.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Microsoft drops Trustworthy Computing Group by Anonymous Coward · · Score: 0

      It's just a restructure, it's not really going away. Anyway, "trustworthy computing" has nothing to do with trusting the silicon. It is about the user, ensuring that the copyright industry can trust Microsoft. And Microsoft in turn ensures that users are unable to break DRM restrictions by code signing guaranteed at the hardware level.

    4. Re:Microsoft drops Trustworthy Computing Group by sillybilly · · Score: 1

      It has everything to do with trusting the silicon. It is possible to embed covert hardware code into a chip, that activates at zero day, or from a satellite signal, or from a plane that flies by. For instance, in the US more and more of the CNC's and injection molding machines and the like, even for military supply chains, are increasingly manufactured in foreign countries like Germany or Japan, and it's not like we're ever gonna go to war with these countries, right? That'd be nice. But in case the shit hits the fan, how are you gonna trust your plastic spoon making equipment the military uses to feed on a daily basis? Or even the bullet making CNC's? First of all you cannot get the spare parts, 2nd you absolutely cannot trust what a chip does, unless you make that chip yourself, and even then you're vulnerable to a swap out. It's not possible to shave off the surface of a chip, then inspect the tracks and transistors with an electron microscope or even x-ray machine, and decipher what the fuck it is doing, because it's so mindbogglingly complex. I, as a human, had trouble figuring out a couple transistor garage opener, or even putting the schematics on paper, even a 50 element garage opener is too complex for a human, unless they are expert electronics designers. A computer could help of course coming up with the schematics, but when you're talking a billion transistors, so what if the computer can create the schematics. It cannot comprehend what a chip does, or could covertly do. All you know an injection molding machine could sense when it's getting worked on, and people standing between open molds hammering out plastic frozen pieces, to keep production going, it could close on them with thousands of lbs of force.

      You'd lose your best maintenance people in a war situation, and no, there is no time to do proper OSHA lockout tagout, because you can hammer the plastic piece out in 2 or 3 minutes, and keep things going, but dare you lose temperature control, it's an automatic 30 minute timeout. A lot of Japanese injection molding machines are like that, you touch the temperature control button by accident for half a second, turn off the barrel heat, and it's an automatic 20 minute timeout. That's bullshit. It begs for no lockout-tagout, when expensive equipment like that has to produce the couple cent parts continuously, else it cannot pay for the financing. Time like 20 minutes down is a matter of staying in business, or shutting the doors as yet another company out of business in the US. All these headaches because of automation and chips, hardware, that you yourself did not make. It's imperative for every country on the planet to have their own chip hardware business, at least for their own military purposes, and by military, I mean simple things like plastic spoon manufacturing, that are light and easy to carry in a soldier's backpack.

  2. Let's Outsource It!! by Required+Snark · · Score: 1
    Given standard US business practice this will be outsourced to Taiwan (Taiwan Semiconductor) and the work will be performed in China.

    Conversely it can be done in the US by H-1B visa holders from India.

    Or it could be done by IBM in Zurich or India. If IBM gets a piece of the action, it could be done anywhere. Remember, they no longer report employment by country, so no matter where they say the work was done, big chunks of it could be done anywhere on the planet.

    Remember that Zuckerberg and Microsoft are threatening to move to Canada because the US only produces second rate computer talent, so clearly there is no one in the US capable of doing the job right. (Look up the recent Slashdot post about this, I'm too lazy.)

    I know that the money is actually going to universities, not corporations. I'm just pulling your leg. Even so, given the ties between academic institutions and big corporations, who knows where the data from this will end up, or who will have input into the process. Inquiring minds want to know...

    --
    Why is Snark Required?
    1. Re:Let's Outsource It!! by Electricity+Likes+Me · · Score: 4, Interesting

      That's uh, kind of the point of this research. Verifying black box chip functionality is a huge concern for the military, who has a standing policy to use consumer hardware off-the-shelf where possible. With chips made in China and all. Beyond that, there's a big problem in just regular supply runs with counterfeit chips.

    2. Re:Let's Outsource It!! by Required+Snark · · Score: 2
      IBM also has a research group in Beijing.

      To make my sarcasm more understandable to you, I'm trying to point out that in the US, even national security is sacrificed to the profit motive. This is one of the reasons that US defense (and other critical infrastructure firms) keep being hacked by Chinese and Russian based groups. They don't spend enough money on security because "profit".

