A new kind of code protection - Page 5 — Parallax Forums

A new kind of code protection

Comments

  • cgracey Posts: 14,152
    TonyB_ wrote: »
    The fuses have gone - just let go.

    Let it go, let it go...

  • Heater. Posts: 21,230
    Those Disney guys sure know how to play on one's emotions:

    "My soul is spiraling in frozen fractals all around."

    What?

    Welcome to Finland. I feel better already!


  • cgracey Posts: 14,152
    A few years ago, EVERY little kid was singing that song (boys too). I think adults became permanently tired of it. I did, anyway.
  • Let go of the fuses, don't let go of other ways to prevent or deter cloning and software theft.
  • evanh Posts: 15,915
    jmg wrote: »
    ...
    "High security enabled by AES-128 cryptography, high assurance boot (HAB), TRNG and on-the-fly QSPI flash decryption"

    the on-the-fly QSPI flash decryption sounds impressive.
    That'll be a necessity for secured XIP in insecure locations.
  • Phil Pilgrim (PhiPi) Posts: 23,514
    edited 2017-10-24 02:02
    Tony_B wrote:
    Let go of the fuses, don't let go of other ways to prevent or deter cloning and software theft.
    There are no other ways, absent user-writable NV bits on-chip. But, yes, forget security, and forge ahead!

    -Phil
  • How hard could it be?

    https://arstechnica.com/information-technology/2017/10/crippling-crypto-weakness-opens-millions-of-smartcards-to-cloning/

    If you can put a little non-obvious piece of your solution in a separate secure cheap micro then that's always a possibility. Not just a dongle, but something actually part of your solution. Maybe it could just handle serial interfaces or PWM or ...
  • Um, why are there more replies here? Fuses are gone, code protection is outside of the P2 now, so there is absolutely no reason to keep trying to put some insecure attempt back in.
    Just stop.
  • Thanks, Roy. I can't, for the life of me, understand why this thread still has legs.

    -Phil
  • Do you guys view this as a distraction to Chip, so you are trying to protect him? Or believe that it's damaging to Parallax in some other way? If so, perhaps writing directly to Chip and Ken would be the way to go?
  • KeithE wrote:
    Do you guys view this as a distraction to Chip, so you are trying to protect him? Or believe that it's damaging to Parallax in some other way?
    Neither. It's a steadfast assuredness, based upon amateur cryptography's record of zero success, that this thread is both spurious and a total waste of time and resources.

    If someone here had a Ph.D. in number theory and combinatorics, plus twenty years' experience in applied cryptographic security, and had some ideas to consider, they'd be worth listening to. But that will never happen, given the stated system constraints (i.e. no writable NV bits).

    -Phil
  • Ok. I can’t disagree with that. There are plenty of ways to use off the shelf crypto in ineffective ways. At this point if nobody has managed to protect a P1 design - then it’s either not a real problem or ...
  • rjo__ Posts: 2,114
    OK... the title is..."A new way of code protection" by Chip Gracey.
    Chip didn't name it: "Let's just forget security issues."

    Let's accept that there is no perfect security. Let's also accept that there is a potential market for anything that tends to make code theft more difficult. Let's also admit that anything developed for the P2 might have general applications for other MCUs.

    None of that says to me that this discussion is off track or spurious.

    It might be a waste of time, but only if a reader is interested in the topic but doesn't learn anything from the thread.
    (Phil would be a good candidate:)

    I find it hard to believe that all amateur attempts have had zero success... that not one theft was prevented. But even if it is true,
    that doesn't prove or really even suggest that it is impossible.

    When we were developing medical software, we used a dongle.

    No-one ever stole a line of code, but I doubt that anyone really tried. Small market, everyone knows everyone. If they couldn't buy you or bribe you, they really didn't proceed. When we were doing more interesting work, the Government stole my lead programmer. Nothing you can do about it... if it is really valuable, and you aren't a fairly large company... sell out and find a new project.

    Adding a few layers of security will deter a lot of theft. Working in areas where there is a tiny market will deter theft too.

    Phil is right... it looks like any external encryption can be broken, but that doesn't mean it is a waste of time to talk about it.
  • Phil Pilgrim (PhiPi) Posts: 23,514
    edited 2017-10-24 05:47
    rjo__ wrote:
    Adding a few layers of security will deter a lot of theft.
    If I believed that were true, I would not be so adamant about exposing the frivolity of attempts to do so.

    The fact is that Parallax must either sell a system that's truly secure or disavow any possibility that it can be made secure. There is no middle ground. If they tried to claim even a modicum of security when it cannot be guaranteed, they expose themselves to liability when such security is compromised. And it will be.

    This isn't like some small town wherein the locks on people's doors can be breached with a #10 sheet metal screw and a claw hammer (e.g. Kwikset locks).

    But it's still a deterrent, right?

    No.

    By designing and marketing a new microcontroller, Parallax will be diving head-first into a world that doesn't suffer half-solutions. When you enter the water, you enter the food chain. And it ain't pretty: there be sharks about.

    -Phil
  • cgracey Posts: 14,152
    edited 2017-10-24 06:29
    Rjo__ is right about a dongle, though.

    Imagine if you had the smallest, cheapest MCU acquirable (SOT23-5, $0.25) connected to one I/O pin. You have ongoing send/receive communication with it. 99.99% of activity can be for show, but the 0.01% can be some meaningful activity that validates your security status. Say the Prop2 dongle-check code is scrambled PASM in the flash image, but gets unscrambled at run time, for use. This could be a pain to unravel, and not worth the trouble. It's actually more than any likely customer would need, given that the Prop2 is bound for expensive low-run-rate products that aren't going to attract the level of interest that a $0.05 computer stamped into a smart payment card would receive.

