Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
ZY
X
W
VU
TS
RQ
PO
N
ML
K J I HG
FE
DC
BA
98
76
5
43
210
C4T
S
PV
6O
0E
KJ
5
Z2
I 1 H RD
8Q
GY
9U
3F
AM
7
NB
WLX
TOWARDS DIGITAL SOVEREIGNTY BYOPEN SOURCE (HARDWARE)2nd Free Silicon Conference, Sorbonne Université, Paris
March 14, 2019
Steffen [email protected]
Theoretische InformatikStudienbereich Angewandte InformatikHochschule RheinMain
THE REAL WORLD
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
WELCOME TO THE DESERT OF THE REAL
Smart City Vulnerability: Experts warn against attack-ing smart cities. Recently, it hit the stormwarning sys-tem in Dallas, which howled abruptly during the night.(Heise, 20.04.2017)
Audi TT: Airbags can be secretly deactivated by soft-ware.(Heise, 27.10.2015)
Fiat Chrysler: Recall of 1.4 million cars to fix remotehack(Slashdot, 24.7.2015)
Attacks on heaters - Hackers freeze Finns: In theeast of Finland unknown people have shut down sev-eral blocks of flats.(Spiegel, 8.11.2016)
3
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
NEVER TELL ME THE ODDS
Root-shell at hospital: Infusion pump with telnet-security flaw.(Heise, 05.05.2015)
Security researchers: Cars can be hacked via digitalradio(Heise, 26.7.2015)
Security flaw in the pacemaker: A firmware-upgradeshould protect patients with pacemaker against beinghacked. It is not clear whether the devices will be safeafter the update.(Heise, 11.2.2017)
Clearly, we have to fix Soft- and Hardware together (onall levels) to improve the situation!Idea: Clone the success (security!) of BSD & Linux
4
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
(SOME) REASONS FOR THE SUCCESS OF LINUX & BSD
→ The UNIX became closed source (by AT&T) → Stallmanstarted the GNU-Project (demand)
→ Free and flexible tooling, e.g. the GNU Compilercollection (GCC) (easy to use, expandable, fixable)
→ Fun makes developers successful: ”I’m doing a (free)operating system (just a hobby, won’t be big andprofessional like gnu) for 386(486) AT clones.” (Torvalds)
→ Linux is/was used for research & teaching → theknowledge is transfered from university to industry
→ Broad sharing of costs (cf. Google, Amazon, Facebook,etc.)
We need attractive, portable and productive tooling foryoung developers, a CPU-core and cryptographic sugar.Bad examples (selected): (System-)Verilog, VHDL, Xilinx,Cadence and ARM!
5
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
SOMEONE HAS TO PAY
Question: Where is Germany successful?
→ renewable energy (claimed)→ mechanical engineering→ chemical industry→ automotive industry (still) / IoT
Idea: Use old concepts, new technology and bettersoftware to build invisible, cheap and "unattractive"hardware for the IoT / automotive market to overcome ourproblems.
Goal: Improve our digital sovereignty by learning andcreating own hardware for our privacy!Claim: On the long run it is possible to use the ideas fromopen source to build open cryptographic hardware.
6
(SOME) SECURITY FOR CARS
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
I HAD A BAD FEELING ABOUT THAT . . .
A modern car has to solve a lot of critical tasks:
→ ABS / ESP / Airbag / X by Wire→ Engine control unit / Immobilizer→ Odometer (cf. §22b StVG)→ Multimedia / Entertainment
New(er) applications:
→ Car2X→ Charging of electric vehicles→ and even worse: Smart / Autonomous cars
Especially the last topic will cause a huge demand for methodsof IT-security and cryptography!
8
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
COMPLICATIONS AROSE,
Current asymmetric crypto (cf. digital signatures, certificates,digital cash, etc.) is mainly based on two computationalproblems:
PROBLEM: FACTORINGINPUT: Integer nOUTPUT: Primes p1, . . . ,pl such that p1 · . . . · pl = n
PROBLEM: DLOG(G)INPUT: A generator g of a large cyclic subgroup of G,
b = ga
OUTPUT: Exponent a
It is believed that both problems cannot be solved efficiently,but
9
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
ENSUED,
capable quantum computers can solve FACTORING andDLOG(G) efficiently (Shor’s Algorithm)!
