[117907] in Cypherpunks


[crisp@netcom.com: Re: chips, trust, waldoes, ultranoia etc.]

daemon@ATHENA.MIT.EDU (Dave Emery)
Tue Sep 14 21:19:59 1999

Date: Tue, 14 Sep 1999 20:43:28 -0400
From: Dave Emery <die@die.com>
To: cypherpunks@toad.com
Message-ID: <19990914204328.A4296@die.com>
Mail-Followup-To: cypherpunks@toad.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Reply-To: Dave Emery <die@die.com>

----- Forwarded message from Richard Crisp <crisp@netcom.com> -----

Date: Mon, 13 Sep 1999 20:22:12 +0000
From: Richard Crisp <crisp@netcom.com>
To: Dave Emery <die@pig.die.com>
CC: richard crisp <crisp@rambus.com>
Subject: Re: chips, trust, waldoes, ultranoia etc.

Anonymous wrote:
> 
> At 09:16 AM 9/13/99 -0700, Tim May wrote:
> >>There are a lot of people at the Fabs who need green cards.
> >
> >Paranoid, ignorant bullshit.
> >
> >Designs don't work this way. Fabs don't change designs. Even designers who
> >need green cards don't get to change designs.
> 
> You think all those 'Waldos' on chips were designed in?
> 
> Ok, let me be more precise.  *Mask layout people* get the final say.


That is a crock of shit. No engineer that makes his chips work doesn't
check the work of the mask designer. But with modern connectivity
verification tools and with behavioural simulation of layout extracted
schematics versus the design schematic, the back doors have to be
designed in. With formalized verification that is now used on complex
digital chips, that would be difficult to get away with as well.
Basically the chip logic design engineers and the verification engineers
would have to be in cahoots to make something like that fly with modern
design methodology. I suppose in theory a person that wrote the
specification that defined what the chip was to do would be able to
build in back doors, but usually there is a lot of cross checking by
designers back to spec guys cross checked by verification people. If you
want to build a back door, then all three really most likely would have
to be cooperating on it.

> (They are the typesetters; Fabs are the presses,
> chip designers the authors.  Authors skim galley proofs, and presses just
> print what they're given.  The typesetter can have some fun.)
> 
> Certainly you can do much more complex (devious) things
> if you build in your back door at the HDL level.  But it's
> hard to trust something made by so many, no matter how
> much the master chef talks about the freshness of ingredients.  Other cooks
> could have poisoned the soup.
> 
> Not only the HDL, but the tools which generate the masks
> from the HDL should be inspectable.  Not "Free", or "Open Source", etc.,
> but inspectable.  Then you can, by regenerating and comparing, verify that
> the production masks have no special undocumented features.
> 
> (Switching to s/ware)
> You think there's no way a Microsoft security-systems
> programmer could be bought with patriotism and a carrot?
> "Debugging code" and "forgot to remove it from the release" make
> fine deniability.
> 
> If we could inspect the MS source, and run it through
> their production compiler, we could compare bit by bit
> for object level mods.   (This is in addition to
> a regular security analysis of the source itself)
> 
> For a chip, if we could inspect the HDL,
> run it through Synopsys with the correct library and
> settings, and get the masks we see on chip, we have
> high assurance that the chip does what the source says it does
> *and nothing else*.  (Of course assuring that the source code
> does what the *specs* require, and that the specs require
> the right thing, is another problem..)
> 
> -Wait til they see the bats...


This last comment was inspired by "Fear and Loathing in Las Vegas". It
was in the book and in the movie!
rdc


----- End forwarded message -----

-- 
	Dave Emery N1PRE,  die@die.com  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18
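Added example, not part of the thread: a toy version of the two checks Crisp's reply relies on (connectivity comparison of the layout-extracted netlist against the design schematic, plus behavioural comparison of the two) and of the "regenerate and compare" idea in the quoted post. The netlist format, gate names and the sample circuits are all constructed for this example; real LVS and formal equivalence tools work on far larger designs and use SAT/BDD methods rather than exhaustive simulation.

```python
"""Compare a reference (schematic) netlist with one 'extracted from layout'.
Netlist format (constructed): net_name -> (gate, [input nets]); primary
inputs are listed separately. Combinational logic only."""
from itertools import product

GATES = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
    "NOT": lambda a: 1 - a,
}

def evaluate(netlist, outputs, assignment):
    """Return the tuple of output values for one primary-input assignment."""
    values = dict(assignment)
    def val(net):
        if net not in values:
            gate, ins = netlist[net]
            values[net] = GATES[gate](*(val(i) for i in ins))
        return values[net]
    return tuple(val(o) for o in outputs)

def compare_netlists(ref, extracted, inputs, outputs):
    """Connectivity check: nets only present in the extracted netlist.
    Behavioural check: every input vector on which the outputs differ.
    Exhaustive over 2**len(inputs) vectors, so only for small circuits."""
    extra_nets = sorted(set(extracted) - set(ref))
    mismatches = []
    for bits in product((0, 1), repeat=len(inputs)):
        assignment = dict(zip(inputs, bits))
        if evaluate(ref, outputs, assignment) != evaluate(extracted, outputs, assignment):
            mismatches.append(assignment)
    return extra_nets, mismatches

INPUTS, OUTPUTS = ["a", "b", "c"], ["out"]
# Constructed reference design: out = (a AND b) XOR c.
REF = {"n1": ("AND", ["a", "b"]), "out": ("XOR", ["n1", "c"])}
# Constructed extracted netlist: same function, plus an undocumented
# path that forces out=1 only when a=1, b=0, c=0.
EXTRACTED = {
    "n1": ("AND", ["a", "b"]), "n2": ("XOR", ["n1", "c"]),
    "nb": ("NOT", ["b"]), "nc": ("NOT", ["c"]),
    "t1": ("AND", ["a", "nb"]), "trig": ("AND", ["t1", "nc"]),
    "out": ("OR", ["n2", "trig"]),
}

if __name__ == "__main__":
    extra, bad = compare_netlists(REF, EXTRACTED, INPUTS, OUTPUTS)
    print("extra nets:", extra)        # ['n2', 'nb', 'nc', 't1', 'trig']
    print("mismatching vectors:", bad)  # [{'a': 1, 'b': 0, 'c': 0}]
```

Either check alone flags the extracted netlist: the connectivity diff shows five nets the schematic never had, and the behavioural diff pins down the single input vector on which the chip does something the source does not say.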

