
Joe FitzPatrick - The Luxury of Security

BSides Knoxville | 52:46 | 82 views | Published 2017-06
About this talk
We're rapidly approaching computational post-scarcity. The history of computing has gone through many phases that could be defined by what we do with 'spare cycles' - do we increase performance, do we add usability features, add interconnectivity, or even add security? I'll take a look back at some history of hardware and software development to identify how we allocated our spare cycles over time, and perhaps explain why securing things will continue to be a challenge for some time to come and how we can best approach it.

all right and also big round of applause to all of our sponsors we would not be able to do this at all if we didn't have the good sponsors that we do so Random Applause for all of them all right without further Ado we will move into keynote mode all right we've been extreme we've been extremely lucky uh this this week we've been extremely lucky this week uh to have uh Joe with us he's been hacking Hardware badges with us side by side at night in the hardware Labs we have a conference before this this three days at Cisco and he's been there helping out and and doing a bunch of cool stuff so if

anybody's interested in Hardware security attacking Hardware Joe's your man to talk to about it he's been at Major conferences like uh Black Hat so um I'd like to welcome Joe FitzPatrick to the stage and talk about the luxury of security

[Music] I should be alive [Music] I should be allowed to think um hi I really like that song because it's all about um you know speaking your mind talking about things so I'm up here to shoot my mouth off and think and glow up some posters about what I think about the luxury of security I've never done a keynote before um which hasn't stopped me from giving other people advice when they've given Keynotes and the advice I give them is usually it's a keynote so no matter what you say people will misinterpret it and construe it to be insightful and meaningful so hopefully you guys will will extend me that same courtesy um I was pretty excited to come here this

is uh my second maybe third time in Tennessee place I was staying was a little bit like rustic though I mean one of the walls was a vinyl tarp and it was pretty crowded but it was cheap it was only four dollars a night and the company was really good um this is up at Derrick Knob Shelter on the Appalachian Trail my last time to Tennessee was 12 years ago when I thru-hiked the Appalachian Trail and got to visit the wonders of Gatlinburg and Erwin um so who am I and why am I here I'm electrical engineer you can notice the spelling that's really important because apparently in Oregon you need to be licensed to be an engineer and I don't

have a license so I'm just an engineer um I've spent about 10 years playing with Hardware professionally I did silicon debug I did security research um for Intel for eight years or well I worked at Intel for eight years part of which was security research and Pen testing of CPUs since then I focused on security training I teach classes uh physical attacks on embedded systems physical attacks and Hardware pen testings I also own a pair of white shoes that are full of LEDs you can't really make out the LEDs here but I was pretty excited to to get those and wear those uh recently um so first what was your first computer how many of

you your first computer had an LCD screen okay how many of you had your first computer didn't have a screen right okay how many of you your first computer on touch screen no one's raising their hand but there are these people around who were born recently who may have like woken up into the world where computers had touch screens I remember in the 90s I I realized one day like wow people born this decade have never played 2D video games like all the consoles are 3D like wow anyway um I'm going to start out with a little bit of history of computing progress and this is really important because um when we talk about security as a

luxury we need to look at like what what the Baseline is where did we come from why is what we have now uh so great or so limited so we go away way back anybody know who this is Ada Lovelace whoever who answered first because I have a mug for you where are you right there you go BSides Knoxville mug okay Ada Lovelace it's kind of a little hard to see because the spotlight's on her but uh she worked with Charles Babbage and uh kind of invented a lot of stuff came up with the concept of programming language uh for a computer that was never built but the point is uh we started a long time ago thinking about

these things and it was a long time 100 years before we had actual computers um come with 40s we had um ENIAC or you know ENIAC um which this generation of computers were based on vacuum tubes they were switches uh they were ones and zeros that turned on and off you gave it input you got an output really when we think about this stage of computing they were glorified calculators right they didn't really run programs in the sense that we think of them now you wire them up to do the calculation you want you put input in and you've got an output out this is also long before we reach gender parity in programming

um because actually like it used to be the programmers were all women the computers was a person and then most of the people who were computers were women uh but anyway um onward to the 50s um we had some innovations that made computers change dramatically um this is SEAC um and what she's working on was actually called Haystack it was this this program that would go and search chemistry literature which would help people who are doing chemistry research to find references to things they were working on so like wow okay this is 70 years ago and we're already thinking about using computers to do stuff other than just math we're searching this is pretty great

