
Titan in depth: Security in plaintext - nealmueller
https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-security-in-plaintext.html
======
danielvf
Beyond the secure boot, this is really cool

"...Titan cryptographically associates the log messages with successive values
of a secure monotonic counter maintained by Titan, and signs these
associations with its private key. This binding of log messages with secure
monotonic counter values ensures that audit logs cannot be altered or deleted
without detection, even by insiders with root access to the relevant machine."
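
The binding quoted above, as an added model that is not Google's code: each entry is tied to the next value of a counter that only the "chip" can advance, each (counter, message) pair is authenticated with a key held by the chip, and an audit detects deletion (a gap), alteration (a bad tag) and truncation (log ends before the chip's counter). It assumes an HMAC as a stand-in for Titan's private-key signature, so this verifier also holds the key, and that the auditor can read the chip's current counter value.

```python
import hashlib
import hmac

# Constructed model of the quoted scheme. Titan signs with a hardware-held private
# key; here an HMAC key that only the Authenticator owns plays that role.


class Authenticator:
    """Models the part of Titan that owns the monotonic counter and the key."""

    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0  # monotonic: only ever increases, never reset by software

    def bind(self, message: bytes) -> dict:
        """Associate the message with the next counter value and authenticate the pair."""
        self.counter += 1
        return {"seq": self.counter, "msg": message, "tag": self._tag(self.counter, message)}

    def _tag(self, seq: int, message: bytes) -> bytes:
        return hmac.new(self._key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()

    def verify_tag(self, entry: dict) -> bool:
        return hmac.compare_digest(self._tag(entry["seq"], entry["msg"]), entry["tag"])


def audit(log: list, chip: Authenticator) -> list:
    """Return a list of problems found; an empty list means the log is intact."""
    problems = []
    expected = 1
    for entry in log:
        if entry["seq"] != expected:  # a missing entry leaves a hole in the sequence
            problems.append(f"gap: expected seq {expected}, found {entry['seq']}")
            expected = entry["seq"]
        if not chip.verify_tag(entry):  # edited text no longer matches the tag
            problems.append(f"bad tag on seq {entry['seq']}")
        expected += 1
    if expected - 1 != chip.counter:  # chip advanced further than the log shows
        problems.append(f"truncated: log ends at {expected - 1}, chip counter is {chip.counter}")
    return problems


def demo() -> dict:
    """Constructed log of three entries, then three ways a root user might tamper with it."""
    chip = Authenticator(b"constructed-demo-key")
    log = [chip.bind(m) for m in (b"boot ok", b"admin changed config", b"admin logout")]
    return {
        "intact": audit(log, chip),
        "deleted": audit([log[0], log[2]], chip),                         # middle entry removed
        "altered": audit([log[0], dict(log[1], msg=b"no-op"), log[2]], chip),  # message rewritten
        "truncated": audit(log[:2], chip),                                # tail dropped
    }
```

Note that software with root access can still stop new entries from being written; what it cannot do is make the past quietly disappear, because the chip's counter keeps moving.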

~~~
colllectorof
If you trust the software you booted (which seems to be the main feature), why
would you need a hardware module to sign your logs? I.e. what additional
attack scenarios does hardware-based log signing prevent?

~~~
demosthenes111
The best security is like an onion. Let's say something goes wrong/funky and
you're concerned an outside actor may have somehow gained access to the
"secure" system. Can you trust your logs?

------
sbarre
Pardon my ignorance in hardware matters, but I would assume Google gets these
manufactured via a third-party.

What would be the process for verifying that the chip itself has not been
compromised during manufacture?

Is this a hardware + software verification combo, so a tainted chip would not
be recognized as valid by the software - so you'd need to compromise both to
bypass?

~~~
kurthr
Typically, a digital chip such as this is designed with Verilog (or VHDL in
Europe) for RTL. Most hardware compilers then also provide test vectors (for
registers and logic) and built-in boundary scan through SPI. When contracting
the chip your in-house design software then generates GDS (semiconductor mask
design format) which you provide to the vendor. Even without obfuscation, it
would be enormously difficult to reverse engineer enough of the design to pass
the boundary scan test vectors. Certainly, after manufacture you can decap and
check that the product matches the mask.

There are various extra design and production steps I'd go through for crypto
verification and test, but it would be difficult to fake a chip if they allow
verification after SMT on the PCB. After that, physical access and fairly
sophisticated methods could bypass it, but you're already trusting TehGoog...
so NoSuchAgency shouldn't be your concern.

~~~
buildbot
Unfortunately this is still susceptible to attacks like this:
[http://jantsch.se/AxelJantsch/papers/2016/ChristianKrieg-ICCAD.pdf](http://jantsch.se/AxelJantsch/papers/2016/ChristianKrieg-ICCAD.pdf)

Which is focused on attacking an FPGA, however the general idea of injecting
hard to detect hardware via the tools themselves is a real problem.

------
bluegate010
Hey HN, I'm one of the engineers on the team behind Titan, feel free to AMA.

~~~
kop316
Hello!

I am curious about a couple of things:

Assuming you use Intel chips, how do you manage to trust the firmware/ME from
them? Do you write your own BIOS to ensure that it is safe? Or do you use
ARM/PowerPC/other ISA and have an entirely open source stack?

Does the Titan assume no physical access? And if you do assume someone could
steal the chip/try to reverse engineer the chip, do you have anything in it to
stop an adversary? I would wonder if there is a private/nation-state agency
that would want access to certain secrets so badly that they would try to
alter it physically, rather than through root access.

~~~
bluegate010
Both the Titan chip and all software that runs on it are designed entirely in-
house, so we have full control over the stack. And we do have physical
tampering countermeasures in place.

------
bobbypage
I wonder how this type of security hardware compares to other clouds (AWS,
Azure, etc...)? Do they have something comparable?

~~~
nellydpa
AWS and Azure most likely (not publicly announced) are working on hardening
their servers. Based on
[http://ca.reuters.com/article/technologyNews/idCAKCN1B22D6-O...](http://ca.reuters.com/article/technologyNews/idCAKCN1B22D6-OCATC?utm_source=34553&utm_medium=partner):

"Neither Amazon.com nor Microsoft - which hold 41 percent and 13 percent of
cloud market share, respectively, according to Synergy Research Group - have
said if they have similar features."

------
pcunite
The red circuit board/chip image in the article is not of the actual chip. May
I see it?

The caption reads, "Photograph of Titan up-close on a printed circuit board",
which is unfortunately untrue:

[https://1.bp.blogspot.com/-027iovJ94yk/WZ8ZDw4MNvI/AAAAAAAAE...](https://1.bp.blogspot.com/-027iovJ94yk/WZ8ZDw4MNvI/AAAAAAAAEUM/LHjr4KnsLjw-L5owy2RJinEC2VqdIbECACLcBGAs/s1600/titan-1.png)

~~~
bluegate010
We've actually got Titan earring swag we'll hopefully start distributing at
upcoming recruiting / customer events, so images may start cropping up in
short order.

Why earrings? See the Titan announce video[0].

[0]
[https://www.youtube.com/watch?v=kwnWfHq2EfQ&t=1882](https://www.youtube.com/watch?v=kwnWfHq2EfQ&t=1882)

------
colllectorof
I've heard about this chip, but I still don't get what specific scenarios it's
designed to prevent compared to "traditional" secure boot. The article lists a
lot of things Titan does without going into what practical benefits all of
those features offer compared to the current industry practices.

~~~
bluegate010
A couple of practical benefits of Titan are that we can use it in many different
environments where traditional secure boot is not available. For example,
we're using it in both servers and in our custom networking card.

In addition, traditional secure boot doesn't give us a hardware root of trust,
nor does it enable tamper-evident logging.

------
egberts1
Oh. This chip is a fail, security-wise.

~~~
rhencke
Can you explain your thoughts in more detail? What about it do you feel is a
failure, regarding security?

------
Simon_says
What does any of this matter against National Security Letters? There's no
place safe in the US.

~~~
Buge
Titan is not a protection against National Security Letters, it's a protection
against hacking. NSA, China, and Russia have all successfully hacked Google or
Google accounts in the past.

National Security Letters can be challenged in court. You fight legal attacks
with legal defenses. You fight technical attacks with technical defenses.
Although swapping them does give rise to some interesting techniques. Legally
challenging technical attacks can be tricky due to jurisdiction, but it would
be cool if Google could at least try suing the countries that attacked them.
Technical defenses against legal attacks can also sometimes work, by building
systems where the company themselves don't have access, such as E2E crypto.

------
pmlnr
News like this makes me sad. Google is becoming a government agency-like
customised fortress from the cold war, and general computing gets phased out,
just like Cory Doctorow said.[^1] Technologically, it's fantastic, but I do
not welcome the philosophy it's bringing.

[^1]: [https://techcrunch.com/2015/04/18/on-the-war-on-general-purpose-computing/](https://techcrunch.com/2015/04/18/on-the-war-on-general-purpose-computing/)

~~~
Buge
I agree with Doctorow that it is a problem if I the consumer am prevented from
making my computer do what I want by secure boot.

But Titan doesn't really have that problem. Google owns the computers, and
Google can make the computers do what they want because they have the signing
keys.

If Titan-controlled devices were sold to consumers with no way to disable it,
that would be a problem.

