When designing and implementing general-purpose processors with security features, assessing the design's security and its vulnerability to various attacks is a full-time activity. Claims of security are always subject to assessment and testing.
Maintaining a public claim to secure processing, however, requires another discipline practiced at CPU Tech, which we call the management of 'Hardware Design Exposure'. Simply defined, design exposure management means keeping the design itself, and the breadth of its capabilities, a company secret, and running an internally managed program that carefully selects our customers and controls our inventories.
The higher the production volume of a given embedded processor, and the more customers who buy it, the less control the producer has over its inventory and the greater the design's 'public exposure' becomes. Foreign governments and intelligence services, potential counterfeiters, and other malicious players then have more opportunities to obtain devices and reverse engineer them. Every attacker who can recover the design can search it for weaknesses, so greater exposure means more potential vulnerabilities and therefore a less secure device or solution.
Protecting program information according to its exposure level is an idea that predates the DoD's modern anti-tamper program. The 'Program Protection Plans' required under DoD 5200.1M describe “a set of processes and infrastructure that guard or limits the exposure of information about critical technologies or operational employment schemes during the development and initial fielding phases of a system’s life cycle”. This passage is cited in one of the original articles on DoD anti-tamper technology, by Lt Col Scott Huber and Jennifer Scott.
Managing hardware design exposure is a difficult task for a small company and an arguably impossible one for a large company, producer, or manufacturer. For this reason, most security programs and strategies will only invest in hardware design exposure management for a small or limited-quantity component producer, and will necessarily assume that counterfeiters and malicious players have full access to the hardware designs of large-quantity component producers. This does not necessarily mean that the small producer has a more secure device, because the device must still withstand the assessment and testing described above; it does mean that the small producer has one more tool available in developing high-security devices.
Intelligently managing the details of the secure processor design does not mean hiding them from customers. It does mean, however, that customers are carefully selected and screened before a significant degree of design information on the secure processor or component is shared with them. Public inquiries into security features and designs will, for the most part, not be answered. This poses a significant challenge in the sales and fulfillment process and requires a higher than normal level of trust between CPU Tech and its customers.
The more active CPU Tech is in limiting exposure and protecting its design information and features, however, the more reliant it becomes on third-party assessments and vulnerability analyses of the secure processor, since fewer outside reviewers are able to examine the design. For this reason, additional trust relationships need to be developed with government and non-government assessors, and with lead customers who perform their own internal evaluations of secure processor products.
While there is absolutely a time, place, and argument for open source in security software and firmware for widely distributed applications and national infrastructure, there is also a solid business case for exposure management and mitigation for smaller, less exposed security requirements and solutions. Most players in the security industry are well aware that security is better described as a race against aggressors than as a gate or threshold to be defined and then crossed. For this reason, the principles of Sun Tzu apply to many secure processor applications:
“He is skillful in defense whose opponent does not know what to attack.” — Sun Tzu