NSF Awards $10 Million To Protect America's Processors

aarondubrow writes "The National Science Foundation and the Semiconductor Research Corporation announced nine research awards to 10 universities totaling nearly $4 million under a joint program focused on secure, trustworthy, assured and resilient semiconductors and systems. The awards support the development of new strategies, methods and tools at the circuit, architecture and system levels, to decrease the likelihood of unintended behavior or access; increase resistance and resilience to tampering; and improve the ability to provide authentication throughout the supply chain and in the field. "The processes and tools used to design and manufacture semiconductors ensure that the resulting product does what it is supposed to do. However, a key question that must also be addressed is whether the product does anything else, such as behaving in ways that are unintended or malicious," said Keith Marzullo, division director of NSF's Computer and Network Systems Division.

Microsoft drops Trustworthy Computing Group

[jkrise]

http://redmondmag.com/articles...

Make of these what you will.

Re:Microsoft drops Trustworthy Computing Group

[peragrin]

It gets better when eh NSA offers 400 million to open up the backdoors, and hand out the access keys.

Re:Microsoft drops Trustworthy Computing Group

[Z00L00K]

With resistance to tampering it also means that it's harder to find intentional backdoors placed by your favorite agency.

Re:Microsoft drops Trustworthy Computing Group

Its just a restructure, its not really going away. Anyway, "trustworthy computing" has nothing to do with trusting the silicon. It is about the user, ensuring that the copyright industry can trusts Microsoft. And Microsoft in turn ensures that users are unable to break DRM restrictions by code signing guaranteed at the hardware level.

Re:Microsoft drops Trustworthy Computing Group

[sillybilly]

It has everything to do with trusting the silicon. It is possible to embed covert hardware code into a chip, that activates at zero day, or from a satellite signal, or from a plane that flies by. For instance, in the US more and more of the CNC's and injection molding machines and the like, even for military supply chains, are increasingly manufactured in foreign countries like Germany or Japan, and it's not like we're ever gonna go to war with these countries, right? That'd be nice. But in case the shit hits the fan, how are you gonna trust your plastic spoon making equipment the military uses to feed on a daily basis? Or even the bullet making CNC's? First of all you cannot get the spare parts, 2nd you absolutely cannot trust what a chip does, unless you make that chip yourself, and even then you're vulnerable to a swap out. It's not possible to shave off the surface of a chip, then inspect the tracks and transistors with an electron microscope or even x-ray machine, and decipher what the fuck it is doing, because it's so mindbogglingly complex. I, as a human, had trouble figuring out a couple transistor garage opener, or even putting the schematics on paper, even a 50 element garage opener is too complex for an human, unless they are expert electronics designers. A computer could help of course coming up with the schematics, but when you're talking a billion transistors, so what if the computer can create the schematics. It cannot comprehend what a chip does, or could covertly do. All you know an injection molding machine could sense when it's getting worked on, and people standing between open molds hammering out plastic frozen pieces, to keep production going, it could close on them with thousands of lbs of force. You'd lose your best maintenance people in a war situation, and no, there is no time to do proper OSHA lockout tagout, because you can hammer the plastic piece out in 2 or 3 minutes, and keep things going, but dare you lose temperature control, it's an automatic 30 minute timeout. A lot of japanese injection molding machines are like that, you touch the temperature control button by accident for half a second, turn off the barrel heat, and it's an automatic 20 minute timeout. That's bullshit. It begs for no lockout-tagout, when expensive equipment like that has to produce the couple cent parts continuously, else it cannot pay for the financing. Time like 20 minutes down is a matter of staying in business, or shutting the doors as yet another company out of business in the US. All these headaches because of automation and chips, hardware, that you yourself did not make. It's imperative for every country on the planet to have their own chip hardware business, at least for their own military purposes, and by military, I mean simple things like plastic spoon manufacturing, that are light and easy to carry in a soldier's backpack.

Let's Outsource It!!

[Required+Snark]

Given standard US business practice this will be outsourced to Taiwan (Taiwan Semiconductor) and the work will be performed in China.

Conversely it can be done in the US by 1H-B visa holders from India.

Or it could be done by IBM in Zurich or India. If IBM gets a piece of the action, it could be done anywhere. Remember, they no longer report employment by country, so no matter where they say the work was done, big chunks of it cold be done anywhere on the planet.

Remember that Zuckerberg and Microsoft are threatening to move to Canada because the US only produces second rate computer talent, so clearly there is no one in the US capable of doing the job right. (Look up the recent Slashdot post about this, I'm too lazy.)

I know that the money is actually going to universities, not corporations. I'm just pulling your leg. Even so, given the ties between academic institutions and big corporations, who knows where the data from this will end up, or who will have input into the process. Inquiring minds want to know...

Re:Let's Outsource It!!

