Vintage Computing for Trusted Radiation Measurements and a World Free of Nuclear Weapons - Moritz, ALX
34c3 - Hardware & Making - 12/29/2017
Eliminating nuclear weapons will require trusted measurement systems to confirm authenticity of nuclear warheads prior to their dismantlement. A new idea for such an inspection system is to use vintage hardware (Apple IIe/6502) instead of modern microprocessors, reducing the attack surface through simplicity. In the talk, we present and demo a custom open hardware measurement system based on gamma spectroscopy.
Twenty-five years after the end of the Cold War, there are still about 15,000 nuclear weapons in the arsenals of the nine nuclear weapon states. After an era of transparency, cooperation, and confidence-building in the 1990s, progress in nuclear arms control slowed down in the 2000s and is currently in a crisis. The newly negotiated Treaty on the Prohibition of Nuclear Weapons (“Ban Treaty”) and the 2017 Nobel Peace Prize have given new attention to the enduring threat posed by these weapons and the urgency of further reductions. Any further progress toward nuclear disarmament will have to rely on robust verification mechanisms, especially while there is limited trust among the relevant states. This requires trusted measurement systems to confirm the authenticity of nuclear warheads based on their radiation signatures. Because these signatures are considered sensitive information, the systems have to be designed to protect them. To accomplish this task, so-called “information barriers” have been proposed. These devices process the sensitive information acquired during an inspection but display the result only in a pass/fail manner. Traditional inspection systems rely on complex electronics for both data acquisition and processing. Several research efforts have produced prototype systems following fundamentally different design philosophies, but it has proven difficult to demonstrate that hidden switches and side channels do not exist. After almost 30 years of research and development, no viable and widely accepted system has emerged.
We pursue a fundamentally different approach: our prototype of an inspection system uses vintage hardware built around a 6502 processor. The processor uses 8-micron technology (about 600 times larger than current 14-nanometer technology) and has only about 3500 transistors. Vintage hardware may have a number of important advantages for applications where two parties need to simultaneously establish trust in the hardware used. CPUs designed in the distant past, at a time when their use for sensitive measurements was never envisioned, drastically reduce concerns that the other party implemented backdoors or hidden switches at the hardware level. Today, the design of the 6502 is de facto open source, and several projects have explored the hardware in great detail (visual6502.org, monster6502.com). The technology is so basic that it would be difficult or impossible to surreptitiously implement extra functionality that could be used to leak secret information. For the same reason, however, using vintage hardware also comes at a price: the performance of the inspection system is limited, and data acquisition and processing have to be designed and highly optimized accordingly.
In this talk, we demonstrate the performance of the inspection system in an actual inspection setting. For this purpose, we built a prototype system using an Apple IIe and a custom-made open-source data-processing board connected to a sodium-iodide radiation detector for low-resolution gamma spectroscopy. Data processing and analysis are done exclusively on the Apple IIe hardware. In inspection mode, the Apple IIe is used as an information barrier, and the result of the analysis is simply displayed by a green/red (pass/fail) LED on the data-processing board. To wrap up, we discuss the broader context required for verifying deeper cuts in the nuclear arsenals and demonstrate the system as part of a notional inspection scenario, including its capability to detect basic cheating scenarios in which a dishonest party presents an invalid item that has a different radiation signature.
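To make the information-barrier idea concrete, here is an added example that is not the talk's code: a minimal pass/fail check that compares a measured low-resolution gamma spectrum against a reference template using integer-only arithmetic (mirroring a 6502 without an FPU) and returns nothing but the pass/fail bit. The 16-channel spectra, the minimum-count rule, the fixed-point scale and the threshold are all constructed assumptions for illustration, not values from the prototype.

```python
# Added example (not the talk's code): a minimal pass/fail information barrier
# for a low-resolution gamma spectrum, in the spirit of the Apple IIe system.
# Integer-only arithmetic mirrors the constraint of a 6502 without an FPU.
# All spectra below are constructed sample data, not real measurements.

CHANNELS = 16
MIN_COUNTS = 500                  # assumption: fewer counts -> measurement rejected
SCALE = 256                       # fixed-point scale for the per-channel statistic
THRESHOLD = 3 * SCALE * CHANNELS  # assumed cut: ~3 per channel in chi-square units

# Constructed reference template: a single photopeak around channel 6.
TEMPLATE = [5, 8, 12, 20, 45, 120, 260, 130, 40, 18, 10, 7, 5, 4, 3, 2]


def chi_square_fixed(measured, template):
    """Chi-square-like distance in units of 1/SCALE, using integers only.

    The measured histogram is first normalised to the template's total count so
    that only the shape of the spectrum is compared, not the acquisition time.
    """
    m_total = sum(measured)
    t_total = sum(template)
    score = 0
    for m, t in zip(measured, template):
        m_scaled = (m * t_total) // m_total
        d = m_scaled - t
        score += (d * d * SCALE) // max(t, 1)
    return score


def information_barrier(measured, template=TEMPLATE):
    """Return only True (pass) or False (fail); spectrum and score stay inside.

    The analogue in the real system is the green/red LED: the inspecting party
    never sees the sensitive radiation signature itself.
    """
    if len(measured) != CHANNELS or sum(measured) < MIN_COUNTS:
        return False  # too little data: fail closed rather than guess
    return chi_square_fixed(measured, template) <= THRESHOLD


# Constructed measurements: a valid item (template plus small fluctuations) and
# an invalid item whose photopeak sits in a different channel.
VALID_ITEM = [6, 7, 13, 19, 47, 118, 255, 134, 38, 19, 9, 8, 5, 3, 3, 2]
INVALID_ITEM = [5, 8, 12, 15, 20, 30, 40, 60, 130, 250, 120, 40, 15, 8, 4, 2]

if __name__ == "__main__":
    for name, spectrum in (("valid item", VALID_ITEM), ("invalid item", INVALID_ITEM)):
        led = "GREEN (pass)" if information_barrier(spectrum) else "RED (fail)"
        print(f"{name}: {led}")
```

The shape comparison after count normalisation is what lets the barrier reject an item whose peak lies in the wrong channel while tolerating ordinary counting fluctuations; the fail-closed rule on low counts keeps an almost empty measurement from passing by accident.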