⇒ we lose nearly all asymmetric algorithms like RSA,Diffie-Hellman key exchange, ElGamal and Elliptic Curvecryptography and all related business models.The following schedule seems realistic:
AtomicQuantumClock
QuantumSensor
IntercityQuantum
Link
QuantumSimulator
QuantumInternet
UniversalQuantumComputer
2015 2035
We need crypto for (classical) embedded systems whichwithstands attacks by quantum computers!
10
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
WERE OVERCOME
Due to lengthy development time, the automotive industryis in real trouble (also here ;-) and has to find answers!
Maybe we have found an industry with (huge) demand!
We have various methods from post-quantum cryptography:
→ Code-based PQC→ Lattice-based PQC→ Hash-based PQC→ Multivariate PQC→ Supersingular Elliptic-curve Isogeny PQC
Make them work for embedded systems!11
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
NO SECRETS
Kerckhoffs's principle is fully accepted in cryptography(except for a few fools):
→ Cryptographic algorithms and→ Software and→ applications are created having Kerckhoffs's principle
in mind!
But (cryptographic) hardware is created in a closedprocess.
We have to change this!Everybody should say this again and again, because thecurrent situation is ridiculous!
12
THE WORLD IS NOT ENOUGH
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
AN OVERSIMPLIFIED IT-SUPPLYCHAIN
Hardware description
(e.g. Verilog, VHDL)
EDA tools(synthesis, place &
route)
Preproduction(e.g. exposure mask)
Manufacturing(semiconductor fab)
Workstation
Embedded system
Hardware Development Hardware Production
Software DevelopmentUser
Applicationprogram
Chip
s
Tapeout
System redesign
Compiler & otherdevelopment tools
Operating System
Any stage of this chain can be attacked!
14
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
CAPTAIN, YOU ALMOST MAKE ME BELIEVE IN LUCK
Symmetric methods use secret keys:
→ Secure non-volatile on chip memory is needed→ We need secure random numbers→ Nice to have: PUFs (Physically uncloneable functions)
Asymmetric methods (often) need arithmetic with largenatural numbers:
→ powerful (much more than for Elliptic Curves!) µCs oracceleration-units are needed
Hence we really need really cheap hardware (mass-market!)based post-quantum crypto for automotive, the energysector, medical engineering, automation technology, . . .
15
OPEN SOURCE HARDWARE
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
SOME OPEN-SOURCE TOOLING FOR HARDWARE
We have a surprisingly large number of options:
Hard
war
ePl
ace
& Ro
ute
Synt
hesis
Test
fram
e-w
ork
Sim
ulat
ion
Test
benc
h
Met
a HD
L
Visu
alis
atio
n
Sim
ulat
ion
Debug-Output
YOSYS
SPINAL HDL
ICESTORM
ARACHNE / NEXT PNR
QFLOW
GHDL ICARUS VERILOGVERILATOR
COCOTB
CHISEL PYTHON
GTK-Wave
Executable / Debug-O
utput
AS
IC-Layout
Lattice Bit-File
Legacy Code
Legacy Code
C�ASHMYHDL
Debug-Output
SpinalSim
VHDL
Verilog
PYTHON
17
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
A NEW HOPE
A project for one semester (computer science) by Lars Müller,Jens Nazarenus, Daniel Schultz and Marius Sternberger led toa VexRISCV derivate with hardware acceleration for thestream cipher ChaCha.The design is completely based on SpinalHDL, VexRISCV,VexRiscv-CCOPI1 (hosted on github):
→ 277 MHz clock→ speed-up (hardware acceleration) ≈ 3→ 1950 LUTs on an Artix-7 FPGA (without acceleration 1670
LUTs)→ modified gcc (intrinsics for ChaCha)
1https://github.com/jens-na/VexRiscv-CCOPI.git18
https://github.com/jens-na/VexRiscv-CCOPI.git
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
A NEW HOPE (II)
The project delivered an ASIC (simulation at the moment) too:
→ 50 MHz clock→ 35000 Gates / 350 nm→ 2 kB ROM / 4 kB RAM→ 8.9 mm2
Price (Europractice): 8402e for 40 pieces.