[Electricity+Likes+Me]

That's uh, kind of the point of this research. Verifying black box chip functionality is a huge concern for the military, who has a standing policy to use consumer hardware off-the-shelf where possible. With chips made in China and all. Beyond that, there's a big problem in just regular supply runs with counterfeit chips.

Re:Let's Outsource It!!

[Required+Snark]

IBM also has a research group in Beijing.

To make my sarcasm more understandable to you, I'm trying to point out that in the US, even national security is sacrificed to the profit motive. This is one of the reasons that US defense (and other critical infrastructure firms) keep being hacked by Chinese and Russian based groups. They don't spend enough money on security because "profit".

The US Chamber of Commerce, one of the biggest and most influential lobbying groups, has successfully shut down any legislation addressing requirements for cyber-security. President Obama did try and address the issue via executive order, but that is not as effective as actual legislation.

So here is a real example that I ran across when I was posting on a different Slashdot thread. http://en.wikipedia.org/wiki/Lockheed_Martin_F-35_Lightning_II#Program_cost_increases_and_delays

On 21 April 2009, media reports, citing Pentagon sources, said that during 2007 and 2008, spies downloaded several terabytes of data related to the F-35's design and electronics systems, potentially compromising the aircraft and aiding the development of defense systems against it. Lockheed Martin rejected suggestions that the project was compromised, stating it "does not believe any classified information had been stolen". Other sources suggested that the incident caused both hardware and software redesigns to be more resistant to cyber attack.

Now do you understand what I am talking about?

The path to higher profits...

[Lumpy]

Is in outsourcing.... nothing bad can happen if you have everything made in China....

Re:The path to higher profits...

Thanks for regurgitatin NSA Scheisse. The worst subverters of hardware are NSA-GCHQ. Of course they claim everybody does it. For example, they repeatedly throwed brown stuff at Huawei. Until now, nothing has been substantiated, except that we have proof NSA-GCHQ intercepts CISCO hardware to insert their malware.

Then "Crypto AG" and Belgacom.

Pott, kettle etc.

Re:The path to higher profits...

Ahh the uneducated chiming in.

Come on back when you actually have a clue as to what you are talking about.

Is this sponsored by the NSA?

We probably have to assume all chips have Chinese or NSA backdoors. Choose your poison.

Cory Doctorow had a nice talk on the subject

[Errol+backfiring]

See his blog post on the War on General Computing. (warning: video lasts more than five minutes, but it is worth seeing.)

Just another "build me a device that can do anything, except for (<insert feature here>)" action.

Re:Cory Doctorow had a nice talk on the subject

[bluefoxlucid]

It's more than that. These people want a device they can inspect for tampering; they have obviously not met Angus Thermopyle.

easy facebook profits review

[muathukn]

easy facebook profits review https://www.youtube.com/watch?...

TAILS Linux 1.1.2 is out (September 25th, 2014)

$ Torproject Blog Announcement:
https://blog.torproject.org/bl...

$ TAILS News Announcement:
https://tails.boum.org/news/ve...

$ TAILS Download Site:
https://tails.boum.org/downloa...

#

"TAILS, The Amnesic Incognito Live System, version 1.1.2, is out.

This release fixes numerous security issues[1] and all users must upgrade[2] as soon as possible.

We prepared this release mainly to fix a serious flaw[3] in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates.

Before this release, users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe itâ(TM)s coming from a trusted site.

( Changes )

-- Notable user-visible changes include:

- Security fixes
- Upgrade the web browser to 24.8.0esr-0+tails3~bpo70+1
- Install Linux 3.16-1
- Numerous other software upgrades that fix security issues: GnuPG, APT, DBus, Bash, and packages built from the bind9 and libav source packages

See the online Changelog[4] for technical details."

[1] https://tails.boum.org/securit...
[2] https://tails.boum.org/doc/fir...
[3] https://blog.mozilla.org/secur...
[4] https://git-tails.immerda.ch/t...

#

-((( Direct download )))-

( Latest release: Tails 1.1.2 ISO image )
http://dl.amnesia.boum.org/tai...

( Cryptographic Signature - Tails 1.1.2 signature )
https://tails.boum.org/torrent...

( SHA256 checksum for ISO )

f8a15f7c63662815a7087d36e1f614c9382675dd2424c2cd336aca6b72203ea2

#

-((( BitTorrent download )))-

( Latest release: Tails 1.1.2 torrent )
https://tails.boum.org/torrent...

"The cryptographic signature of the ISO image is also included in the Torrent. Additionally, you can verify the signature of the Torrent file itself before downloading it."

( Cryptographic Signature: )

https://tails.boum.org/torrent...

Re:TAILS Linux 1.1.2 is out (September 25th, 2014)

It's adorable that you think anyone cares, or that you're reaching them by posting this.

Guns don't kill people, bullets do.

