
Why Hardware? Special-Purpose Hardware Prevents Cybersecurity Attacks

J. Cox
9 September 2019

Abstract

Cybersecurity attacks are increasingly prevalent and many products have become available for detecting such attacks. However, few products can be found that prevent these malicious attacks. In these pages we examine the advantages of using special-purpose hardware to protect the confidentiality and integrity of data. This protection includes encryption of data, authentication of the data source, verification that the data have not been corrupted and have been transmitted over explicitly authorized links. Only the cybersecurity functions of encryption, authentication, authorization, integrity and no other functions are built into the special-purpose hardware. It’s impossible to successfully execute an attack from an untrusted endpoint because there’s no memory that can be altered to store and execute malware. The same functions can be realized using a general-purpose computer, where its memory and CPU would store and execute the appropriate software. However, using a general-purpose computer risks harmful malware attacks that might compromise the computer, whole networks and ultimately even the nation’s critical infrastructure. The universal nature of general-purpose computers makes them uniquely vulnerable to attack while special-purpose hardware remains safe, even from attacks by the most determined adversary operating from any untrusted endpoint.

To explain to the non-technical reader the difference between a general-purpose computer and special-purpose hardware, we employ a whimsical analogy between a medieval castle and a general-purpose computer. The castle walls do not thwart the clever brigands (malicious network packets) who enter through nooks and crannies to reach the castle’s inner workings. Once inside they practice their mischief beyond the eyes of the castle’s chamberlain (operating system). However, a knight (special-purpose hardware), whose only wish is to thwart the brigands before they reach the castle’s drawbridge (network interface controller), provides trustworthy protection. The castle’s chamberlain, no matter how clever, cannot provide the same protection while performing his many duties. In contrast, the knight does one thing and one thing only.

This analogy will not satisfy the more technically oriented reader. Accordingly an analysis of the cybersecurity protection offered by general-purpose computers and by special-purpose hardware is presented in a final section of this document. A general-purpose computer cannot be shown to be provably safe from an attack launched by an untrusted endpoint without enforcement of strict control over all its executable code. The placement of all cybersecurity functionality in separate, special-purpose hardware can be proven to be safe from such an attack. It has other advantages too. Cybersecurity protection can be dropped into existing fixed-endpoint networks with ease and without the need for added software or the replacement of existing hardware.

In summary, special-purpose hardware can be proven to be safe from attack by untrusted endpoints and, in addition, cybersecurity functionality can be separated from the many other tasks required of a general-purpose computer. This makes it much easier to understand the level of security exhibited by a computer and its network.


Analogy

It may be helpful to think of your computer as your castle, one that has a long line of visitors each carrying packets of information from other castles, near and far. Some of these visitors have harmful intent and your operations and security minister, the lord chamberlain, checks them all at his desk just inside the drawbridge. However, some of the attackers avoid this check and look for vulnerabilities throughout the castle and its walls. Inevitably, a window or door has been left ajar and the attacker enters masquerading as a steward (data). Castle servants, who receive instructions from such an imposter, may view him as a legitimate steward with the result that the attacker has effectively taken control of one or more functions of the castle.

The following sketch illustrates this situation in a whimsical manner, but it is a provocative mental analogy suggesting events that can happen in a general-purpose computer. In fact, imagine that the castle (general-purpose computer) controls a portion of the kingdom’s critical infrastructure or transfers money to and from neighboring castles. Wherever cybersecurity is a high priority and activities are managed by a general-purpose computer, this analogy suggests that there is an opportunity for cybercriminals.

Figure: Your Computer is a Castle. Attackers are Everywhere. (Art provided by Chris Rau Art)

There is a moat around the castle, but it is of little value if the attackers are allowed across the drawbridge to be screened by the chamberlain. The drawbridge is analogous to your network interface controller (NIC) and once across the moat the attackers can find a poorly protected nook or cranny and corrupt, destroy or encrypt the castle’s records. They can also exit carrying valuable records via the rear gate marching along with all the benign visitors and emissaries that you have sent to do your bidding elsewhere in the kingdom.

Instead of allowing the visitors and their packets inside the castle walls, it is better to check them as they approach the moat. As the sketch below suggests, there is a Q-Knight stationed there that has been selected because of his obsessive, compulsive demeanor. He insists on a thorough check of all incoming travelers. The Q-Knight’s duties are completely different from those of the chamberlain who performs a myriad of functions and acts as the castle’s operating system. The Q-Knight does one thing and one thing only: authenticate and authorize visitors.

Figure: Your Computer is a Castle. Protect it with Q-Net Security. (Art provided by Chris Rau Art)

Thus, in our whimsical analogy the OCD-tainted Q-Knight stationed at the entrance to the drawbridge carries out these authentication and authorization checks. No attacker can outwit the Q-Knight and all visitors that fail the checks or arrive without credentials from a trusted castle are cast aside. The moat keeps the ejected attackers from reaching the castle wall.

In the real world, it is best to employ special-purpose hardware, whose only job is to authenticate all incoming traffic and make sure each packet is authorized and flawless. Only then will the payload be decrypted and transferred into your computer. Q-Net Security carries out this agenda outside your computer using special-purpose hardware that is designed for that function alone. It is called the Q-Net Input-Output Unit (QIO) and this smartphone-sized device performs a fixed sequence of steps swiftly without any possibility of compromise.
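The ordering described above (authorize the link, authenticate the source and check integrity, and only then decrypt) can be sketched in software. This is an added illustration, not Q-Net Security's design or code: the packet layout, the names plc-7, hmi-1 and rogue-9, the key table, HMAC-SHA-256 as the authenticator and the SHAKE-256 keystream standing in for a real cipher are all assumptions.

```python
import hashlib
import hmac

# Constructed key table: a key pair exists only for explicitly authorized links.
LINK_KEYS = {("plc-7", "hmi-1"): (bytes(range(32)), bytes(range(32, 64)))}

def _xor_keystream(enc_key, nonce, data):
    # Stand-in for a real cipher (assumption): SHAKE-256 keystream, illustration only.
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, src, dst, nonce, ciphertext):
    # Length-prefix every field so header and payload cannot be re-split.
    fields = [src.encode(), dst.encode(), nonce, ciphertext]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal(src, dst, nonce, payload):
    """Sending side, included so the gate has a genuine packet to check."""
    enc_key, mac_key = LINK_KEYS[(src, dst)]
    ct = _xor_keystream(enc_key, nonce, payload)
    return {"src": src, "dst": dst, "nonce": nonce, "ct": ct,
            "tag": _tag(mac_key, src, dst, nonce, ct)}

def gate(pkt):
    """Fixed order: authorize the link, authenticate and check integrity, then decrypt."""
    keys = LINK_KEYS.get((pkt["src"], pkt["dst"]))
    if keys is None:
        return ("drop", "link not authorized")
    enc_key, mac_key = keys
    expected = _tag(mac_key, pkt["src"], pkt["dst"], pkt["nonce"], pkt["ct"])
    if not hmac.compare_digest(expected, pkt["tag"]):
        return ("drop", "authentication or integrity check failed")
    return ("accept", _xor_keystream(enc_key, pkt["nonce"], pkt["ct"]))

def demo():
    good = seal("plc-7", "hmi-1", b"\x00" * 12, b"valve=closed")
    spoofed = dict(good, tag=bytes(32))      # claims to be plc-7 but holds no key
    flipped = dict(good, ct=bytes([good["ct"][0] ^ 1]) + good["ct"][1:])
    unknown = dict(good, src="rogue-9")      # no authorized link for this source
    return [gate(p) for p in (good, spoofed, flipped, unknown)]
```

A packet that merely carries an authorized source address is dropped at the tag check, and nothing is decrypted for any packet that fails an earlier stage.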


Analysis

The analogy described above may be helpful to some readers, but to others it will not be convincing. To satisfy these others, it is necessary to understand the pivotal difference between special-purpose hardware and general-purpose computers. It is also advantageous to consider a relevant theoretical computer science result.

There are many examples of early applications of special-purpose hardware: the Jacquard loom, the Babbage Difference Engine, punch card sorting machines and the code-breaking Colossus of WWII. These machines were all designed for a single job. The listed machines all predated ENIAC, the first general-purpose computer, which was launched at the University of Pennsylvania in 1945. Since then, because of their computational potential, general-purpose computers have eclipsed special-purpose hardware. Their ability to interweave instructions and data introduces limitless flexibility and unbounded computational variety, a result that was proven theoretically by Alan Turing in 1936. However, this enormous computational blessing comes with the unforeseen cybersecurity curse: the potential for inadvertent execution of malware delivered by attackers located elsewhere on the computer’s network.

To explain this fundamental vulnerability that resides in a general-purpose computer, we must understand that both the lists of instructions (software) and the data to be processed are stored in memory in a way that makes them intrinsically indistinguishable from each other. They both are really just numbers and the same number can serve as an instruction or as a data value depending only on the circumstances of its use. The processing engine (CPU) in a general-purpose computer has no foolproof way to tell the difference. If the CPU reads a data value when expecting an instruction, it will unfailingly execute the instruction that corresponds to that data value. This interweaving of control and data is the weakness that attackers employ to accomplish their mischief.

Careful design and coding of the computer’s operating system (OS) can help to protect against this kind of attack. For example, a microkernel (seL4) has been formally proven to satisfy the classic security properties of data integrity and confidentiality. However, trouble occurs as systems grow in complexity or evolve over time. For example, designers are challenged to maintain cybersecurity when their designs grow to include multiple threads, multiple levels of memory and multiple cores. Despite general improvements in the security of recent OS versions, many users have lingering doubts that may lead them to neglect an upgrade even when it is beneficial to security to do so. However, new code and new functionality will always lead to some increased risk, even though that risk may be decreasing with time as the industry gets better and better at writing more secure software. However, the more executable lines of code there are, the greater the potential for security lapses. Beyond such software flaws, multiple benign application programs can interact to provide the foothold that an attacker uses to execute harmful code. Recently long dormant hardware design lapses (SPECTRE and MELTDOWN) have been found to provide subtle access for attackers wishing to breach confidentiality. With tens of billions of transistors and tens of millions of lines of code in an endpoint computer, policing the trustworthiness of every possible interaction between every instruction and every data value is unattainable.

But why not put all the necessary cybersecurity protection into a program that is installed on your computer and then find a way to prove your computer is safe against a remote attack?
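The observation in this section that the same number can serve as an instruction or as a data value can be made concrete with a toy machine. This is an added illustration, not part of the whitepaper: the four opcodes, the memory layout and the input words are constructed, and the second function models a fixed-function device whose instruction sequence lives outside any writable memory.

```python
HALT, LOAD, ADD, STORE = 0, 1, 2, 3   # constructed toy opcodes, not a real ISA

def step(op, arg, acc, data):
    """Execute one toy instruction against `data`; return the new accumulator."""
    if op == LOAD:
        return data[arg]
    if op == ADD:
        return acc + data[arg]
    if op == STORE:
        data[arg] = acc
        return acc
    raise ValueError(f"illegal opcode {op}")

def run_unified(memory, max_steps=16):
    """Stored-program machine: instruction fetch and load/store share one memory."""
    mem, acc, pc, trace = list(memory), 0, 0, []
    while pc + 1 < len(mem) and len(trace) < max_steps:
        op, arg = mem[pc], mem[pc + 1]
        if op == HALT:
            break
        trace.append((pc, op, arg))        # whatever pc points at is executed
        acc = step(op, arg, acc, mem)
        pc += 2
    return mem, trace

def run_fixed(rom, data):
    """Fixed-function machine: fetch reads only the immutable `rom` tuple."""
    data, acc = list(data), 0
    for pc in range(0, len(rom), 2):
        acc = step(rom[pc], rom[pc + 1], acc, data)
    return data

# The same adder in both machines; the input words (3, 0) are constructed data.
INPUT = [3, 0]
UNIFIED_IMAGE = [LOAD, 6, ADD, 7, STORE, 8] + INPUT + [0, 0]  # data follows code
ROM = (LOAD, 0, ADD, 1, STORE, 2)

def demo():
    mem, trace = run_unified(UNIFIED_IMAGE)
    return mem, trace, run_fixed(ROM, INPUT + [0])
```

In the unified machine the input words at addresses 6 and 7 are fetched as `STORE 0` once the adder finishes, and the first instruction of the program is overwritten; in the fixed machine the same words are only ever operands and the result is simply 3 + 0.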


To explain why that is an impractical idea we need to return to Alan Turing’s pivotal 1936 paper. That paper proved the existence of what we now call general-purpose computers, computers that were all equivalent to each other in the sense that they were universal in their ability to eventually calculate anything that is computable. Turing’s 1936 paper also proved an important result known as the Turing halting problem, the problem of determining whether an arbitrary computer program with an arbitrary input will finish running (i.e., halt) or instead run forever. Turing showed that such a question was undecidable.

By building on the work of Turing, Kirkpatrick¹ has recently shown that computer security within a general-purpose computer is algorithmically intractable. Even by comparing a suspected operating system with an authentic copy, the task of locating the first byte of foreign machine code that might execute was shown to be undecidable. Thus, to prevent attacks with certainty requires meticulous control of all input data, web interactions and downloads. Normally, this degree of oversight is unacceptable in all but the most sensitive of applications.

Instead of trying to patch the many vulnerabilities associated with a general-purpose computer, the cybersecurity manager should consider the use of special-purpose hardware. The Q-Net Security QIO product employs silicon that encrypts, decrypts, authenticates and authorizes all communication and, in addition, includes important functionality to generate and manage all packets and keys.

Special-purpose hardware, such as the QIO, that executes no other functions than those required for cybersecurity protection, can never be breached by packets sent from an untrusted location. The QIO cannot be programmed or reprogrammed to perform any actions other than the specified cybersecurity functions. A breach is impossible even when the attacker spoofs the packet’s source-address because of the potent authentication provided. Furthermore, the QIO has no memory for the storage of malware instructions and the confidentiality of all exported data is automatically protected by strong encryption. Thus, protection against attacks from an untrusted endpoint can be proved and the confidentiality of exported data is always protected.

Contrast the ease of use and the provable safety against attack provided by the QIO with the absence of those qualities in a general-purpose computer. With the QIO the user can obtain cybersecurity protection without change to habits or the replacement of legacy equipment.

The proof of safety against remote attack lies in the immutability of the microcircuit wires that determine the sequence of QIO cybersecurity operations including:

• True random key generation
• Frequent and reliable delivery of keys to authorized destinations
• Cryptographic wrapping of keys for delivery
• Payload encryption
• Payload decryption
• Authentication of sources
• Authorization of transactions

The QIO performs all these operations without significant impact on link bandwidth, link latency or endpoint throughput. Ideal applications for the QIO involve machine-to-machine communication between endpoints connected by IP networks such as an ICS/SCADA network. Endpoints can be located anywhere in the world. The transport medium can utilize private networks, public networks, copper, optical fibers, wireless links or any combination thereof. If the network successfully transported traffic between the fixed endpoints before installation of the protecting QIOs, it will do so after their installation. The QIO protection drops in without software updates, without any changes to existing network links and without modification of connected equipment.

¹ Brent Kirkpatrick; https://www.intrepidnetcomputing.com/security/whitepapers/undecidable.pdf

The major advantages of the Q-Net Security approach are:

• After installation of a QIO, an endpoint can be proven to be protected against malware attack.

• Distributed Denial of Service (DDOS) attacks are blunted because the QIO deletes these troublesome packets and thereby protects the endpoint from harm.

• No changes or additions to an endpoint’s legacy-code are required. No modification of existing equipment is needed.

• The external placement of the QIO protects, but does not intrude on the endpoint and so does not reduce the endpoint’s processing capability.

• The cryptographic functions of key-generation, key-management, encryption, decryption, authentication and authorization are carried out faithfully and privately in the QIO. This is in contrast to a general-purpose computer, where a determined adversary can often find ways to access these essential cryptographic functions.

In summary, we propose that the current perimeter-based (firewall) approach to establishing cybersecurity protection be abandoned in favor of protection placed at each fixed endpoint. The Q-Net Security solution is a perfect way to protect connections between data-centers, between individual nodes in data-centers and between ICS/SCADA nodes in factories, offices and at the control points of our nation’s critical infrastructure. Our approach takes advantage of the immutability of function provided by the QIO’s special-purpose hardware. The inevitable vulnerability of a general-purpose computer is thereby completely avoided. Finally, the strong protection provided by the QIO drops into a properly functioning IP network smoothly without change to existing hardware and software.