We Want To Believe

Defenders battle attackers, using the platforms they have, not the platforms they wish they had. Builders and defenders hold persistent beliefs about software and hardware platforms. Every day, persistent attackers set out to prove defenders’ beliefs wrong. After an attacker succeeds, their unscheduled observations may join the Observe-Orient-Decide-Act (OODA) loop of product managers in platform security supply chains.

If “Trust, but Verify” is the motto of information security, “Buy, then Believe” could be the motto of modern mass production and post purchase regret-mitigation marketing. Volume creates self-fueling economies of scale. With sales volume driving profits for research and development, even initially-weak implementations can eventually narrow the gaps between marketing, engineering, customer beliefs and attacker observations.

High deployment volumes increase the chance of a platform bearing data targeted by the most competent attackers. Oft-ignored docs may specify “X” and builders may believe “Y”, but attackers will relentlessly sift the legacy detritus of high-volume platforms in search of “Z” — archaeological clues to profitable exploits. As software eats the world, how long can we wait for builders, attackers and defenders to traverse this loop?

The future of hardware is already here, time-shifted and distributed across semiconductor foundries, microelectromechanical sensor (MEMS) manufacturers, and electronic design automation (EDA) software, mapping analog signals with new materials, processes and algorithms. With signposts from prototype benches and draft specifications, we can reevaluate past designs in the light of future possibilities.

Four decades after ARPANET—precursor of the modern Internet—threats have evolved and the need for resilience has expanded from networks to chips—the networks of chips which comprise modern devices. New sensors and chips invite new interconnects, topologies, protocols and supply chains, advancing latency, bandwidth, size, weight, power … and threat models.

Is vertical integration the only way to manage the complexity of post-Moore, domain-specific, heterogeneous computing? Can markets support open protocols with small attack surfaces and low complexity, enabling safe composition of platforms with multi-vendor components? Transparent design is possible even in contested domains, with stable open-source hardware and software components mediating domain-specific, rapidly evolving commercial/defense components from fiercely competitive suppliers.

Open security architectures can preserve interoperability, encourage competition and amortize rare human talent across multiple domains. Modern hardware-assisted isolation and inter-partition communication enable access-controlled composition of open and/or obscure components. They separate auditable enforcement mechanisms from reusable security policy, allowing profitable customization for supply chains, business workflows, evolving threat models and domain-specific defense.

In the era of connected devices and remote updates, when does product maintenance end? If firmware and software teams have moved onto new devices, who will service the industrial base of deployed devices? What are the incentives for attack on centralized continuous integration (CI) platforms, which screen patches and validate security fixes? We use platforms to build platforms. Can we inventory our supply chains and platform roots of trust for DevSecOps?

Platform Security Summit 2019, Oct 1-3 in Redmond, WA, USA, was an experimental conference for narrowing gaps between platform security beliefs and archaeology, to help builders and defenders converge on the platforms they wish they had.

This year, we were pleased to welcome ~100 attendees from ~50 companies, with 35 presenters from academia, research, vendors and operators, sharing builder, defender and attacker expertise in hardware, firmware and platform integrity for Arm, Power, RISC-V and x86 architectures. Many of the above topics were discussed in presentations and challenging Q&A discussions.

Many thanks to Microsoft for hosting the conference in Redmond, Intel for sponsoring the networking event, OpenEmbedded and Software for the Public Interest for their fiscal sponsorship of the conference, and most of all —PSEC 2019 participants— for co-creating a learning lab for builders and defenders, across terminology, expertise, roadmaps and platforms.