    What if the little MCU gets completely configured with code and a random number on each download to flash? Just click a check-box and set the pin number in a download-settings menu and it's taken care of. Tell the world that it's not totally secure, but can be tailored over time to keep the attackers busy. I wouldn't want to attempt to unravel that.
  • Chip,

    I stand by my comments. There is nothing short of writable NV memory on-chip that will provide Parallax any standing to make a claim of program security to its customers. But the P2 will not have that kind of memory, and that's okay.

    "Keeping the attackers busy" is a pipe dream. I think you'd be shocked how quickly such a system could be breached, given a dedicated attack. There are people who will see it as a challenge to crack, just for fun. And they will succeed.

    I hope you're not stressing over code security, as the P2 will still have plenty of market appeal without it. It's time to put security concerns behind you and move on. Please.

    -Phil
  • cgracey Posts: 14,152
    edited 2017-10-24 07:59
    Okay. I'll let it go.

    I once had a few consecutive days when I was 17 years old, where I was certain that I had found a way to reliably compress 24 bits into 20 bits. I had visions of running that thing like an infinite compactor, so that I'd be able to make a small file that could decompress into every game my ISEPIC had cracked on the Commodore 64. That was so exhilarating! People told me it wouldn't work, but I knew better.
  • Cluso99 Posts: 18,069
    edited 2017-10-24 09:01
    True story.

    In the early 80s I designed and coded a board that used two single chip micros with internal uv eprom, and not much else. The tiny pcb replaced a huge board full of logic. The raw cost was small compared to the time that went into coding the software. So there was a big markup to cover the development costs. The micro I used was touted as secure although I was fairly sure that the manufacturer may have a way that they weren't releasing.

    I sold them in the hundreds in Oz. They were attached to a mini computer.

    On a visit from the parent company to Oz, the rep wanted to take one of our boards back home. The local guy we dealt with told the visitor that I used a micro that couldn't dump the code as he suspected that was what he wanted it for. After that info, the guy no longer wanted a unit.

    A year later the parent company brought out a knock-off single chip micro. They didn't understand what my software did, so there were areas where their unit failed. So I continued to supply Oz, and then picked up NZ and the USA too.

    If they had been able to dump my code it would have been easy to see what I did, and their device would have worked.

    Some 30 years later, someone did find a way to work out the code loaded in the micro.

    I have also used other methods to obfuscate code in some of my other designs.

    There are so many stories out there of ip theft. Some of the biggest companies are not immune from deliberately stealing ip and when found out embarked on legal tactics to prevent paying up. Compression in MSDOS 6 rings a bell.

    Unfortunately the anticipated use of P2 is in small volumes with large margins, which are precisely the targets for ip theft.
  • ErNa Posts: 1,752
    Once upon a time I understood that transistors are current amplifiers so I bought a bunch of power transistors (AD..) to get rid of the electrolytics in my power supply. ..
    Kaspersky now open sources, because it makes no sense to try to hide, that the virus scanner is a spy and in the end no one will figure out, how this feature is implemented. ;-) Safety is just a feeling, and we should hand over this task to the NRA, in the end more lives will be lost by code protection than by code stolen.
  • There is off-chip battery-backed RAM available. With that, you could store a decryption key in the battery RAM, and put a tripwire in your manufacturing box that kills the battery when you open the box. I've seen that before in "high security" applications. That has no requirements on the prop at all.
  • How big is the ROM and will it be used just for booting?
  • cgracey Posts: 14,152
    TonyB_ wrote: »
    How big is the ROM and will it be used just for booting?

    It's 16KB, but we are only using a tenth of it.

  • cgracey wrote: »
    TonyB_ wrote: »
    How big is the ROM and will it be used just for booting?

    It's 16KB, but we are only using a tenth of it.
    Time to add the Forth interpreter! :-)

  • cgracey Posts: 14,152
    David Betz wrote: »
    cgracey wrote: »
    TonyB_ wrote: »
    How big is the ROM and will it be used just for booting?

    It's 16KB, but we are only using a tenth of it.
    Time to add the Forth interpreter! :-)

    Interesting. A Forth monitor?
  • Phil Pilgrim (PhiPi) Posts: 23,514
    edited 2017-10-24 15:45
    David Betz wrote:
    Time to add the Forth interpreter!
    All smilies aside, that would be super cool! But is there time?

    -Phil
  • cgracey wrote: »
    David Betz wrote: »
    cgracey wrote: »
    TonyB_ wrote: »
    How big is the ROM and will it be used just for booting?

    It's 16KB, but we are only using a tenth of it.
    Time to add the Forth interpreter! :-)

    Interesting. A Forth monitor?

    Yes! Get Peter to write it for you.

  • But why? That just complicates the boot sequence for a feature that's not going to be used 99.9% of the time. Not only that, but it cannot be updated. Just stick to loading a monitor (of your choice) over serial when it's needed.
  • cgracey Posts: 14,152
    edited 2017-10-24 16:37
    It's true that a whole Forth could be squirted in with a single paste:

    > Prop_Txt 0 0 0 0 fkjhsdfkjlshdfkas897sdf987asdf978asdf987sdf987sdf ...etc.

    So could a monitor. Or a whole IDE.
  • DrPop Posts: 227
    edited 2017-10-24 16:38
    David Betz wrote: »
    Time to add the Forth interpreter! :-)

    That would be very cool if Peter is willing. Definitely looks like there's room for it!