      The US Chamber of Commerce, one of the biggest and most influential lobbying groups, has successfully shut down any legislation addressing requirements for cyber-security. President Obama did try and address the issue via executive order, but that is not as effective as actual legislation.

      So here is a real example that I ran across when I was posting on a different Slashdot thread. http://en.wikipedia.org/wiki/Lockheed_Martin_F-35_Lightning_II#Program_cost_increases_and_delays

      On 21 April 2009, media reports, citing Pentagon sources, said that during 2007 and 2008, spies downloaded several terabytes of data related to the F-35's design and electronics systems, potentially compromising the aircraft and aiding the development of defense systems against it. Lockheed Martin rejected suggestions that the project was compromised, stating it "does not believe any classified information had been stolen". Other sources suggested that the incident caused both hardware and software redesigns to be more resistant to cyber attack.

      Now do you understand what I am talking about?

      --
      Why is Snark Required?
  3. The path to higher profits... by Lumpy · · Score: 1

    Is in outsourcing.... nothing bad can happen if you have everything made in China....

    --
    Do not look at laser with remaining good eye.
    1. Re:The path to higher profits... by Anonymous Coward · · Score: 0

      Thanks for regurgitating NSA Scheisse. The worst subverters of hardware are NSA-GCHQ. Of course they claim everybody does it. For example, they repeatedly threw brown stuff at Huawei. Until now, nothing has been substantiated, except that we have proof NSA-GCHQ intercepts Cisco hardware to insert their malware.

      Then "Crypto AG" and Belgacom.

      Pot, kettle, etc.

    2. Re:The path to higher profits... by Anonymous Coward · · Score: 0

      Ahh the uneducated chiming in.

      Come on back when you actually have a clue as to what you are talking about.

  4. Is this sponsored by the NSA? by Anonymous Coward · · Score: 0

    We probably have to assume all chips have Chinese or NSA backdoors. Choose your poison.

  5. Cory Doctorow had a nice talk on the subject by Errol+backfiring · · Score: 1

    See his blog post on the War on General Computing. (warning: video lasts more than five minutes, but it is worth seeing.)

    Just another "build me a device that can do anything, except for (<insert feature here>)" action.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:Cory Doctorow had a nice talk on the subject by bluefoxlucid · · Score: 1

      It's more than that. These people want a device they can inspect for tampering; they have obviously not met Angus Thermopyle.

  6. Guns don't kill people, bullets do. by Bob_Who · · Score: 1
    TFA:

    "However, a key question that must also be addressed is whether the product does anything else, such as behaving in ways that are unintended or malicious,"

    Like "off label" usage of prescriptions, using a frozen leg of lamb as a murder weapon, or spending money to fund all things evil and destructive? My point is that a product can and will do anything else, such as behaving in ways that people decide and control, be it malicious or mundane. Nobel invented dynamite, should he get his own prize for breakthroughs in bank vaults? This really sounds like a load of toad.

    1. Re:Guns don't kill people, bullets do. by Anonymous Coward · · Score: 0

      I think the concern is the chip fab companies modifying the submitted chip design before manufacturing them. For example, adding an extra instruction to a CPU to circumvent security features. You would never know it's there unless you went looking for it.

  7. NSA in NSF's Clothing by Anonymous Coward · · Score: 0

    Face it, friends. We're pwnz0rs.

  8. $4m for 10 universities is *nothing* by Anonymous Coward · · Score: 0

    A short calculation:

    $4m in funding
    - 50% of overhead (overhead varies between 40% and 67%)
    = $2m of effective funding

    This is available for at least 10 professors (though it's for sure more than 1 professor per institution), thus, it's $200,000 per university team. From this you have to remove summer salaries for each year for the professor(s), so it's maybe $140k-$160k. Running for 3 years, this means funding for 10 students at most across all projects.

    Read a little further down in the article and you'll see that NSF allocated $73 for cybersecurity alone. Now that's a number that already gets more things moving. But $4m in the current system with overheads, summer salaries, and project meetings is nothing.

    1. Re:$4m for 10 universities is *nothing* by bluefoxlucid · · Score: 1

      Salaries are overhead.