um but there were still some really major limitations anybody know what this is anybody recognize these this is a Mercury delay line memory okay so we didn't have memory right on computers back in those days you had to get this big thing that was filled with Mercury and you had to have an electrical signal vibrate it and the vibration would travel through the Mercury very slowly because Mercury is a very thick liquid to the other end and I can't recall if it bounces back or the receivers on the other end it bounces back and some milliseconds later you get that same piece of data back okay well this is memory right we are putting information in and we're retrieving it

later the only problem is we have to retrieve it at exactly the right time or we don't get the right data back so you got to keep track of all that I don't know how they did that without like memory to store like the lookup table but whatever it's interesting when you think about it electrical propagation delay so that this used sound traveling or vibrations traveling through Mercury if we were talking about electrical right electric electricity runs really fast propagation delay is about uh one minute nanosecond for every six inches if you think about an HDMI 2 cable that's 18 gigabit per seconds of data going through that cable and that means you have 36 bits of data

per foot right inside your HDMI cable if you had 45 miles of HDMI cable you would theoretically have one megabyte of memory like think about this right it's strange obviously things didn't run at 18 gigabit per second back in the 50s what happened in the 50s though we also had another Innovation who knows what this is core memory I don't know where that came from but here's two No Starch buttons let's see if I can get it up to the top people on the bottom cover your eyes oh next time okay so core memory we have these little pieces of metal that had wires running through them and if we pulsed the right wires in the right combination we could

change the polarity of these these blocks of metal and then we would read them and get our data back so this is a lot more efficient than having to sit there and wait for your Echoes to come back at the other end of a tube of Mercury it's also slightly less slightly more environmentally friendly I believe um so moving onward we come to the 60s we get to like the stage where computers become a bit more commercial we have an IBM system 360 which is kind of iconic in uh what you've got for computers of the era um you know what's also interesting is you know these computers this is the era when we started having integrated

circuits and transistors what happened first is instead oh and anybody who know who that is Grace Hopper I'm going to throw another button not necessarily to the person who said that but yeah I can't actually see anything and I can't throw either um but let's keep that secret don't tell anyone so this is a nor gate this is a nor gate on an integrated circuit and this is registered Transit sorry yeah resistor transistor logic right we're like okay we're gonna get one transistor put a bunch of resistors around it and we're going to make a nor gate so a nor gate is pretty basic like it's pretty simple it's two wires input one wire output and

you get some logic happening um this is one that was used in the Apollo program the Apollo program used RTL logic which was very quickly outdated with transistor transistor logic TTL logic because when you go to this level of integration right whether you make a resistor or you make a transistor it's the same when you had to build discrete components the transistors were expensive resistors were cheap so there's this trend that pops up when you once you integrate something into silicon suddenly it becomes free at least if you're a manufacturer of silicon um so we'll see that happen through time as we add more and more features to our computers um check that yeah another button who's

this yeah come on she wrote this is this is the code that ran the Apollo program Margaret Hamilton so um how many of you have printed out code like how many of you have finished a project and printed out the whole stack of source code to Archive it oh oh it's getting closer getting closer I made the first one up there dive for it don't fall over the railing um how many of you actually had have coded with a line printer okay so yeah sometimes the the output was not just the final output you actually were developing on a line printer or in your head um so this is uh the Apollo code from n169

I believe that the photo has probably taken in the 70s but what no I don't have another slide for the 60s um oh yeah we did we just finished the 60s uh sorry let me go back and forth oh I'm going the wrong direction don't don't don't peek ahead so 70s this was kind of like really cool who's whose first computer was in the 70s a couple people if I had been alive my first computer probably would have been in the 70s this was pretty cool this is where we had kits for computers this is where we had home computers for the first time everything before this was giant expensive stuff if you got a

chance to work on a computer you were at a school you were at a company you were in the government somewhere but now you can get an Altair uh you can get an Apple computer which you had to make your own box for um the Altair you actually put together yourself which really changed things and what changed this what made this possible is we suddenly had integrated circuits that were entire CPUs so this is the 4004 CPU this is a picture of it and you can see gates in this which is pretty crazy because this isn't very high resolution so you remember that nor gate we saw before imagine thousands of them all together and suddenly we have

something that does math and registers and all that stuff what's also really interesting is uh something I'm not remembering but whatever um so four thousand fourth eight thousand eight and then the 886 ended up inside the IBM PC so who owned an IBM PC okay yeah so 80s was the time where you could go to the store and buy a home computer and it would do great things like um you know very basic word processing and there was probably a program on there that showed off databases so you could store all your recipes who uses a database for their recipes right now where are you up there okay I'll throw it I'll hit someone else

