TCCB Fab

TCCB Fab is a standardization requirement for the oversight of foundry processes of sensitive integrated circuit components. It is an integral part of the Trustless Computing Paradigms that summarize the binding requirements for Trustless Computing systems to be certified by the Trustless Computing Certification Body.

Under TCCB Fab, the fabrication and design phases of all critical TCCB-compliant IT hardware components will be subject to oversight processes that aim to substantially exceed, in end-user assurance, those of even Common Criteria EAL5-7 Site Certifications and the NSA Trusted Foundry Program, at substantially lower cost.

Under TCCB Fab, the oversight processes for the few critical foundry phases that cannot economically and reliably be verified ex-post will involve extreme safeguards: they will be (a) managed through state-of-the-art technologies and processes; (b) based as much as possible on TCCB-compliant systems; and (c) include in-person oversight by 5 randomly-sampled trained citizen-witnesses and 2 trained technicians.

Why?

  1. “Trust Cannot be added to integrated circuits after fabrication” - US Defence Science Board (2015)

  2. “From what we’ve learned, we should assume all mainstream CPUs to be compromised” - Bruce Schneier (2014)

  3. “Among EU member states, it’s hilarious: they claim digital sovereignty but they rely mostly on Chinese hardware, on US American software, and they need a famous Russian to reveal the vulnerabilities.” - Michael Sieber (2015), former Head of Information Superiority of the European Defence Agency, during the 1st Edition of Free and Safe in Cyberspace in Brussels.

  4. Even the best known commercial or military standards and certifications for the oversight of chip fabrication processes fall far short of sufficiently mitigating the risk that advanced attackers compromise the process to insert critical vulnerabilities.

How it works

The TCCB Fab process will deploy general concepts reportedly applied today by the NSA Trusted Foundry Program in cases that require the highest level of fabrication oversight assurance. They reportedly choose a foundry that fits the equipment and general oversight process specifications – located, if not in the US, in a country that overall provides more assurance than others – which agrees to:

  • Make sure that the requested hardware is all produced in one continuous batch in a short time span (a few days or weeks), as is typical anyway;

  • Allow, for each batch, the set-up and configuration of extensive sensing and monitoring infrastructure – often supplied by specialized proprietary companies – and allow about 3 (or more) competent, trained, redundant, and trusted technicians, per shift, to thoroughly verify the entire process, 24/7 and on-site, both from the monitoring room and inside the cleanroom.

In addition to that, the TCCB Fab will:

  • Add a minimum number of “user witnesses”, made up of 5 (or more) randomly-sampled TC users and 4 (or more) user-elected TC users, in the role of active oversight witnesses 24/7. They would be well paid to take that time off, and would be extensively trained and “self-trained” through open participatory processes;

  • Choose to produce critical ICs (such as CPUs, SoCs, memory, etc.) at EU-based 200-300mm EAL5+ foundries with older technologies, simpler processes, and fewer third-party IP obstacles than today's Asian mega-fabs, which allow the technicians and witnesses to publicly and completely document the process with videos, photos and more.

  • Equipment and sensors applied to the chosen foundries should, as much as possible, not require direct intervention in or disruption of the foundry equipment and facilities, but instead rely on an additional overlay of sensing equipment and on a copy of the existing quality-control sensor feeds. This would also increase the “portability” of the TCCB Fab processes to other foundries and, in part, the resiliency of the solution.

  • Sensing and oversight equipment will, as much as possible, be air-gapped, make use of high-assurance verifiable systems, and where possible be based on Trustless Computing SW&HW.

Why is the TCCB Fab needed and cost-effective?

TCCB Fab processes are needed because of the grave and real risk that hardware or software vulnerabilities may be introduced by some entity during the manufacturing process, and because of the inadequacy of current fabrication standards. Such an introduction, if performed in critical fabrication phases, cannot be ascertained afterward. “Trust cannot be added to integrated circuits after fabrication” wrote the US Defense Science Board already in 2005.

At first, it would appear that building a chip manufacturing plant would be the best way to provide the highest security of the chip manufacturing process. However, at a cost ranging from 200M€ for very old technology to 4bn€ for the latest, such costs are not only prohibitive but of very little use: even if such a plant were located in the same nation where the Trustless Computing service is offered, the problem of verifying and overseeing the process would remain almost completely intact.

Therefore, even if a budget of over 100M€ were available to ensure hardware security, the best way to spend it would be on oversight procedures and technologies rather than on manufacturing, provided that the necessary foundry access is granted.

Mitigation of the risk of malevolent use caused by HW technical designs being made publicly available for transparent review

Large non-EU, non-NATO, non-allied countries already have all the capabilities to build systems to the TCCB trustworthiness levels, and could make them available to terrorists. The public verifiability of the source designs of every critical SW & HW component prescribed by the Trustless Computing Paradigms could appear to enable malevolent actors to fabricate their own devices for malevolent use, beyond the interception capability of even the most powerful intelligence agencies. Nonetheless, we have carefully formulated a preliminary definition of safeguards to sufficiently and radically mitigate such a threat.

In fact, smaller potentially malevolent states or groups, in order to achieve and sustain the Trustless Computing levels of assurance using the results of the project, would need to have extreme control of a suitable semiconductor foundry, because, as the US Defense Science Board said already back in 2005, “Trust cannot be added to integrated circuits after fabrication”. The dramatic increase in the complexity of critical HW fabrication and design processes makes the insertion of an undetectable critical vulnerability somewhere in such an actor's supply chain and lifecycle an easy task for Western intelligence services.

Furthermore, even a small foundry by current global standards is a very complex operation, with over 1000 staff and typically 800 or more discrete fabrication process steps over several weeks, including dozens of critical ones where a critical error or malicious modification cannot be detected afterward. Provisions will be set in the HW/SW architecture to ensure that Trustless Computing endpoint devices cannot be produced in smaller prototyping labs, mainly through the use of IP cores tied to specific, capital-intensive fabrication processes that are naturally not available in mini-scale prototyping fabrication facilities and foundries.

In the rare case in which a criminal or enemy group or state agency might attempt to enter into agreements with suitable foundries to build such systems, state intelligence can easily either prevent it or, better yet, insert vulnerabilities in their fabrication or design processes in order to acquire extremely valuable intelligence in the future.

To the extent that the above-mentioned safeguards may prove insufficient to adequately prevent such a risk, the project will explore the possibility that a subset of the hardware designs – as opposed to all other critical technical components – may not be made public, but instead be subject to multiple redundant verifications involving direct oversight by both randomly-sampled citizens and elected officials, under suitably controlled environments.

For more information about TCCB Fab, contact us at info@trustlesscomputing.org