    2. Re:$4m for 10 universities is *nothing* by NatasRevol · · Score: 1

      Not according to universities.

      --
      There are two types of people in the world: Those who crave closure
  9. Wow, a whole $10 million? by Maury+Markowitz · · Score: 4, Insightful

    I remember watching some show on a river in Africa that never makes it to the coast. Every spring it starts as a rushing torrent, but as the thaw ends and the water spreads out it evaporates and sinks into the land, leaving a huge inland river delta.

    One can construct a similar imaginary money river for this story. $10 million? It will never see hardware, that money will disappear into the bureaucracy like water into the African plains.

    To put this in perspective, $10 million is what, one hour of iPhone sales? That's how important the NSF considers this?

    1. Re:Wow, a whole $10 million? by Mr+D+from+63 · · Score: 1

      The government has always suffered from the inability to stop doing anything. They'll minimally fund an organization that serves no real value just to avoid the pain of dismantling it. It's a lot easier to spend a few million and keep a group of workers trudging along than to actually redirect them or, if need be, lay them off. I wouldn't be surprised if that is a big part of the case here.

    2. Re:Wow, a whole $10 million? by bill_mcgonigle · · Score: 2

      I suspect Intel spent $10M on chip R&D while my coffee was brewing.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Wow, a whole $10 million? by CastrTroy · · Score: 3, Insightful

      $10 million doesn't get you very far anymore. My city has spent over $10 million trying to construct a pedestrian bridge. The initial estimate was over 6.5 million. For a bridge. That people walk on. I think it allows for bikes too. Crazy. And it still hasn't been completed. Who knows how much it will cost by the end of it.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:Wow, a whole $10 million? by Anonymous Coward · · Score: 1

      It'll cost as much as it takes for the politicians who sponsored it to become wealthy enough to retire.

    5. Re:Wow, a whole $10 million? by lourd_baltimore · · Score: 1

      The show was probably about the Okavango River which empties into the Okavango Delta in Botswana.

      You're right, none of the water makes it to any sea or ocean. Some of it simply evaporates. However, the majority of the water allows for a thriving ecosystem to exist in an otherwise arid region.

      Include this into your analogy as you see fit.

    6. Re:Wow, a whole $10 million? by tlhIngan · · Score: 1

      I suspect Intel spent $10M on chip R&D while my coffee was brewing.

      And that's only part of it.

      A set of basic masks for an IC costs around $1M. Very basic 2-metal process that is.

      Each mask is around $100K to produce, which is why in semiconductor design, there are piles of unconnected transistors and gates that are fabbed into every IC so small revisions can be done by changing the metal layers of the mask only - minimizing the number of mask changes minimizes a huge expense.

      A modern IC generally is at least a 10-metal process which eats up that $10M alarmingly quickly.

    7. Re:Wow, a whole $10 million? by Anonymous Coward · · Score: 1

      Except none of this research is making production processors. Do you have any concept of how university research works? Do you think MIT is spitting out production quality processors? No, because it's idiotic to spend a hundred million dollars to develop something that will never be used or make money. They instead design algorithms, test in simulation, and publish. Then, in five years, Intel puts it in the 5nm Running Bear Lake or whatever they are going to call it.

    8. Re:Wow, a whole $10 million? by Anonymous Coward · · Score: 0

      Yes, all the government wrangling in order to get a quarter million dollars to universities with hundreds of millions of dollars in research funds. You idiots are so sadly cynical.

  10. Where's the rest of the money coming from? by pupsocket · · Score: 2

    Does four million get even one item on this list?

    (from the article)
    Combating integrated circuit counterfeiting using secure chip odometers--Carnegie Mellon University
    Intellectual Property (IP) Trust-A comprehensive framework for IP integrity validation--Case Western Reserve University and University of Florida
    Design of low-cost, memory-based security primitives and techniques for high-volume products--University of Connecticut
    Trojan detection and diagnosis in mixed-signal systems using on-the-fly learned, pre-computed and side channel tests--Georgia Institute of Technology
    Metric and CAD for differential power analysis (DPA) resistance--Iowa State University
    Design of secure and anti-counterfeit integrated circuits--University of Minnesota
    Hardware authentication through high-capacity, physical unclonable functions (PUF)-based secret key generation and lattice coding--University of Texas at Austin
    Fault-attack awareness using microprocessor enhancements--Virginia Tech
    Invariant carrying machine for hardware assurance--Northwestern University

    So of course this whole project will need to attract international support from all those other governments grateful that the US role protects the integrity of critical hardware worldwide.