oh no the pins are closed the sharp point isn't sticking out when I throw them so my own PC my own IBM computer imagine that um this is pretty cool where did I put my my remote here we go I'm powerless I thought my my remote um so this is the motherboard from an old IBM PC the original IBM PC there's a lot of chips on there right these are the days where if you want to upgrade your memory you actually bought memory chips instead of modules um you had some expansion slots um where is the 80 88 is this it I think that's it um the the actual CPU which kind of is funny because it doesn't really stand

out from anything else whereas if you look inside a PC Today the CPU is massive and everything else is just passives um by the end of the 80s the 486 was released and this is what a common motherboard looked like right you have a massive CPU you have lots of spots for expansion you have memory on modules right you have some other stuff in socketed chips but uh and you know usually some glue logic that puts it together that's all integrated into one chip right what we used to do with discrete chips that would have wires connecting them all together to do logic you can suddenly put into a single chip which is pretty awesome

um and that's what made computers smaller that would make them easier that would that's what made them so we had them at home and tried to do sketchy things like hook them up to phone lines and talk to our friends or talk to random strangers that we pretended were our friends um before years later we could actually friend them on social media um then we move on to like when history began you know so the 1990s was a big deal even though the 486 came out uh and the 3d6 and 46 hack came out in the 80s um not many operating systems actually used the features of it uh fully so does anybody know what what operating system

came out in 1995 that was pivotal and like changed the world anybody know what this is anybody version 1.0 was released in 1995 Linux Linux version 1.0 was released uh badge interference I keep trying for the top so um so suddenly we have we have powerful operating systems that are doing things like using protected mode to isolate processes so is process isolation a security feature was it intended to be a security feature it's intended to be a way for us to isolate processes so if calculator crashes it doesn't also crash our word processor if Minesweeper crashes you know it doesn't also crash a solitaire right the purpose is is to prevent uh errant processes um uh poorly operating processes from

affecting each other at the time things like this were not designed to protect malicious processes from attacking other malicious processes so we had isolated memory regions we have task State structures that we can swap between different devices we can use our computers in very different ways than we used before but you know we still haven't really got security figured out and 90s in in my recollection seems to be like the time when when hacking got really interesting right instead of having to dial up to you know War dialing numbers to find like uh you know some government or corporate computer to go and grab things off of and play games like global thermonuclear war we could

get on the internet and you know find those same games sometimes things we had connectivity to other things we started to see this dot-com boom bubble bust whatever you want to call it start happening or we could do cool things like buy plane tickets online and buy dog food and buy more dog food and buy dog food at a loss um at a loss to the seller um so this is the Pentium micro architecture this is not the best diagram that I was able to find but the one I was able to find quickly um what was interesting about the Pentium is if you took two 486s and squashed them together you essentially got a Pentium right you had two separate

pipelines that are broken up here the U pipeline and the V pipeline so you could you could run an instruction and if the next instruction in memory was a certain category of instruction that didn't depend on the first one you could start that immediately right so you could do two things at once which is pretty crazy um by the end of the 90s we were dealing with a Pentium Pro Pentium 2 Pentium three era core which gets really wide and this is actually a Core 2 architecture which is uh only like five or eight years old but it's actually the same micro architecture underneath you have this like reorder buffer that puts all your instructions in a more optimal

order so no matter what the programmer was thinking no matter what that silly compiler was thinking you can actually like find more efficient these later on and you have several different pipelines to do all different instructions at the same time and then you shuffle them back into order at the end this is pretty crazy because like we're getting to the point where like performance is not limited by you your code your compiler you can have layers upon layers of ways where you increase the performance of the stuff that you're doing um and actually I already mentioned this we got address spaces so uh physical address versus virtual address basically we have a scenario where we have one

program that sees memory and we have a mechanism to prevent that programs from seeing certain spaces in memory like I said this is a functionality this is an enhancement from the beginning it wasn't necessarily considered a security feature like we would think of it today but over time it's gotten harder hardened pretty well we could prevent a bad process from messing up other somewhat properly behaving processes we move on to the naughties as I've heard them called outside the U.S because zero is not and I think that the naughties is a really good name um so I think in my recollection the most important thing that came out of the the naughties is virtualization right so we have virtualization

um that you can use in two different scenarios right instead of having to run your operating system on your PC um and run your you know malware on it to test it right you can virtualize it you can put it into a container and this is a hardware assisted container you can have a scenario where you have your host operating system and you throw in a couple guest operating systems you can also have a different layer where you have a virtual machine monitor that sits underneath everything and this might be your super trusted code and then you can run all your less trusted VMS on top of it um and again we have this scenario we have