[Bob_Who]

TFA:

"However, a key question that must also be addressed is whether the product does anything else, such as behaving in ways that are unintended or malicious,"

Like "off label" usage of prescriptions, using a frozen leg of lamb as a murder weapon, or spending money to fund all things evil and destructive? My point is that a product can and will do anything else, such as behaving in ways that people decide and control, be it malicious or mundane. Nobel invented dynamite, should he get his own prize for breakthroughs in bank vaults? This really sounds like a load of toad.

Re:Guns don't kill people, bullets do.

I think the concern is the chip fab companies modifying the submitted chip design before manufacturing them. For example, adding an extra instruction to a CPU to circumvent security features. You would never know it's there unless you went looking for it.

NSA in NSF's Clothing

Face it, friends. We're pwnz0rs.

$4m for 10 universities is *nothing*

A short calculation:

$4m in funding
- 50% of overhead (overhead varies between 40% and 67%)
= $2m of effective funding

This is available for at least 10 professors (though it's for sure more than 1 professor per institution), thus, it's $200,000 per university team. From this you have to remove summer salaries for each year for the professor(s), so it' maybe $140k-$160k. Running for 3 years, this means funding for 10 students at most across all projects.

Read a little further down in the article and you'll see that NSF allocated $73 for cybersecurity alone. Now that's a number that already gets more things moving. But $4m in the current system with overheads, summer salaries, and project meetings is nothing.

Re:$4m for 10 universities is *nothing*

[bluefoxlucid]

Salaries are overhead.

Re:$4m for 10 universities is *nothing*

[NatasRevol]

Not according to universities.

How is this a Federal problem?

[Gothmolly]

Why do we need the State Science Institute telling us that we need better control over the processor supply chain? Companies for whom this is important will implement it, and the rest won't. It's a self-correcting problem. And 10 million? If you're going to go out and nationalize the production of processors that's chump change, do it right, at least.

Wow, a whole $10 million?

[Maury+Markowitz]

I remember watching some show on a river in Africa that never makes it to the coast. Every spring it starts as a rushing torrent, but as the thaw ends and the water spreads out it evaporates and sinks into the land, leaving a huge inland river delta.

On can construct a similar imaginary money river for this story. $10 million? It will never see hardware, that money will disappear into the bureaucracy like water into the African plains.

To put this in perspective, $10 million is what, one hour of iPhone sales? That's how important the NSF considers this?

Re:Wow, a whole $10 million?

[Mr+D+from+63]

The government has always suffered from the inability to stop doing anything. They'll minimally fund an organization that serves no real value just to avoid the pain of dismantling it. Its a lot easier to spend a few million and keep a group of workers trudging along than to actually redirect them or, if need be, lay them off. I wouldn't be surprised if that is a big part of the case here.

Re:Wow, a whole $10 million?

[bill_mcgonigle]

I suspect Intel spent $10M on chip R&D while my coffee was brewing.

Re:Wow, a whole $10 million?

[CastrTroy]

$10 million doesn't get you very far anymore. My city has spent over $10 million trying to construct a pedestrian bridge. The initial estimate was over 6.5 million. For a bridge. That people walk on. I think it allows for bikes too. Crazy. And it still hasn't been completed. Who knows how much it will cost by the end of it.

Re:Wow, a whole $10 million?

It'll cost as much as it takes for the politicians who sponsored it to become wealthy enough to retire.

Re:Wow, a whole $10 million?

[lourd_baltimore]

The show was probably about the Okavango River which empties into the Okavango Delta in Botswana.

You're right, none of the water makes it to any sea or ocean. Some of it simply evaporates. However, the majority of the water allows for a thriving ecosystem to exist in an otherwise arid region.

Include this into your analogy as you see fit.

Re:Wow, a whole $10 million?

[tlhIngan]

I suspect Intel spent $10M on chip R&D while my coffee was brewing.

And that's only part of it.

A set of basic masks for an IC costs around $1M. Very basic 2-metal process that is.

Each mask is around $100K to produce, which is why in semiconductor design, there are piles of unconnected transistors and gates that are fabbed into every IC so small revisions can be done by changing the metal layers of the mask only - minimizing the number of mask changes minimizes a huge expense.

A modern IC generally is at least a 10-metal process which eats up that $10M alarmingly quickly.

Re:Wow, a whole $10 million?

Except none of this research is making production processors. Do you have any concept of how university research works? Do you think MIT is spitting out production quality processors? No, because it's idiotic to spend a hundred million dollars to develop something that will never be used or make money. They instead design algorithms, test in simulation, and publish. Then, in five years, Intel puts it in the 5nm Running Bear Lake or whatever they are going to call it.

Re:Wow, a whole $10 million?

Yes, all the government wrangling in order to get a quarter million dollars to universities with hundreds of millions of dollars in research funds. You idiots are so sadly cynical.

Where's the rest of the money coming from?

