Secure IT without vulnerabilities and back doors

Authors

DOI:

https://doi.org/10.14512/tatup.29.1.30

Keywords:

cybersecurity, sovereignty, open source, verification, supply chain risks

Abstract

Increasing dependence on information technology calls for strengthening the requirements on their safety and security. Vulnerabilities that result from flaws in hardware and software are a core problem which market mechanisms have failed to eliminate. A strategy for resolving this issue should consider the following options: (1) private- and public-sector funding for open and secure production, (2) strengthening the sovereign control over the production of critical IT components within an economic zone, and (3) improving and enforcing regulation. This paper analyses the strengths and weaknesses of these options and proposes a globally distributed, secure supply chain based on open and mathematically proved components. The approach supports the integration of legacy and new proprietary components.

References

Becker, Georg; Regazzoni, Francesco; Paar, Christof; Burleson, Wayne (2014): Stealthy dopant-level hardware Trojans. Extended version. In: Journal of Cryptographic Engineering 1 (4), S. 19–31.

Bruneau, Nicolas et al. (2019): Development of the unified security requirements of PUFs during the standardization process. In: Jean-Louis Lanet und Cristian Toma (Hg.): Innovative Security Solutions for Information Technology and Communications. Cham: Springer, S. 314–330.

Chlipala, Adam (2017): Coming soon. Machine-checked mathematical proofs in everyday software and hardware development. Chaos Communication Congress. Leipzig, Deutschland, 27.–30. 12. 2017. Online verfügbar unter https://events.ccc.de/congress/2017/Fahrplan/events/9105.html, zuletzt geprüft am 06. 11. 2019.

Data61 (2020): The HACMS project @ Data61. Online verfügbar unter https://ts.data61.csiro.au/projects/TS/SMACCM/, zuletzt geprüft am 08. 01. 2020.

Eurosmart – European Smart Card Association (2014): Security IC platform protection profile with augmentation packages. Version 1.0. Online verfügbar unter https://www.commoncriteriaportal.org/files/ppfiles/pp0084b_pdf.pdf, zuletzt geprüft am 06. 11. 2019.

hartpunkt.de (2018): Hensoldt kooperiert mit CSIROs Data61. Online verfügbar unter https://www.hartpunkt.de/hensoldt-kooperiert-mit-csiros-data61/, zuletzt geprüft am 08. 01. 2020

Hettinga, Wisse (2019): Sixteen core RISC-V processor Xuan Tie 910. Alibaba. In: EENewsEurope, 25. 07. 2019. Online verfügbar unter https://www.eenewseurope.com/news/sixteen-core-risc-v-processor-xuan-tie-910-alibaba, zuletzt geprüft am 06. 11. 2019.

Huang, Andrew (2019): Supply chain security. „If I were a Nation State“. BlueHat IL 2019. Israel, Tel Aviv, 06.–07. 02. 2019. Online verfügbar unter https://www.youtube.com/watch?v=RqQhWitJ1As&list=UUp892CjX6wps88JivisRMtA&index=6&t=0s, zuletzt geprüft am 21. 01. 2020.

Kiss, Balázs; Kosmatov, Nikolai; Pariente, Dillon; Puccetti, Armand (2015): Combining static and dynamic analyses for vulnerability detection. Illustration on Heartbleed. In: Nir, Piterman (Hg.): Hardware and software. Verification and testing. Cham: Springer, S. 39–50.

Klein, Gerwin et al. (2014): Comprehensive formal verification of an OS microkernel. In: ACM Transactions on Computer Systems 32 (1), S. 2:1–2:70.

Liang, Qiao; Wang, Xiangsui (1999): Unrestricted warfare. Beijing: PLA Literature and Arts Publishing House. Online verfügbar unter https://www.oodaloop.com/documents/unrestricted.pdf, zuletzt geprüft am 06. 11. 2019.

Libre Silicon (2020): Libre Silicon. Free semiconductors for everyone. Online verfügbar unter https://libresilicon.com/, zuletzt geprüft am 08. 01. 2020.

MITRE (2019): CVE Details. Online verfügbar unter https://www.cvedetails.com/browse-by-date.php, zuletzt geprüft am 06. 11. 2019.