Hardware protections we have Hardware assisted features we can suddenly do lots of stuff but again the reason we did this is not for security we did this because people wanted to run a mail server and a SQL server and a web server on one box and maybe move them around and not have to buy three separate servers um so we have these functional requirements that are still dictating the things we do and the security benefits tend to be additional um there's also another neat feature you know we actually got virtualization as consumers in the 90s we actually got operating systems and you know tools that supported it decently not great like they are not as great as they are

today but decently um we also got I/O virtualization as well this is great out of one of Intel slides basically you think of normally you have your VMM your virtual machine Monitor and your virtual machines that sit on top of it if you want to do anything to Hardware you have to go through a layer of emulation or a layer of abstraction or a layer of like wrapper driver with an IOMMU you basically can assign device one to Virtual Machine one device two to Virtual Machine two and you can sit there and you can have one computer with three graphics cards and three guest operating systems each one of them is using native graphics cards drivers and

each graphics card thinks it's native to that operating system which is pretty crazy pretty cool and actually turns out to be a really neat security feature when you're dealing with DMA attacks you can ask me about that later if you're curious about those um the downside is nobody actually used it for quite a while at least not in the naughties um where are we now the cloud that deserves a pin my throat cover your eyes I'm sorry should I stop doing this no okay so cloud computing Nirvana all your data anywhere anytime for anyone who can convince the computer that they're you this sounds pretty great um we're at the point where we have uh

mobile devices laptops and servers that are backing the cloud that have their own computation capabilities we have virtualization so you know 20 of us can share one server to do our back-end stuff or maybe our hash cracking or whatever it is that we do that requires computation or our Graphics rendering um and we don't have to sit there with our laptop that has all of that compute capability um yeah I like this um what the bleep is this bleep Brian Barbie asked while looking at the DVD he handed her have you ever heard of GitHub it's how we share code in 2014. damn it my laptop doesn't even have a DVD drive okay this is where we are right now

um and this is graciously stolen uh from Twitter uh from a modified version of the Barbie computer engineer book um the modified ones are so much better than the original um but yeah this is where we're at we have this mobile device this is our connection to the world um we put everything on it and we store stuff somewhere on shared resources that we can kind of trust that belong to just us so our needs for security change dramatically from the 80s when we didn't have anything connected to the 90s where we started throwing stuff on the internet because we could which we continue to do today uh to to the naughties where we start thinking about

this and adding features that help us manage it to now where who knows what's what where where it is who owns it what jurisdiction it is in and everything else so this is uh Macbook Pro 13 inch retina performance for like the past four years of models and what I notice when I see this is like the lowest end one is 25 something 2500 geekbench 3 single core score the fastest one is 33 200 right the point is there's not a lot of difference here we're going through generations and generations of products and I chose MacBooks because they kind of have a lot more homogeneity to their series and their progression than every other manufacturer

um in the world um but what is interesting is if we look over time this is uh from Hennessy and Patterson so it's slightly a couple years old we look at improvements in uh processor performance right back in the 70s we had 25 a year but between the 80s and early naughties we had 52 a year which is crazy increasing performance but now it's leveling out only 20 per year so you know there are some arguments that this is a physical constraint like we're no longer we don't have the uh technical capacity to push circuitry that far you know the whole Moore's Law is starting to die on the other hand we're in a weird situation where we

don't always need this performance right when it comes to our laptops like how many of you have a quad-core laptop how many of you have a dual core laptop how many of you aren't really sure how do you like really don't care right I mean there are rare scenarios where I think like oh I wish I had a quad core laptop so this compiling will happen in 30 seconds instead of 45. that's a very different concern be against like oh I should have bought a ladder bigger laptop with more RAM so that I could open two tabs in my web browser at once right so we talked a lot about history of computing let's kind of flip sides a

little bit more who here has studied economics okay amateur economics okay good that's kind of my actually that's beyond my level but uh who's heard of post-scarcity so we have like supply and demand curves and we say okay when Supply decreases right cost goes up when demand increases cost goes up these two things are plotted with curves and the intersection is like the market price okay when we talk about computation our supply our available supply of computation is going up and up and up and up and it used to be for 50 years that our demand followed it right um is it following anymore I'm not sure um and let's think a little bit more

about this so there's I have a couple quotes um the free development of individualities and hence not the reduction of necessary labor time so as to posit Surplus labor but rather to the general reduction of the necessary labor of society to a minimum which then corresponds to the artistic scientific Etc development of all the individuals in a time set free and the means created for all of them so basically the idea is we're going to get to the point where we have everything we need and we'll have the time to go and do the things we want to do you know pursue art science research fun security conferences beer brewing everything like that you know that's kind of communist talk

isn't it though right so uh I thought more relevant is and I took both of these from Wikipedia for all you other amateur economics people uh in the long run making programs free is a step towards a post-scarcity world where nobody will have to work very hard just to make a living people will be free to devote themselves to activities that are fun such as programming after spending the necessary 10 hours a week on required tasks such as legislation family counseling robot repair and asteroid prospecting there will be no need to be able to make a living from programming this is also interesting because it's a little more technical but perhaps you might also have the opinion Richard