[pupsocket]

Does four million get even one item on this list?

(from the article)
Combating integrated circuit counterfeiting using secure chip odometers--Carnegie Mellon University
Intellectual Property (IP) Trust-A comprehensive framework for IP integrity validation--Case Western Reserve University and University of Florida
Design of low-cost, memory-based security primitives and techniques for high-volume products--University of Connecticut
Trojan detection and diagnosis in mixed-signal systems using on-the-fly learned, pre-computed and side channel tests--Georgia Institute of Technology
Metric and CAD for differential power analysis (DPA) resistance--Iowa State University
Design of secure and anti-counterfeit integrated circuits--University of Minnesota
Hardware authentication through high-capacity, physical unclonable functions (PUF)-based secret key generation and lattice coding--University of Texas at Austin
Fault-attack awareness using microprocessor enhancements--Virginia Tec
Invariant carrying machine for hardware assurance--Northwestern University

So of course this whole project will need to attract international support from all those other governments grateful that the US role protects the integrity of critical hardware worldwide.

After all, those same governments will probably send their very brightest and most dedicated graduate students and post-docs to the institutions conducting the research.

Maybe they're already supporting it and working on it.

Re:Where's the rest of the money coming from?

[sillybilly]

Which is why a few transistor 80286 for DOS is such a great idea for the military. It can do a lot on the peripheral systems, and the simpler the design, the less its capabilities, the less the security risks. Centrally or in secure locations you can run complex mainframes, that you can inspect and manage the heck out of, but low cost, discardability and security out in the field beg for simplicity in design.

Re:Where's the rest of the money coming from?

[pupsocket]

and the simpler the design, the less its capabilities, the less the security risks

Yup.

Is it mad optimism to suspect that some tiny fraction of the motivation here might not be military but a concern for the integrity of electronic elections?

We're sorry, but ...

[CaptainDork]

... what with the state of education in the US, not only do we not have people with computer talent, we no longer have computer people capable of hacking.

The good news is that all Americans have been removed from the no-fly list.

The bad news is that we're screwed.

$10m or $4m?

[cdrudge]

NSF Awards $10 Million To Protect America's Processors
...
The National Science Foundation and the Semiconductor Research Corporation announced nine research awards to 10 universities totaling nearly $4 million...

One of the first things they are going to research is how to properly add numbers.

Wow! $4 Million Dollars!

[frank_adrian314159]

Dr. Evil would be proud.

Do you guys realize how minor this money is? Do you know how much research costs? Basically, this is an amount that would run one decent sized lab at a research university for maybe a year. If these are the grants we're crowing about... well, I guess it's a start.

$10M a year for five years might be reasonable to get some traction on the problem. All this will do is fund a few papers which will probably disappear. That grad students and post docs will survive another year, I guess, so that might be good.

Hahahahahaha

NSx working against NSx

some babble

The emergence and growth of blogs in the late 1990s coincided with the advent of web publishing tools that facilitated the posting of content by non-technical users. (Previously, a knowledge of such technologies as HTML and FTP had been required to publish content on the Web.)

owietlenie biurowe
Monitoring floty
Navision - BLOG
Navision
rachunek zysków i strat
NAVISION financial

Trustworthy ...

[PPH]

... is a process, not just a technology.

How do I know that some microcode hasn't been added to the CPU/GPU I've got plugged into my motherboard? Is there some sort of independant auditing process in place? Not that this would do any good. Customers of components like FPGAs have demanded methods to secure their device code from illicit inspection and copying. And any audit process would be indistinguishable from such inspection. So that isn' going to happen.

If you buy a router, how can you be sure that a back door hasn't been installed, either by the manufacturer or at some point in the unit's transit? And I suspect tht any attempt to secure such a device from tampering by those evil Chinese would trip over NSA requirements to provide exactly the same kind of access.

Re:Trustworthy ...

[skoony]

this was discussed 15-20 tears ago. the general belief was if it was't already being done it would be.

this will do no good, unless...

[WindBourne]

America also pushes the gov. to buy this and help restart the industry.

Great will they be built here?

[jbrandv]

Do the research here then send the details so they can be subverted... Oops I meant manufactured in China. That'll do a lot of good.

How is this a Federal problem?

You really must have zero concept of how universities do research.

Wow, a whole $10 million?

Do you know anything about research funding? These grants are to support graduate research work for a certain amount of time. Most of these things don't *HAVE* hardware as their outcome. Most likely, they are doing theoretical research into algorithms for detecting bugs and protecting hardware that can then be integrated into future hardware. Do you think that universities just spit out 14nm Xeons made by graduate students?

Jesus, this Slashdot discussion is just idiotic. What the hell happened to this place?

sounds good on paper

[skoony]

there will never be a processor available to the general public that doesn't have a backdoor. now if your a government or corporation with a big and i mean really big wallet... .