Müller-Quade, Jörn; Reussner, Ralf; Beyerer, Jürgen (2017): Karlsruher Thesen zur Digitalen Souveränität Europas. Online verfügbar unter https://www.fzi.de/fileadmin/user_upload/PDF/2017-10-30_KA-Thesen-Digitale-Souveraenitaet-Europas_Web.pdf, zuletzt geprüft am 21. 01. 2020.

Odlyzko, Andrew (2019): Cybersecurity is not very important. In: Ubiquity, Issue June, S. 1–23.

Salmon, Linton (2017): A perspective on the role of open-source IP in government electronic systems. 7th RISC-V Workshop. Milpitas, USA, 28.–30. 11. 2017. Online verfügbar unter https://content.riscv.org/wp-content/uploads/2017/12/Wed-1042-RISCV-Open-Source-LintonSalmon.pdf, zuletzt geprüft am 21. 01. 2020.

Saltzer, Jerome; Schroeder, Michael (1975): The protection of information in computer systems. In: Proceedings of the IEEE 63 (19), S. 1278–1308.

Sauter, Marc (2019): Wieso RISC-V sich durchsetzen wird. In: golem.de, 17. 10. 2019. Online verfügbar unter https://www.golem.de/news/offene-prozessor-isa-wieso-risc-v-sich-durchsetzen-wird-1910-141978.html, zuletzt geprüft am 21. 01. 2020

SBIR – The Small Business Innovation Research Program (2018): Open source high assurance system. Online verfügbar unter https://www.sbir.gov/sbirsearch/detail/1508741, zuletzt geprüft am 06. 11. 2019.

Seifert, Jean-Pierre; Bayer, Christoph (2015): Trojan-resilient circuits. In: Al-Sakib Pathan (Hg.): Securing cyber-physical systems. Boca Raton: CRC Press, S. 349–370.

Sengupta, Abhrajit; Nabeel, Mohammed; Knechtel, Johann; Sinanoglu, Ozgur (2019): A new paradigm in split manufacturing. Lock the FEOL, unlock at the BEOL. In: Proceedings der Design, Automation & Test in Europe Conference & Exhibition 2019.

Šišejković, Dominik; Merchant, Farhad; Leupers, Rainer; Ascheid, Gerd; Kegreiss, Sascha (2019): Control-lock. Securing processor cores against software-controlled hardware Trojans. In: Proceedings des ACM Great Lakes Symposium on VLSI, S. 27–32.

Snowden, Edward (2013): Worldwide SIGINT. Online verfügbar unter https://edwardsnowden.com/wp-content/uploads/2013/11/nsa1024.jpg, zuletzt geprüft am 21. 01. 2020.

Weber, Arnd; Reith, Steffen; Kasper, Michael; Kuhlmann, Dirk; Seifert, Jean-Pierre; Krauß, Christoph (2018a): Sovereignty in information technology. Security, safety and fair market access by openness and control of the supply chain. Karlsruhe: KIT-ITAS. Online verfügbar unter https://www.itas.kit.edu/pub/v/2018/weua18a.pdf, zuletzt geprüft am 21. 01. 2020.

Weber, Arnd; Reith, Steffen; Kasper, Michael; Kuhlmann, Dirk; Seifert, Jean-Pierre; Krauß, Christoph (2018b): Open source value chains for addressing security issues efficiently. In: Proceedings der IEEE International Conference on Software Quality, Reliability and Security Companion 2018, S. 599–606.

Wikipedia (2020): Apple A11 Bionic. Online verfügbar unter https://de.wikipedia.org/wiki/Apple_A11_Bionic, zuletzt geprüft am 21. 01. 2020.

Published

01.04.2020

How to Cite

1.
Weber A, Heiser G, Kuhlmann D, Schallbruch M, Chattopadhyay A, Guilley S, Kasper M, Krauß C, Krüger PS, Reith S, Seifert J-P. Secure IT without vulnerabilities and back doors. TATuP [Internet]. 2020 Apr. 1 [cited 2024 Apr. 13];29(1):30-6. Available from: https://www.tatup.de/index.php/tatup/article/view/6792

Most read articles by the same author(s)