Stallman maybe this is more more communist speak whatever um it's interesting like it makes sense open source gives us the ability to leverage all the work everyone else has done so we don't have to do it over again like think of everything we have in this current like Tech you know startup culture whatever is going on you're building layers upon layers of software that are open source and you're throwing you know a fancy app on top and making millions of dollars it's a pretty neat field I wish I were doing that uh no actually I don't so back to post scarcity right so as our computation ability increases as our spare Cycles as our extra performance uh

exceeds what we need this is the point in time where we look for the next thing to do okay so another tangent how about psychology who's an amateur psychologist in here who pretends to be on the internet on internet forums maybe okay so who knows this thing Maslow's hierarchy of needs so did I make it no I didn't sorry I'm just going for the aisle so I don't poke eyes or anything out frisbee maybe we'll think I'll think about that so we have layers right at the core what we need we need physiological needs food Water Shelter warmth right once those are met that's the only point in time we can move on and go on to safety okay

well now that I can eat and I'm not worried about starving to death maybe it'd be nice to like not cower in fear of you know whatever's happening you know the the local fiefdom that's gonna you know take everything from me on top of that once you once you like have the the free mind actually like think about communicating with other people you have this need for belonging um when you belong to a community whether it is a you know local security Community whether it is a family whether it is a company that really loves you as long as you work for them um in their interest um you kind of move on to self-esteem

like achievement Mastery recognition of respect um this is pretty neat like you know suddenly you don't have to worry about food or safety or belonging or in certain cases you do but whatever but you get to the point where you you can concentrate on what your skills are what you're good at and what you need to do to make everything work and finally you know self-actual actualization maybe this is like the Pinnacle and yeah whatever and how many of you have seen this alteration to this yeah whatever so I don't know if Wi-Fi really belongs at the bottom like I would really choose food and beer over Wi-Fi who here would agree with that okay because I mean

when it comes down to a good conference right if you don't have Wi-Fi you're going to be forced to like belong to the group that you're around and talk to them and and drink beer with them and eat food so you know maybe Wi-Fi belongs somewhere up here um but another thing we should we should mention while we're on it like who who's got drink tickets left okay so remember like physiological that's Food Water Shelter warmth right and we've got to take care of that so when you've got a drink ticket right appropriate tipping belongs there right when you when you redeem your your drink ticket for your drink you know tip tip your bartender and that will help you

with the physiological level and it also means it'll help you with belonging and being loved and just being happy and maybe someday you'll reach self-actualization through tipping but back to the point um where do computers fit in this we mentioned Wi-Fi but like can we self-actualize without a computer can we self-actualize without an app that will self-actualize for us um I don't know because we're still new we're still new in this realm and maybe all the self-actualization that happened before computers was just imaginary and we're really onto something now um but I think we've got a hierarchy of computing needs right and we can see through the time through the timeline that we walked through that we're

building up capability we're building up capability until we get to the very top where we actually have the leeway the time and actually the need to worry about security so at the core functionality we wanted a machine that was Turing complete that was a big deal who who still like goes on the internet and argues about CISC versus RISC because I mean that's kind of a dead argument who won yeah both I don't know neither um it doesn't matter no because we're at the point it doesn't matter um we have cool things like Hardware acceleration a floating point and we have Hardware acceleration of cryptographic processes and we have all sorts of neat stuff so our functionality

Foundation is actually really good right now doesn't mean we should trust it completely but it's pretty solid then we move on to Performance like okay we can do math but can we do math faster than a human could yeah um can we do math that's economical in terms of the space the computer takes up um how many rooms does it take up how much air conditioning does it need excuse me or um how much does it cost and how much can I fit in my pocket or how much how long will my battery last these are all really performance metrics in some way shape or form and again usability we started with line printers we got some keyboards and then

screens so we didn't have to waste all that paper command line interfaces that were interactive instead of just huge batch commands that we ran and came back a couple days later when our turn had come to run them mice that give us the ability to interact with GUIs and which those are finally replaced with you know touch screen interfaces and somewhere in there someone may have thought about user experience and maybe someone listened to them I hope that happens a lot more often these days but whatever I categorize that as usability when we've got computers that people start to use we need to think about the long-term effects of them can we trust them to do the job that we're buying