    After all, those same governments will probably send their very brightest and most dedicated graduate students and post-docs to the institutions conducting the research.

    Maybe they're already supporting it and working on it.

    1. Re:Where's the rest of the money coming from? by sillybilly · · Score: 1

      Which is why a few transistor 80286 for DOS is such a great idea for the military. It can do a lot on the peripheral systems, and the simpler the design, the less its capabilities, the less the security risks. Centrally or in secure locations you can run complex mainframes, that you can inspect and manage the heck out of, but low cost, discardability and security out in the field beg for simplicity in design.

    2. Re:Where's the rest of the money coming from? by pupsocket · · Score: 1

      and the simpler the design, the less its capabilities, the less the security risks

      Yup.

      Is it mad optimism to suspect that some tiny fraction of the motivation here might not be military but a concern for the integrity of electronic elections?

  11. We're sorry, but ... by CaptainDork · · Score: 1

    ... what with the state of education in the US, not only do we not have people with computer talent, we no longer have computer people capable of hacking.

    The good news is that all Americans have been removed from the no-fly list.

    The bad news is that we're screwed.

    --
    It little behooves the best of us to comment on the rest of us.
  12. $10m or $4m? by cdrudge · · Score: 1

    NSF Awards $10 Million To Protect America's Processors
    ...
    The National Science Foundation and the Semiconductor Research Corporation announced nine research awards to 10 universities totaling nearly $4 million...

    One of the first things they are going to research is how to properly add numbers.

  13. Wow! $4 Million Dollars! by frank_adrian314159 · · Score: 1

    Dr. Evil would be proud.

    Do you guys realize how minor this money is? Do you know how much research costs? Basically, this is an amount that would run one decent sized lab at a research university for maybe a year. If these are the grants we're crowing about... well, I guess it's a start.

    $10M a year for five years might be reasonable to get some traction on the problem. All this will do is fund a few papers which will probably disappear. That grad students and post docs will survive another year, I guess, so that might be good.

    --
    That is all.
  14. Hahahahahaha by Anonymous Coward · · Score: 0

    NSx working against NSx

  15. Trustworthy ... by PPH · · Score: 1

    ... is a process, not just a technology.

    How do I know that some microcode hasn't been added to the CPU/GPU I've got plugged into my motherboard? Is there some sort of independent auditing process in place? Not that this would do any good. Customers of components like FPGAs have demanded methods to secure their device code from illicit inspection and copying. And any audit process would be indistinguishable from such inspection. So that isn't going to happen.

    If you buy a router, how can you be sure that a back door hasn't been installed, either by the manufacturer or at some point in the unit's transit? And I suspect that any attempt to secure such a device from tampering by those evil Chinese would trip over NSA requirements to provide exactly the same kind of access.

    --
    Have gnu, will travel.
    1. Re:Trustworthy ... by skoony · · Score: 0

      this was discussed 15-20 years ago. the general belief was if it wasn't already being done it would be.

  16. this will do no good, unless... by WindBourne · · Score: 1

    America also pushes the gov. to buy this and help restart the industry.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  17. Great will they be built here? by jbrandv · · Score: 1

    Do the research here then send the details so they can be subverted... Oops I meant manufactured in China. That'll do a lot of good.

  18. How is this a Federal problem? by Anonymous Coward · · Score: 0

    You really must have zero concept of how universities do research.

  19. Wow, a whole $10 million? by Anonymous Coward · · Score: 0

    Do you know anything about research funding? These grants are to support graduate research work for a certain amount of time. Most of these things don't *HAVE* hardware as their outcome. Most likely, they are doing theoretical research into algorithms for detecting bugs and protecting hardware that can then be integrated into future hardware. Do you think that universities just spit out 14nm Xeons made by graduate students?

    Jesus, this Slashdot discussion is just idiotic. What the hell happened to this place?

  20. sounds good on paper by skoony · · Score: 0

    there will never be a processor available to the general public that doesn't have a backdoor. now if you're a government or corporation with a big and i mean really big wallet... .