Nanofactory Security Design

From Wise Nano



Here, we describe a series of recommendations for the design of technical protection measures to be built into consumer nanofactories to control the kinds of products they can fabricate.

CRN's Possible Technical Restrictions document serves as a good starting point for developing technical protection measures.


Why to Restrict Nanofactories

There are several distinct motivations for restricting the output of a nanofactory.

  • Security enforcement
  • Intellectual Property enforcement
  • Regional production restrictions

Technical protection measures (TPM) for security, for intellectual property enforcement, and for any other goal should be separate, so that circumventing one does not circumvent the others. Intellectual property pirates should not need to defeat the security measures in order to get their "free ride"; otherwise the much larger community of IP pirates is forced to build and share the very tools that defeat the security controls, and every pirate becomes, in effect, a terrorist as well. This distinction may not sound favorable to IP advocates, but a compartmentalized design is safer overall. Like Trusted Computing, Trusted Manufacturing WILL be cracked, so the security design must focus at least as much on limiting the damage a circumvention can do as on preventing circumvention in the first place.

Trusted Computing for Nanofactories

The Trusted Computing Group publishes technical specifications that computer hardware manufacturers are implementing to enable applications that require a level of trust between interoperating parties regarding the computing environment. Without hardware support, these applications would not be possible. A similar system could be built into a nanofactory, so that a consumer nanofactory will produce only approved designs (or classes of designs). Such designs would be cryptographically signed by an appropriate authority, or by a sufficient number of recognized authorities (see Distributed Security Certification Authority, below).

Distributed Security Certification Authority

Any centralized authority can be corrupted. Requiring that consumer nanofactory designs be signed by a single key creates a single point of failure, both technically and politically. Corrupt officials may be persuaded, coerced, or duped into approving a dangerous design. A dedicated and well-resourced attacker may also compromise a single key, after which every factory that trusts that key will fabricate any product bearing the counterfeit signature. Requiring approvals from several independent authorities (k of n) raises the bar: an attacker must corrupt or compromise k of them, and a design that a single authority wrongly approves still goes unbuilt.
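As an added example (not part of the original page, and not drawn from any CRN or Trusted Computing Group specification), the following Go program sketches how a nanofactory's authorization check could combine the two points above: approvals for the security domain and for the IP domain are signed by separate keys under a per-domain threshold, so a compromised IP key cannot stand in for a security approval, and no single security key can authorize a design on its own. Ed25519 from the Go standard library stands in for whatever signature scheme a real fab would use; the authority names, the policy of two security approvals plus one IP approval, and the design bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Domain names one independent protection measure. A key belongs to exactly
// one domain, so a compromised IP key buys nothing against the security check.
type Domain string

const DomainSecurity, DomainIP Domain = "security", "ip"

// Authority is a recognized signer for one domain.
type Authority struct {
	Name   string
	Domain Domain
	Pub    ed25519.PublicKey
}

// Signature is one authority's approval of a design.
type Signature struct {
	Authority string
	Sig       []byte
}

// Policy says how many distinct authorities of each domain must approve a
// design before a consumer nanofactory will fabricate it (k of n per domain).
type Policy struct {
	Required    map[Domain]int
	Authorities map[string]Authority
}

// NewAuthority generates a fresh keypair (constructed for the example).
func NewAuthority(name string, domain Domain) (Authority, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authority{Name: name, Domain: domain, Pub: pub}, priv
}

// designDigest binds the domain into the signed message, so an IP approval
// can never be replayed as a security approval of the same design.
func designDigest(domain Domain, design []byte) []byte {
	h := sha256.New()
	h.Write([]byte("nanofactory-design-v1/" + string(domain) + "\n"))
	h.Write(design)
	return h.Sum(nil)
}

// Approve signs a design in the authority's own domain.
func Approve(a Authority, priv ed25519.PrivateKey, design []byte) Signature {
	return Signature{Authority: a.Name, Sig: ed25519.Sign(priv, designDigest(a.Domain, design))}
}

// Authorize counts valid approvals per domain, skipping unknown signers, bad
// signatures and repeat signatures from the same authority, and reports
// whether every domain reached its threshold.
func (p Policy) Authorize(design []byte, sigs []Signature) (bool, map[Domain]int) {
	seen := map[string]bool{}
	counts := map[Domain]int{}
	for _, s := range sigs {
		a, ok := p.Authorities[s.Authority]
		if !ok || seen[s.Authority] {
			continue
		}
		if ed25519.Verify(a.Pub, designDigest(a.Domain, design), s.Sig) {
			seen[s.Authority] = true
			counts[a.Domain]++
		}
	}
	for d, k := range p.Required {
		if counts[d] < k {
			return false, counts
		}
	}
	return true, counts
}

func main() {
	// Constructed example: two security authorities and one IP authority; the
	// policy needs both security approvals plus one IP approval.
	secA, keyA := NewAuthority("sec-A", DomainSecurity)
	secB, keyB := NewAuthority("sec-B", DomainSecurity)
	ipX, keyX := NewAuthority("ip-X", DomainIP)
	policy := Policy{
		Required:    map[Domain]int{DomainSecurity: 2, DomainIP: 1},
		Authorities: map[string]Authority{"sec-A": secA, "sec-B": secB, "ip-X": ipX},
	}
	design := []byte("design: garden-chair v3")
	ok, counts := policy.Authorize(design, []Signature{
		Approve(secA, keyA, design), Approve(secB, keyB, design), Approve(ipX, keyX, design)})
	fmt.Println("all three approve:", ok, counts)
	// sec-A signing twice does not substitute for sec-B, and no IP approval is present.
	ok, counts = policy.Authorize(design, []Signature{Approve(secA, keyA, design), Approve(secA, keyA, design)})
	fmt.Println("sec-A twice, no IP:", ok, counts)
}
```

Two design choices matter here. The domain is mixed into what gets signed, so a signature collected for one measure is meaningless to another; and approvals are counted per distinct authority, so one compromised key cannot inflate its own count. In a real fab the security check and the IP check would be physically separate mechanisms rather than two branches of one function, which this sketch does not attempt to show.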

Some jurisdictions may also wish to impose additional restrictions on consumer nanofactories, over and above security and intellectual property enforcement. Each such region would need to create and administer its own certification authority.

Recent work on distributed reputation systems, such as Credence, suggests that it may be possible to establish lawful certification authorities at the various regional scales of legal jurisdiction by building the democratic process directly into the nanofactory's design.

(describe how a system like this could work)

(StumbleUpon, Amazon - similar reputation techniques, but centralized)

Trusted GPS

Is it possible to create a spoof-proof geolocation system? If so, nanofactories could identify which jurisdictions they were operating within, and adjust their restrictions accordingly.

Holographic Product Signatures

Among the most frightening threats of nanotechnology is the ability to build microscopic machines capable of committing crimes with greatly increased anonymity for their perpetrators, ensuring that they are never caught and brought to account for their actions. To counter this trend, forensics must keep up: increased anonymity must be answered with increased accountability.

One way to implement such accountability is to infuse every block of the product with a cryptographically signed (and possibly encrypted) tag recording the details of its fabrication that would be relevant to a criminal investigation: date, time, registered owner, fabrication location, and so on. The signature lets an investigator distinguish a genuine tag from a forged one; encryption keeps the owner's details from being readable by anyone who merely holds the product.

This may even include the complete design specification of the device itself, so that the entire product could be identified and reconstructed should any part of it be destroyed (this would also be handy for recycler/fabricator hybrids that "fix" broken products; see below). Having each tiny block of a product stamped with its complete design spec resembles the way each piece of a broken hologram can still project the entire recorded image, albeit at lesser intensity; hence the term "holographic product signature".

Recycling and Destruction of Evidence

When it is just as cheap to make computers as it is to make garbage, even the most valuable and useful things tend to become garbage. When your PC breaks, it is easier to throw it out and fab a new one than to try to fix it. For this reason it will be essential that a companion technology be available to break down and recycle the materials in nanofactured products; otherwise our output of garbage will explode along with our ability to manufacture products.

The security problem with a universal destructor is that criminals like to destroy the physical evidence of their crimes. Making the ultimate paper shredder ubiquitous makes that much easier.

One way to combat this is to require recyclers to publish their activity logs to the appropriate authorities (or to everyone), possibly including the types, quantities, and configurations of materials disposed of. If holographic product signatures are implemented, recyclers could scan, recognize, and publish these as well.
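The following Go program is an added example (not from the original page) of both mechanisms described above: stamping every block of a product with a signed tag that carries the fabrication record and the complete design, so that any one fragment identifies and reconstructs the product, and a recycler that verifies the tags on whatever it is fed and publishes one aggregated log entry per product. The product, owner, fab and design values are constructed; Ed25519 stands in for the fab's real signing scheme, and the tags here are signed but not encrypted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// FabTag is stamped into every block of a product. Each block carries the
// complete design, so any single surviving fragment can rebuild the product.
type FabTag struct {
	ProductID  string `json:"product_id"`
	Owner      string `json:"owner"`
	Location   string `json:"location"`
	Fabricated string `json:"fabricated"` // RFC 3339, from the fab's clock
	Block      int    `json:"block"`      // index of this block
	Blocks     int    `json:"blocks"`     // total blocks in the product
	Design     []byte `json:"design"`     // complete design specification
}

// StampedBlock is the encoded tag plus the fabricator's signature over it.
type StampedBlock struct{ Tag, Sig []byte }

// NewFabricatorKey makes a signing key for one fab (constructed for the example).
func NewFabricatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Stamp produces one signed tag per block; every tag repeats the full design.
func Stamp(priv ed25519.PrivateKey, base FabTag, blocks int) []StampedBlock {
	out := make([]StampedBlock, 0, blocks)
	for i := 0; i < blocks; i++ {
		t := base
		t.Block, t.Blocks = i, blocks
		enc, _ := json.Marshal(t) // cannot fail: only strings, ints and bytes
		out = append(out, StampedBlock{Tag: enc, Sig: ed25519.Sign(priv, enc)})
	}
	return out
}

// ReadFragment verifies a fragment's tag before decoding it, so a forged or altered tag is rejected.
func ReadFragment(pub ed25519.PublicKey, b StampedBlock) (FabTag, error) {
	if !ed25519.Verify(pub, b.Tag, b.Sig) {
		return FabTag{}, errors.New("fragment tag has an invalid signature")
	}
	var t FabTag
	err := json.Unmarshal(b.Tag, &t)
	return t, err
}

// RecyclerEntry is what a recycler publishes per product destroyed: owner, how
// much was seen, and a hash of the design rather than the design itself (which may be IP).
type RecyclerEntry struct {
	ProductID    string `json:"product_id"`
	Owner        string `json:"owner"`
	BlocksSeen   int    `json:"blocks_seen"`
	BlocksTotal  int    `json:"blocks_total"`
	DesignSHA256 string `json:"design_sha256"`
}

// RecyclerScan reads every fragment fed in, discards those whose tags fail verification,
// and aggregates the rest into entries in first-seen order; rejected counts the discards.
func RecyclerScan(pub ed25519.PublicKey, frags []StampedBlock) (entries []RecyclerEntry, rejected int) {
	index := map[string]int{}
	for _, f := range frags {
		t, err := ReadFragment(pub, f)
		if err != nil {
			rejected++
			continue
		}
		if _, ok := index[t.ProductID]; !ok {
			sum := sha256.Sum256(t.Design)
			index[t.ProductID] = len(entries)
			entries = append(entries, RecyclerEntry{ProductID: t.ProductID, Owner: t.Owner,
				BlocksTotal: t.Blocks, DesignSHA256: hex.EncodeToString(sum[:])})
		}
		entries[index[t.ProductID]].BlocksSeen++
	}
	return entries, rejected
}

func main() {
	pub, priv := NewFabricatorKey()
	// Constructed example: an 8-block product; three fragments arrive intact, a fourth has a rewritten tag.
	blocks := Stamp(priv, FabTag{ProductID: "prod-0001", Owner: "owner-42", Location: "fab-17",
		Fabricated: "2031-04-05T10:00:00Z", Design: []byte("design: garden-chair v3")}, 8)
	forged := StampedBlock{Tag: []byte(`{"product_id":"prod-9999"}`), Sig: blocks[1].Sig}
	entries, rejected := RecyclerScan(pub, []StampedBlock{blocks[0], blocks[3], blocks[7], forged})
	fmt.Printf("%+v\nrejected fragments: %d\n", entries, rejected)
}
```

The recycler publishes a hash of the design rather than the design, which keeps the log small and avoids republishing the design's IP while still letting an investigator match a log entry against a design they already hold. A fragment whose tag does not verify under the fab's key is counted but never attributed to a product, since an attacker who could rewrite tags could otherwise plant false provenance in the public record.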


Public Factories

This is not a technical design consideration, but worthy of mention.

Circumventing the technical protection measures on nanofactories (as well as misusing recyclers) requires a certain level of privacy. Proposals have been made to make the operation of nanofactories a published event via Internet connections, but the most obvious step toward making a nanofactory's operation a matter of public record is to require that the fabs themselves be installed in public spaces and monitored with video and audio surveillance (and sousveillance), as stores are today. Safeguards against removing the machines from the surveillance zone would be straightforward, given super-strong materials. Circumventing the surveillance could be made difficult with redundancy (multiple cheap cameras throughout the zone), so that an attacker would also need a sophisticated information attack to substitute spoofed video feeds; simply disabling the surveillance is easily detected.

The idea is to turn fabs into buildings, so as to make stealing one for study a trivially detectable and absurd endeavor.

Since fabs would be as easy to replace as to repair, there would be no need to maintain, repair, or service a failing fab, which eliminates the possibility of an attacker posing as an "authorized fab technician". Furthermore, the fabrication units could be so well removed from users (underground, or buried within the structure itself) that all the machinery accessible to humans amounts to nothing more than a delivery mechanism. Products could be stored automatically in lockers that open only for the person who ordered the product.

(This kind of disposability would benefit things like voting machines, as well).

When production becomes a public act rather than a private one, it becomes accountable.

DRM is Bad Security

Originally at: http://n8o.r30.net/doku.php/blog:drmisbadsecurity

DRM is as bad an idea for molecular manufacturing as it is for preventing piracy.

DRM is spun as "Digital Rights Management" and counter-spun as "Digital Restrictions Management". The latter is the more accurate description, because the essence of what DRM does is restrict the user from using a device in ways it is already capable of being used.

When we purchase a mobile phone, we don’t resent the fact that it can’t play DVDs at full resolution; it just isn’t capable of doing that. What we resent is that our Xbox has all the power and components necessary to run a web server - but Microsoft won’t allow us to boot GNU/Linux on it, and we can be charged with a felony for trying.

But the resentment of users isn’t the main reason for eschewing DRM as a security mechanism for molecular manufacturing systems. The real reason is that it just doesn’t work. Piracy of software, music, books, and movies never really hurt anyone; but we cannot afford to be so cavalier when every house in the world can have a bomb factory in it.

The molecular manufacturing systems we own will be far safer if, like the mobile phone mentioned above, they simply lack the ability to be put to specific dangerous uses than if those uses are arbitrarily restricted in hindsight by “technological protection measures” tacked onto the system after the more powerful product design is finalized. This is a perfect example of the sound security principle that security must be designed in, not bolted on as an afterthought. If you isolate the operation of the system’s restrictions architecture into a modular section of the system, you make it that much easier to separate the system from its security, breaking it. A DRM-governed system will greatly magnify an attacker’s power when they succeed; a system robust enough to remain safe without DRM will not.

Some have argued that molecular manufacturing capabilities will permit better DRM systems. While this might be true, we should remember that along with the potential increase in DRM’s efficacy, we also have a corresponding change in the threat model. A DRM-encumbered MM system is just begging to be broken, not just by amateur hackers, but by foreign governments and corporations, which will have far greater resources at their disposal. Even if such DRM could stump Joe in his garage - could it stop North Korea? By contrast, properly designed DRM-free MM systems would pose no such danger from analysis by national and industrial competitors. And if such systems are safer for us for these reasons, they are also safer for them, as well.

Thanks to Chris Phoenix at CRN for helping me refine these thoughts.

Tom Craver's Nanoblocks

Safer Molecular Manufacturing with Nanoblocks