→ JTAG needs to befixed!
→ Next project: Port thisdesign to 180nm (moreRAM).
Open Source can build complex crypto-hardware!19
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
TO BE AND NOT TO BE, THAT IS THE QUANTUM QUESTION
Using VexRISCV Ingo Braun implemented hash-basedpost-quantum algorithms (XMMS2).Use the Murax Soc VexRISCV-variant with mul/div and BarrelShifter (2044 LUTs / 1448 FF) on an Artix7:
→ Keccak-1600: 6110 LUTs, 3115 FF 3115 and FMax 105MHz. One hash-step needes 31 cycles.
→ SHA2-512: 4131 LUTs, 3052 FF and FMax 106 Mhz. Onehash-step needes 71 cycles.
→ Haraka512: 6046 LUTs, 2535 FF and FMax 105 Mhz. Onehash-step needs 17 cycles.
We can build post-quantum enhanced CPUs now!2https://eprint.iacr.org/2011/484.pdf and RFC 8391
20
https://eprint.iacr.org/2011/484.pdf
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
TOWARDS A LOW-COST SENSOR FOR IOT APPLICATIONS
Reimplementation3 of the J1-CPU from James Bowman(cf. Harris RTX 2010) using the Meta-HDL SpinalHDL (total:1233 LoC) gives:
→ 120 MHz clock (1 cycle per instruction) on a Xilinx Artix7→ Forth-System in 5KB RAM (max. 8KB RAM)→ Resources: approx. 317 LUTs (293 Logic / 24 Memory), 2
BRAMs, total system: 931 LUTs 1.5% of a XilinxArtix7-100)
→ Port to Lattice ICE40HX8K (IcoBoard) 2031 LUTs (max.7680 LUTs), 18 BRAMs (max. 32 BRAMs), 42 MHz clock
→ FORTH-implementation of AES-128 (Encrypt) does 3.2kB/sec@ 100Mhz
3https://github.com/SteffenReith/J1Sc21
https://github.com/SteffenReith/J1Sc
THE FUTURE
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
DIFFICULT TO SEE. ALWAYS IN MOTION THE FUTURE IS!
Possible ways to improve the (desperate) situation:
→ We need a broad discussion about the fact that wenearly lost control (CPUs / Fabs / KnowHow) onEuropean level. Interestingly China (and Russia) has anown microprocessor family and EDA tooling (why?).
→ We need open, certified (special laws?) and provencomponents to push the local industry (startups!).Prototypes (publicly funded?) of production readyHardware-Security Modules.
→ Back to the roots! Much more computer engineering atuniversity level (bachelor/master/PhD). We don’t haveenough engineers for semiconductor design.
23
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
WHAT ELSE TO DO
→ Improve the open tooling for making and proving chips(costs are prohibitive for startups / small companies) →new ideas from small groups.
→ Fund (true) startups (established companies have shownthat they cannot improve the situation), create alternativesfor young engineers.
→ A modern and accessible Fab (public infrastructure?).Otherwise we have no control (prize / know-how /hardware trojans). Maybe similar to the idea of PCB-Pool.
→ We need laws that demand to use open hardware forcritical applications → strong impact (cf. RoHS and CE)and equal costs for competitors on the market.
→ Work together! The advantage of the other regions ishuge. One (big) company / university cannot do this alone.
24
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
FURTHER READING
SECURITY, SAFETY AND FAIR MARKET ACCESS BY OPENNESS AND CONTROL OF THE SUPPLY CHAIN
SOVEREIGNTY IN INFORMATION TECHNOLOGY
WHITE PAPER V1.0, MARCH 2018
Arnd WeberSteffen ReithMichael KasperDirk KuhlmannJean-Pierre SeifertChristoph Krauß
http://www.itas.kit.edu/pub/v/2018/weua18a.pdf25
http://www.itas.kit.edu/pub/v/2018/weua18a.pdf
The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future
Thank You!
26
The Real World(Some) Security for CarsThe World Is Not EnoughOpen Source HardwareThe Future