



In recent years, cybersecurity has been at the forefront. On any given day, the headlines reflect the ongoing threat of hackers, nation-state attackers, and organized crime exploiting computer vulnerabilities for economic or strategic benefit. For example, a ransomware attack on an oil pipeline left more than 45 million Americans worried about gasoline shortages and rising prices. This is not only an attack on infrastructure, but also an attack on Americans’ peace of mind and freedom of movement.


Freedom in a democracy has always demanded that the government provide vigilant defenses. People who were not ready to defend their freedom were often vulnerable to threats. And now, cybersecurity threats extend to the silicon chip level. For example, the 2016 DDoS attack by the Mirai botnet was carried out by hacked IoT devices, which consist mostly of microchips that execute embedded code.

To combat cyber threats to computer chips, the Defense Advanced Research Projects Agency (DARPA), a US Department of Defense agency, has awarded the Applied Research Laboratory for Intelligence and Security (ARLIS), a University Affiliated Research Center (UARC) at the University of Maryland, a four-year contract to independently verify and validate the technology for developing secure microchips as part of the Automatic Implementation of Secure Silicon (AISS) program. AISS aims to combat four categories of microchip cybersecurity issues:

Side-channel attacks (where hackers eavesdrop on chip communications); reverse engineering (to steal chip intellectual property); malicious hardware (the chip leaks secrets or stops functioning); and supply chain attacks (creating counterfeit parts, or re-marking defective chips and reselling them into the supply chain).

To thwart these cyber threats, the AISS program enables the development of secure silicon by allowing government contractors, state research universities (University of Florida, Texas A&M, etc.), and the private sector to specify security constraints for chip design. Instead of requiring hundreds of experts working on silicon security, AISS automates the process by presenting chip designers with a set of virtual knobs that can be tailored to the needs of the final application.

Warren Savage, a visiting researcher at ARLIS, says that chip designers know what the application is. For example, suppose you are creating an IP router chip. Or maybe you’re designing something simpler, like a smart sprinkler that tells you when it’s raining and whether your yard is wet. In the first case, sensitive data moves over the network, which requires a high degree of security, but because the router is plugged in, power is not an issue. For sprinklers, the value of moisture information to hackers is low, so the data can be less tightly secured, but there is a risk that the chip design itself will be stolen.

AISS allows designers to constrain chips based on security, power, timing, and cost. Based on these constraints, AISS runs dozens of experiments to determine the optimal chip design and, as an example, presents the three best candidates for the application.

Business challenges

In a sense, chip design hasn’t changed much since the 1990s. Back then, chips were designed on computer workstations. However, not all AISS experiments can be performed in a timely manner on on-premises workstations. To enable AISS to address four key areas of silicon security, a cloud environment had to be created, Savage said. The cloud platform needs to support hundreds of virtual machines and associated storage in order to run AISS experiments quickly and in parallel.

Nevertheless, the chip design process and chip design tools are still very traditional (e.g., on-premises computing farms), and this required a cloud architecture that mimics the traditional semiconductor design environment as closely as possible. AISS needed to provide an on-premises look and feel, but it had to run in the cloud to provide the computing resources it needed and to support a large group of researchers around the world.

The AISS program collaborates with 15 major government agencies, public research universities, and Fortune 500 companies, creating the unique challenge of developing a cloud computing architecture that meets the operational requirements of all these organizations. Everyone needs access to the cloud environment and the freedom to collaborate, but at the same time, each participant needs assurance that its intellectual property (IP) and other proprietary knowledge is secure.

According to Savage, the ARLIS architecture (the AISS cloud) appears to be a network of 15 on-premises environments. That way, Organization A can collaborate with Organization B, but everything remains secure, so work stays confidential while collaboration can happen wherever it is needed.

According to Savage, the architectural concept was the simple part. From his point of view, the real challenge was standing up the entire platform so that everything actually runs in the cloud yet looks like an on-premises environment.

Solution

According to Savage, running the experiments is where Google Cloud Platform (GCP) comes in. With GCP, you can run 50 experiments, aggregate the results, and provide users with recommendations for the security configuration that best fits their constraints.


After deciding on GCP, Savage concluded that external assistance was needed to deploy AISS to the cloud. As a longtime technical expert in the semiconductor industry, Savage often hires IT specialists and has benefited from the environment they set up. However, he felt that AISS-scale projects needed cloud computing experts.

After creating the cloud architecture specifications needed for AISS, I felt very strongly that I had to hire a consultant to handle the actual implementation, Savage said. I wasn’t entirely sure my team and I could handle this on our own. That’s when Google Cloud introduced me to SADA.

In Phase 1 of the AISS project, SADA helped participating organizations launch 15 private subnets to carry out their work. SADA also set up login-server access to shared application services such as EDA tools and source code control repositories. To ensure the security of all participants, only uploads to AISS were enabled, not downloads. To meet that requirement, SADA implemented Virtual Desktop Infrastructure (VDI). This allows researchers to do their work inside the AISS cloud without having to store the data on their local machines.

VDI allows you to enter the AISS cloud environment, but only allows users to upload, Savage said. The technologies that the participating research institutes bring are worth millions of dollars, and we don’t want such valuable assets to leak out. Locking down AISS allows anyone on the project to work with the technology, knowing that it can’t escape.

Result

As a result of the collaboration between ARLIS, SADA, and GCP, approximately 100 researchers from 15 different government agencies, public universities, and private companies have been successfully onboarded onto the AISS platform. They represent researchers of all kinds, from academic research scientists to skilled chip designers. They are beginning to work together to bring AISS to life.

In Phase 2, SADA and Google Cloud will set up a Slurm scheduler to support AISS participants in high performance computing. Think of this as a virtual enclosure for a virtual machine. We plan to make 100 Google computing engines available to users, Savage said. Then if an AISS user wants to run 50 experiments, he will send all 50 experiments to GCP and Slurm will schedule all those jobs.

Google Cloud Compute Engine also allows AISS researchers to seriously address all four categories of silicon cyber threats, especially supply chain attacks.

As AISS moves to Phase 2, the impact on national security and the security of semiconductor supply chains will become more apparent, Savage said. AISS can have a significant impact on how computer chips are protected for US consumers by preventing or significantly reducing device hacking. And as we’ve seen recently, the threat of hacking at the silicon level, whether it’s our personal cell phone, an oil pipeline connected to the internet, or a smart grid, is a real thing we all have to deal with.

In summary, ARLIS gained the following benefits from using SADA and Google Cloud:

Launched 15 individual interconnected GCP projects with an on-premises look and feel; successfully onboarded over 100 silicon security researchers across 15 prominent public and private organizations; and laid the foundation for high performance computing in Phase 2 of the AISS project.

Public release approved: Unlimited distribution.

