For anyone who needs a refresher, Galois is a Portland-based R&D Security Consulting company who gave a talk at last year's Defcon. They'll be reappearing at this year's DefCon as Free & Fair, a spinoff building a voting machine/system that will be available for us to test. I wanted to get people thinking about it because the underlying architecture is going to be very different from what I expect most of you practice on.
Free & Fair is part of a DARPA funded project to develop security at the hardware level. Technically, it's part of a broader effort called the Electronics Resurgence Initiative, which is meant to 'spark the next wave of electronics innovation'. Basically, Moore's dying and Von Neumann's next. But, the point here is that the ERI just had their summit in Detroit a few weeks ago and the slides from the talks were posted publicly on the agenda page here: http://www.eri-summit.com/agenda-2019
Secure Systems: Voting - Dr. Joseph Kiniry (PDF)
Future Technology: SSITH - Dr. Todd Austin (PDF)
Now that SSITH acronym is the disturbance in the force you should be concerned about. The basic voting machine setup that will be attending DefCon is pictured in the first presentation as well as a thorough explanation of the problem statement and premise of SSITH (System Security Integration through Hardware and Firmware, though where the F went, causa metri I guess). They have a basic ballot marking software running in a Linux environment hooked up to a normal looking printer and an accompanying custom ballot scanner. There may or may not be an accompanying backend tabulator server but they will all be running on the custom Morpheus RISC-V architecture described in the second slides. The goal of the architecture is to adaptively prevent undefined semantic attacks, in theory becoming better as it successfully defends against them by frequently churning memory with some overall performance loss.
So what do you think? I'm a hardware design guy and this will be my first Defcon so I can't judge how difficult this will be for anyone but I know there aren't many RISC-V chips out there that aren't on development boards so I figure the experience/tool chain for it all is fairly nascent. To wrap it up, here are links to Galois's and Free & Fair's Github repos if you are interested in pursuing this more and look forward to seeing you all in Vegas.
https://github.com/GaloisInc
https://github.com/FreeAndFair