them and using them to do what's the mean time between failure we can't imagine that like these computers will never fail they will fail eventually but what do we do about that we have software exception handling we have Hardware exception handling um how many of you um trust the memory in your computer I mean to the most for the most part you do but how many of you have ECC memory in your computer that you use on a daily basis very few of you um this is really interesting to me because this seems like one of those things like you know we have a small bit of overhead like we all have like gigabytes more memory than

we need unless you're buying one of those 10 100 Windows tablets that only come with one gigabyte of memory but most of us have plenty of memory really the overhead of ECC is a small percentage and the reliability that comes out of that is amazing and also RAID storage redundant storage is all things that improve the reliability of our systems and lastly we've got connectivity I'm building these up in a ladder and there's definitely some interplay between the different layers but I think that these are the the order that Things become really important so we've got connectivity we can put these uh online be by talking to each other via modems we can go and use like an online service

uh through dial up we have um cable internet fiber internet Wi-Fi 4G all these things and we're getting to the point where we have high bandwidth low latency uh omnipresent everywhere connectivity which is really cool um and that's giving us the room to innovate in the realm of security right we have things like virtual memory which may or may not have started as a as a security feature but essentially it is at this point we have data execution prevention ASLR uh virtualization we have systems that have Hardware random number generators right who would have thought such a simple thing put into the hardware would be so wonderful uh despite the fact that there are still

people who won't use a hardware random number generator because they can't trust it um so trade-offs uh we do have some security but we have trade-offs in every one of those things I'm not really sure what fits at the top of the the thing I left it empty spot because I don't think we're there yet we don't know what it is but it reminded me that like maybe there's like something maybe that's the cloud I don't know so here we are we've built up uh quite a bit of things we've got computers that work we've got computers that we enjoy using maybe and they do great things for us but it's still not perfect um what about different Industries right

I've been talking mostly about desktop and server PCs because that's really my personal experience and most of us that's what we work with on a daily basis but what about industrial Control Systems right they have a different set of requirements they need some core functionality and they need reliability right they don't care about usability I mean they kind of do but have you ever seen an interfa like a human machine interface on an ICS system yeah um performance doesn't really matter right and it really can't matter because when you install an industrial control system you're expecting it to to last for decades like 30 to 50 years in some cases so you don't want to chase the

performance that's coming out next year to make and Implement a system that's going to be around for 50 years connectivity has come late in the game to that there's there's a big problem where people take these old systems and they say oh well I want to I want to control the water treatment plant from the internet so I'll just put uh VNC on here and well good and we'll plug it into the internet oh yeah so we're we're learning here but we haven't built the full stack in that realm so we aren't thinking in the mindset and we don't have the luxury of thinking in that mindset uh what about IoT right what do you need to like have a

successful IoT startup you need up to something actually I should probably cross out functionality you need to have a demo and it needs to be online right and if you've got those two things then you've got Venture capitalists all over you like oh wow we want to turn this we want we've got millions of dollars for you um but really like that's what it takes to make an IoT device and these IoT devices are small systems sometimes they're battery powered sometimes they're just Compact and they don't have the luxury of unlimited compute performance they don't have the luxury of spending an extra 50 cents to buy a CPU that has a hardware random number generator in them because you're they're

being sold for ten five twenty dollars and there is no margin right and no one cares about the hardware anyway because they're all selling the services that are tied to the cloud so what's going to happen is we're going to fill in the blanks here like I see IoT and there's a lot of people who talk about like oh IoT it's like going back to the 90s well it is right because we're in a realm that we're working on a platform that hasn't built up the layers that we have in mainstream Computing right now medical devices are a lot like um difficult um ICS system same same combination we need to have something that works and is

reliable because I would hate to have a lethal dose of insulin injected into me if I were wearing an insulin pump and these are interesting because usability comes up a lot more than it does with ICS right uh you have to be able to use it you have to have a normal person know how to use their their medical implant their medical device to make it work and I think we we have this mistake that IoT sees that like oh usable means it's online um so again we'll get to the point where what we have now in IoT devices might be like microcontrollers it might be microcontrollers with mask ROMs sometimes they're a little bit more

advanced and they have like full stack operating systems which increases complexity Without Really increasing reliability but at some point in time I believe we'll get to the point where we have the spare computation we have the spare time we have the powerful programming languages that means our developers have the time to worry about security as opposed to worrying about FCC or FCC FDA certification or something like that mobile devices we've all got one functionality usability and connectivity those are the great things about mobile devices if it wasn't usable no one would have them right the whole the whole change that I see in mobile devices once the once the iPhone came out and had a

