
    A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components

    The semiconductor industry is fully globalized, and integrated circuits (ICs) are commonly defined, designed and fabricated in different premises across the world. This reduces production costs, but also exposes ICs to supply chain attacks, where insiders introduce malicious circuitry into the final products. Additionally, despite extensive post-fabrication testing, it is not uncommon for ICs with subtle fabrication errors to make it into production systems. While many systems may be able to tolerate a few byzantine components, this is not the case for cryptographic hardware, which stores and computes on confidential data. For this reason, many error and backdoor detection techniques have been proposed over the years. So far all attempts have either been quickly circumvented or come with unrealistically high manufacturing costs and complexity. This paper proposes Myst, a practical high-assurance architecture that uses commercial off-the-shelf (COTS) hardware and provides strong security guarantees even in the presence of multiple malicious or faulty components. The key idea is to combine protective redundancy with modern threshold cryptographic techniques to build a system tolerant to hardware trojans and errors. To evaluate our design, we build a Hardware Security Module that provides the highest level of assurance possible with COTS components. Specifically, we employ more than a hundred COTS secure crypto-coprocessors, verified to FIPS 140-2 Level 4 tamper-resistance standards, and use them to realize high-confidentiality random number generation, key derivation, public key decryption and signing. Our experiments show a reasonable computational overhead (less than 1% for both decryption and signing) and an exponential increase in backdoor-tolerance as more ICs are added.

    Payload missions integration

    Payload mission integration is summarized. Activities and achievements for Spacelab OSTA and OSS are discussed.

    Initial flight qualification and operational maintenance of X-29A flight software

    A discussion is presented of some significant aspects of the initial flight qualification and operational maintenance of the flight control system software for the X-29A technology demonstrator. Flight qualification and maintenance of complex, embedded flight control system software poses unique problems. The X-29A technology demonstrator aircraft has a digital flight control system which incorporates functions generally considered too complex for analog systems. Organizational responsibilities, software assurance issues, tools, and facilities are discussed.

    Developing a distributed electronic health-record store for India

    The DIGHT project is addressing the problem of building a scalable and highly available information store for the Electronic Health Records (EHRs) of the over one billion citizens of India.

    Assessment of the NASA Flight Assurance Review Program

    The NASA flight assurance review program, intended to develop minimum standard guidelines for flight assurance reviews, was assessed. Documents from NASA centers and NASA headquarters were evaluated to determine current design review practices and procedures. Six reviews were identified for the recommended minimum. The practices and procedures used at the different centers were analyzed in order to incorporate the most effective ones into the minimum standard review guidelines, and guidelines for procedures, personnel and responsibilities, review items/data checklist, and feedback and closeout were defined. The six recommended reviews and the minimum standards guidelines developed for flight assurance reviews are presented. Observations and conclusions for further improving the NASA review and quality assurance process are outlined.

    Hubble Space Telescope: SRM/QA observations and lessons learned

    The Hubble Space Telescope (HST) Optical Systems Board of Investigation was established on July 2, 1990 to review, analyze, and evaluate the facts and circumstances regarding the manufacture, development, and testing of the HST Optical Telescope Assembly (OTA). Specifically, the board was tasked to ascertain what caused the spherical aberration and how it escaped notice until on-orbit operation. The error that caused the on-orbit spherical aberration in the primary mirror was traced to the assembly process of the Reflective Null Corrector, one of the three Null Correctors developed as special test equipment (STE) to measure and test the primary mirror. Therefore, the safety, reliability, maintainability, and quality assurance (SRM&QA) investigation covers the events and the overall product assurance environment during the manufacturing phase of the primary mirror and Null Correctors (from 1978 through 1981). The SRM&QA issues that were identified during the HST investigation are summarized. The crucial product assurance requirements (including nonconformance processing) for the HST are examined. The history of Quality Assurance (QA) practices at Perkin-Elmer (P-E) for the period under investigation is reviewed. The importance of the information management function is discussed relative to data retention/control issues. Metrology and other critical technical issues are also discussed. The SRM&QA lessons learned from the investigation are presented along with specific recommendations. Appendix A provides the MSFC SRM&QA report. Appendix B provides supplemental reference materials. Appendix C presents the findings of the independent optical consultants, Optical Research Associates (ORA). Appendix D provides further details of the fault-tree analysis portion of the investigation process.