Fabrication and design phases of all critical TRUSTLESS hardware components will be subject to oversight processes, or CivicSite (also “Civicfab”), that aims to substantially exceed in end-user-assurance those of even Common Criteria EAL5-7 Site Certifications and NSA Trusted Foundry Program, at substantially lower costs. CivicSite oversight processes for all critical phases (which cannot economically be verified ex-post) will involve extreme safeguards, including using only CivicDevices for critical functions, and including on-site offline oversight of 5 randomly-selected trained citizen-witnesses, similar to polling station processes in governmental elections.
Why is the CivicSite needed and cost-effective? CivicSite processes are needed because of the grave and real risk that hardware or software vulnerabilities may be introduced by some entity during the manufacturing process, and inadequacy of current fabrication standards. Such introduction, if performed in critical fabrications phases, cannot be ascertained afterwards. “Trust cannot be added to integrated circuits after fabrication” said the US Defense Science Board already in 2005. At first, it would appear that building a chip manufacturing plant would be the best way to provide the highest security of the chip manufacturing process. However, at a cost of 200M€, for very old technology, to 4bn€, for the latest, such costs are not only prohibitive but of very little use since, even though such plant may be located in the same nation where the TRUSTLESS service is offered, the problem of verifying and overseeing the process remains almost completely intact. Therefore, even if there was a budget of over 100M€ available to ensure hardware security, the best way to spend such budget would be in oversight procedures and technologies rather than manufacturing, provided that the necessary foundry access is granted.
How it works. Follows possible solution, for the sake of validating its feasibility. The actual solution will be developed during the project. CivicSite will deploy general concepts reportedly applied by NSA Trusted Access/Foundry Program today in cases in which they require the highest-level fabrication oversight assurance. They reportedly choose a foundry that fits the equipment and general oversight process specifications – located, if not in the US, in a country that overall provide more assurance than others – which will agree to:
- (1) Make sure that the requested hardware is all produced in one continuous batch in a short time span (a few days or weeks), as is typical anyway;
- (2) Allow, for each batch, to setup and configure an extensive sensing, and monitoring infrastructure – often made by specialized proprietary companies – and allow about 3 (or more) competent, trained, redundant and trusted technicians, per shift, to verify thoroughly the entire process, 24/7 and on-site, from the monitoring room and inside the cleanroom.
In addition to that, the CivicSite will:
- (A) Add at minimum number “userwitnesses”, made up of 5 (or more) randomly-sampled TRUSTLESS users and 4 (or more) user-elected TRUSTLESS users, in a role of active oversight witnesses 24/7. They would be well paid to take that time off, would be extensively trained and “selftrained” through open participatory processes;
- (B) Choose to produce critical ICs (such as CPU, SoC, memory, etc) at EU-based 200-300mm EAL5+ foundries with older technologies, simpler processes, and less third-party IP obstacles than today’s’ Asian megafabs, that allow the technicians and witnesses to publicly and completely document the process with videos, photos and more. One such foundry, Lfoundry, has already agreed to the access and transparency terms outlined here, as participant of a previous H2020 FETOpen proposal.
- (C) Equipment and sensors, to be applied to the chosen foundries, should as much as possible not require direct interventions or disruption of the foundry equipment and facilities, but just rely on setting up an additional overlay of sensing equipment, and on getting copy of the existing quality control sensor feeds. This would also increase the “portability” of the CivicSite processes to other foundries, and in part the resiliency of the solution.
- (D) Sensing and oversight equipment will as much as possible be airgapped, make use of high-assurance verifiable systems, and where possible based on TRUSTLESS SW&HW.
Mitigation of the risk of malevolent use caused by technical designs being made publicly available for transparent review
Large non-EU non-NATO non-allied countries already have all the capabilities to build systems to the TRUSTLESS trustworthiness levels, and could make it available to terrorists. The public verifiability of the source designs of every critical SW & HW prescribed by TRUSTLESS Paradigms for all critical components could appear to potentially enable malevolent actors to fabricate their own devices for malevolent use beyond the capability of interception by even the most power intelligence. Nonetheless, we carefully concocted preliminary definition of safeguards to sufficiently and radically mitigate such threat.
In fact, smaller potentially malevolent states or group, by contrast, in order to achieve and sustain the TRUSTLESS levels of assurance, using the results of the project, would need to have a extreme control of a suitable semiconductor foundry, because, as US Defense Science Board said already back in 2005 “Trust cannot be added to integrated circuits after fabrication”. The dramatic increase in the complexity of critical HW fabrication and design processes makes avoiding the insertion of an undetectable critical vulnerability throughout the supply chain and lifecycle an easy task for Western intelligence services. Furthermore, even a small foundry, by current global standards, is a very complex operation with over 1000 staff and typically 800 or more discrete fabrication processes over several weeks, including dozens of critical ones where a critical error or malicious alteration modification, can not be detected afterwards. Provisions in the design will be set in the HW/SW architecture to ensure that TRUSTLESS/CivicIT endpoint devices cannot be produced in smaller prototyping labs, mainly through the use of IP cores tied to specific, capital intensive fabrication processes, naturally not available on mini scale prototyping fabrication facilities and foundries.
In the rare case in which the criminal or enemy group or state-agency might attempt to enter into agreements with suitable foundries to build such systems, state intelligence can easily make sure to either prevent it or, better yet, insert vulnerabilities in their fabrication or design processes to acquire in the future extremely valuable intelligence.
To the extent that the above mentioned safeguards may prove to be insufficient to adequately prevent such risk, the project will explore the possibility that a subset of the hardware designs – as opposed to all other critical technical components – may not be made public, but subject to multiple redundant verifications which involve direct oversight processes involving both random sampled citizens and elected officials, under suitably controlled environments.