touch screen right suddenly everybody wanted one because using a that stylus was just silly and you looked like a dork and we're all concerned about looking like dorks here right yeah um so uh Sergey Bratus often cites Wright's principle he says security does not improve until practical tools for exploration of the attack surface are made available right it's not until we have the tools that we can go and attack uh Wi-Fi or net Ethernet or anything else or software with fuzzing tools that we can actually understand the attack surface and and what's possible on that um Bratus's corollary it's not what he calls it but it's what I will a bus or component that doesn't come with tools

for practical injection of crafted inputs and States should be considered insecure the longer it misses such tools the more so this makes sense if we're going to make a device if we're going to make a tool if we're going to make a protocol if we're going to make an interface we should have a plan for how we're going to attack it there's a dilemma though right there's what I consider a precursor to Wright's principle right an implementation of the attack surface must exist before the exploration tools can be considered both practical and complete right you can make an attack tool that attacks with theoretical Hardware against a theoretical interface based on the specification and that's great and

that's going to tell you a lot about the specification but that's not going to tell you anything about what's actually happening in the real world you have to wait till someone develops something produces it and then you can attack it this is a dilemma I encountered a lot when I was doing CPU validation right when you when you buy a CPU or a system with a CPU in it that CPU has been around for quite a while in validation it's being very intensively functionality checked but we also need to do some security checking on that which is great but my job as a hardware pen tester is to break it I need something that works in order to

break it don't I so there was always a really big lag between the time we got first silicon and the time we got an operating system booting to the time it got working properly and once it was working properly that was my turn to go and try and make it not work properly and the the sooner I tried to do that job the easier my job was but the less realistic it was right so um that kind of like is a series of things that really affects where we're going with this um onward so where are we going anybody have any ideas uh yeah everything's fine um that deserves a pin though what was that

yeah good good Dodge um who's heard of guard band so when you design an integrated circuit this is uh from an ATmega or ATtiny uh data sheet and they say okay here's your safe operating range if you give me 1.5 1.8 volts then I can run up to four megahertz reliably if you give me 5.5 volts I can run up to 20 megahertz reliably and that's kind of what the manufacturer is promising you when they deliver you this part in reality the line looks more like this right it's a bumpy line somewhere hopefully on the outside of this safe area and that line is different for every single part they manufacture but what they do when they manufacture it is

they say okay well we we know we need to work here and we know that this is where the line is and over time this line is going to move in or out based on age degradation sun spots you know uh random things so like you have this guard band this this guard rail that you say okay even though we say we work here we're going to work up to here this is where overclocking lives if you were curious and yes you can overclock microcontrollers not just PCs but security really is guard band right we have have to be in a place where we have extra functionality we have extra time in both computation Cycles time as well as

developer time as in product development time to not only make something work but make it work right so that it can't be unworked by an attacker um and I'm getting close to the end of my stack of slides which is just right so looking at mobile devices this is a really interesting thing one because it's Hot Topic and everything and we look at performance of mobile devices and we this is just the past uh a few years starting from a few years ago from a baseline of really low all the way to uh big numbers whatever it's like zero a few hundred all the way up to over four thousand uh geekbench score points whatever they are what's really

interesting is this is changing over the course of five years and we have a lot of improvement do you remember the the big chart I showed you from Hennessy and Patterson where we had huge performance increases of 50 per year and then it leveled out well this doesn't look like leveling out to you does it what I see is I see that mobile devices are stuck uh not necessarily stuck in a in a bad way but but they're still living in that realm they're still taking the gains from that increased performance and they're still getting the advantages of that increased performance that they didn't have we have more capacity to put more stuff into mobile devices we have the ability

to make them more secure because we have that extra performance right who had um I believe was a Nexus 6 uh you could go and you could enable uh uh encryption of the entire root file system which is great but then when Google finally shipped they turned it off right why'd they do it performance the Nexus 5x the same way people got the Nexus 5x which is supposed to be a new replacement for the Nexus 5 and it was slower on most benchmarks because the encryption was turned on and people actually complained about this some people well I didn't complain I'm happy to have full full uh flash encryption on my phone but I need

this guard band to do it I need this extra capacity to do it I wouldn't have bothered using a phone in 2009 if it had the performance impact that full encryption would have had at that point in time um we got other changes that are happening this is from the FCC and the it's a little bit squashed because of the resolution of the display but basically this is from 2011 to 2014 2011 to 2014 um Broadband speeds um DSL cable fiber and satellite right so we can see like there's improvements here like we're still advancing in some of these Realms we may not be getting more Computing performance but we're getting more interconnectivity performance right the higher levels of

that pyramid are still improving mobile devices have not has as dramatic increase except this is a logarithmic chart so it doesn't look the same um where GPRS is displaced by EDGE by UMTS HSDPA and now LTE gives us huge amounts of data per second that you know we'd be amazed to have on our home computers less than 20 years ago or even like five years ago um so what my conclusions come to is it's really interesting it doesn't seem like to me we care about security until two things happen right we learn that we don't have security or we come into a situation where we need it and number two we have the capacity to solve it

right we no one ever disagreed that full encryption was well that's not true lots of people disagree that full encryption was never necessary even outside of law enforcement um but um no one really thought it was a good idea a while ago it wasn't until we had the extra performance and capacity and access times of our memory our flash to actually solve that problem so we need both the awareness of the problem and the capacity to solve the problem for us to actually Advance Security so that's what I see with all these different devices that's what I see with embedded devices industrial control systems and IoT devices they're just a little they're a few years behind us and in

time they'll catch up they're a few years behind desktop and server CPUs and in time they'll catch up they'll get the same capacity um who disagrees okay good um I've succeeded and get you thinking about that you deserve The Car Hacker's Handbook okay I'm not gonna throw it you can come up here and you know this is a conclusion this is not a law this is not a rule um and I hope that I can be convinced otherwise if we have a conversation about this um but what's true though is the the bugs of the 90s are alive in firmware right why because we don't have the same visibility we don't have the same access

to tools we don't have the same experience and performance that we do on other systems so even you know IoT embedded mobile ICS cars um and even when you get down to the low levels of a PC like your BIOS right that's just firmware right but it's so low level we don't have the full capacity of a full PC so um we've been here before we've solved these problems before so I asked the beginning what was your first computer so who whose first computer was uh 70s or before and whose first computer was in the 80s or before and 90s or before and this the noughties or before um it's okay um uh and sometimes you think like oh

man like all those Old-Timers they have all like all their like cruft all their like experiences of how things used to be and they always whine about like oh we used to have to do this and then you know the other side you're like oh those newcomers they don't know what it's all about they don't know how hard it was to get here um in all reality like everything is at a different spot on the Spectrum and the problems that we might be solving right now in uh embedded devices are actually kind of the same problems we might have solved in the 80s and 90s with mainstream computers so someone who was there then might already

have these answers we don't have to invent them again um so hopefully you know you saying when your first computer was or abstaining if you did not want to kind of makes you think oh I should be talking to the people but have a different experience of computing because they're going to have a different perspective one really weird example of this who knows who's familiar with ROP return oriented programming right so this is a situation where you you don't have the ability to make executable codes so you just call bits and pieces of existing executable code do you know what they used to call that in the 80s and 70s efficient execution we don't have we don't have

memory to waste so why are we going to put this same half of a function in there again we'll just call it in the middle of it um you know all these problems are being encountered and found again so that is the end of my presentation thank you any questions

I don't think they'll just become solved problems I think that with time and effort we may be lucky enough to do the work to make them solved we will we have situations where we just don't have the capacity to solve the problems now I think in the near future we will have the capacity to solve these problems

I understand and I can appreciate that but what I see is that um we are not even there yet like we haven't solved those problems I don't know if we have the capacity to solve those problems perhaps we do um have the societal and civilization capacity but we don't have the individual organization capacity to work together to do that um but when it comes to security like I truly believe that in a lot of IoT devices we simply do not have the capacity to solve those problems so in five years in 10 years when these devices truly have the capacity to solve those problems things will be different and in the meantime there are going to

be people who figure out bits and pieces of that and perhaps the economy the market will will favor them perhaps they won't

absolutely and I look forward to that and that's part of why I left the top of the pyramid open so thanks thank you tip your bartender

thank you thank you Joe uh so we're going to leave the live stream up at the main track in pres Pub so if you want to hang out there this this track will be broadcast over there uh the bar is open and press Pub as well so you can redeem your bar tickets your tickets over there for drinks as well the food you've gotten about 30 minutes to an hour left to grab another lunch if you want it we're going to donate it uh after that and uh oh yeah the big announcement well not big but need to know uh there are bands in pres Pub and Scruffy City tonight if you have your badge you'll be able to get in for

free cool all right yep all right is here for Joe again cool uh and give us a couple more minutes and we'll set up for the next talk [Music]
