Military technology can be compromised following foreign sales to an ally, accidental loss, or capture during a conflict by an enemy. There is a growing threat of reverse engineering of US military systems by Russia and China. On the commercial side, China has a long history of reverse engineering intellectual property of all kinds and then closing its markets to all but Chinese companies. But when this tendency is applied to military systems the stakes are even higher, threatening to erode the US edge in national security. Likewise, the Soviets reverse engineered the Sidewinder air-to-air missile. China learnt extensively from the F-117 that crashed in Serbia in 1999 through inspection and analysis of the aircraft’s stealth features.
Because U.S. military hardware and software have a high technical content that provides a qualitative edge, protection of this technological superiority is a high priority.
Anti-Tamper (AT) encompasses the systems engineering activities intended to deter, prevent, delay, or respond to reverse engineering (RE) attempts that may lead to compromise of Critical Program Information (CPI) in US weapons systems. AT’s goal is to prevent adversary countermeasure development, unintended technology transfer, or alteration of a system due to RE.
These activities involve the entire life cycle of systems acquisition, including research, design, development, implementation and testing of AT measures. Properly employed, AT adds significant longevity to CPI by deterring efforts to reverse-engineer, exploit, or develop countermeasures against a system or system component.
Determining Anti-Tamper Requirements
The use of AT protective techniques will vary depending on the technology being protected. For example, state-of-the-art technology of a critical nature typically requires more sophisticated AT applications. Some examples of AT techniques include software encryption, integrated circuit protective coatings, and hardware access denial systems.
The process of interest can be divided into two main parts: the front half, which involves developing an estimate of the means and probability of exploitation, and the back half, where one determines an appropriate solution to the need once it has been properly characterized.
The first of these steps is to identify the critical technologies that are under consideration for design into a weapon system. According to the Department of Defense (DoD) 5200.1-M, an essential or critical technology is one that “if compromised would degrade combat effectiveness, shorten the expected combat effective life of the system, or significantly alter program direction.” Access to such information could force undesirable changes to tactics and concepts of operations (conops), premature retirement of a weapons system, or major system design changes to regain some level of effectiveness.
Critical technologies include both software and hardware. Once these technologies have been identified, the “threats” to them are usually ascertained through some process involving “red-teaming” or scrutiny by those experts in friendly and adversarial exploitation. This step consists not only of identifying who might be interested and capable of exploiting identified critical technologies, but why and how they might be exploited. Technologies can be exploited to determine how they can be defeated or how they can be reengineered and improved upon.
…a multidisciplinary counterintelligence threat assessment and a risk assessment are conducted. These assessments provide the basis for any decision pertaining to the protection of the [critical technologies] as part of the overall risk management strategy and the implementation of cost-effective risk mitigation measures (i.e.,
The next two steps consist of identifying both vulnerabilities of critical technologies to exploitation and the actual means by which they might be exploited. Again, these assessments must look to the hardware and software aspects of a system and their relationship to system performance. These steps are critical to the design efforts going into the weapon system proper, since they usually indicate if and where measures must be taken to protect the constituent critical technologies.
While understanding how a critical technology can be exploited is very insightful, so is projecting what the impacts would be if exploitation efforts were indeed successful. For example, if a critical technology is exploited, it may result in countermeasure developments that render the weapon system performance inadequate to do the job. By the same token, exploitation may not result in lost capability if other factors are important to the realization of a weapon system’s full performance potential. Another factor that should be considered is the cost to develop replacement technology or to find other means to regain lost military advantage. Such data can be important for determining whether the cost of incorporating protective schemes is worthwhile compared to the cost of measures that must be taken once a technology is compromised.
The last step in the front half of the requirements process is to assess possible exploitation timelines that serve to mitigate the need for, or required amount of, AT necessary for a weapon system. To illustrate, consider the impact of the pace of technological advancement in the microprocessor field. When a certain microprocessor, let us say an application-specific integrated circuit (ASIC), is designed into a weapon system, it may indeed represent a critical technology. But when one considers that similar commercial technology will match and overcome the ASIC’s performance capabilities within 3 to 5 years, it may not make much sense to invest heavily in its protection through AT. The technological advantage will be lost in a relatively short amount of time through means available on the open market.
In contrast, consider the case of protection of software through encryption. Use of more sophisticated means for encryption may not render a software code absolutely secure, but it might increase the time it takes to break the encryption code by an order of magnitude—ensuring that the weapon cannot be exploited during its expected life.
Once the first six steps of the process are complete, then a preliminary requirement for AT can be stipulated. The second main part or back half of the requirements process consists of four steps. The first of these is to identify AT techniques that are available to counter the exploitation threats. The nature of the critical technologies requiring protection will naturally provide a first filter for those techniques that may have application. At this stage the alternatives being considered may be quite different even if they have the same end result, that is, to inhibit exploitation. The second step is to select a preliminary set of potential countermeasures that are identified for more in-depth analysis. This first “cut” can usually be accomplished by eliminating those options whose affordability or efficacy is clearly unattractive compared to the other options. Typically a top-level look at the countermeasures proposed will surface relative strengths and weaknesses that facilitate this initial tradeoff.
During the third step a traditional engineering design analysis is conducted in which all considerations are accounted for and evaluated. On the weapon system design side such considerations include life-cycle cost, implications for schedule (both development and production), impact on weapon system performance, ease of manufacture, reliability and maintainability, and safety.
The last step in the AT requirements process is final selection of the favored solution set. This solution may not be unique; another choice may achieve similar results at a similar cost.
Some of the techniques include:
• nonetchable thin opaque coatings applied to semiconductor wafers;
• self-destructing components; and
• cryptography to include encryption and decryption.
Air Force surveyed industry for trusted computing, anti-tamper enabling technologies in embedded computing in 2019
The US Air Force has long been aware of this problem, and in 2019 U.S. Air Force researchers asked industry for new anti-tamper technologies to help safeguard U.S. military weapon systems from exploitation, reverse engineering, technology theft, and countermeasures.
A basic EoS concept involves a security architecture that provides a secure boot with a secure device, often referred to as a root of security (RoS), which verifies and extends security to a second device responsible for CPI processing.
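The chain described above, a root of security that verifies a second device's code before handing control to it and records what it verified, can be shown as a small simulation. The following is an added example written for this page, not code from the Air Force solicitation or any vendor; the two-stage images, the device key and the measurement register are all constructed. It uses an HMAC tag to keep the example standard-library only; a real RoS would hold a public key in fuses and verify an asymmetric signature over each image, but the control flow (verify, extend the measurement, then and only then load) is the same.

```python
import hashlib
import hmac

# Constructed device-unique verification key. Assumption: in a real root of
# security this lives in fuses or a secure element and never leaves the part.
ROS_KEY = b"constructed-device-unique-key-0001"


def sign_image(key: bytes, image: bytes) -> bytes:
    """Manufacturer-side step: produce the authentication tag shipped with an image."""
    return hmac.new(key, image, hashlib.sha256).digest()


class RootOfSecurity:
    """Verifies each boot stage and extends a measurement register (PCR-style)."""

    def __init__(self, key: bytes):
        self._key = key
        self.measurement = bytes(32)   # register starts at all zeros
        self.log = []                  # (stage name, outcome) in boot order

    def verify_and_extend(self, name: str, image: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, image, hashlib.sha256).digest()
        # Constant-time comparison: a tag mismatch means the image was altered
        # or was never authorised for this device.
        if not hmac.compare_digest(expected, tag):
            self.log.append((name, "REJECTED"))
            return False
        digest = hashlib.sha256(image).digest()
        # Extend: new = H(old || H(image)); order of stages is therefore bound in.
        self.measurement = hashlib.sha256(self.measurement + digest).digest()
        self.log.append((name, "verified"))
        return True


def boot(ros: RootOfSecurity, stages) -> bool:
    """stages: list of (name, image, tag). Stops at the first stage that fails."""
    for name, image, tag in stages:
        if not ros.verify_and_extend(name, image, tag):
            return False          # security is not extended to an unverified device
    return True


def run_secure_boot(tamper_stage2: bool = False):
    """Constructed two-stage chain: bootloader, then CPI-processing firmware.

    Returns (booted, measurement_hex, log).
    """
    bootloader = b"constructed stage-1 bootloader image v1"
    cpi_fw = b"constructed stage-2 CPI-processing firmware v7"
    stages = [
        ("stage1-bootloader", bootloader, sign_image(ROS_KEY, bootloader)),
        ("stage2-cpi-processor", cpi_fw, sign_image(ROS_KEY, cpi_fw)),
    ]
    if tamper_stage2:
        # Modified second-stage image presented with the original, valid tag.
        name, _, tag = stages[1]
        stages[1] = (name, cpi_fw + b" [modified]", tag)
    ros = RootOfSecurity(ROS_KEY)
    booted = boot(ros, stages)
    return booted, ros.measurement.hex(), ros.log


if __name__ == "__main__":
    for tampered in (False, True):
        ok, meas, log = run_secure_boot(tamper_stage2=tampered)
        print("tampered" if tampered else "clean   ", ok, meas[:16], log)
```

The measurement register is what a remote verifier or the second device itself can later compare against a known-good value: the clean chain always yields the same hex string, while an altered second stage both aborts the boot and leaves a register that reflects only the first stage.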
Secure COTS FPGA enabling technologies should enable secure FPGA software that resides on programmable hardware to protect CPI at rest and during run time from known exploitation techniques.
Secure COTS CPI processing should prevent the exploitation of CPI from systems assembled from high-performance COTS parts. The secure COTS architectures will be compatible with defense industry open-architecture design methods to enable upgrades of unsecure systems to more secure versions.
Anti-tamper secure microcontroller technologies should establish and extend roots of trust, and will be compatible with defense industry open-architecture design methods to enable upgrades of unsecure systems to more secure versions.
Volume protection within secure COTS architectures involves technologies to enable volume protection of CPI storage and processing components and software in COTS hardware architectures that can withstand repeated attempts to access CPI and protect CPI during all stages of operation.
Air Force mulls 10-year half-billion-dollar program for anti-tamper technologies in August 2022
Officials of the Air Force Life Cycle Management Center’s Anti-Tamper Executive Agent Program Office (ATEA PO) at Wright-Patterson Air Force Base, Ohio, released a draft request for proposal (AT2022DraftRFP) in August 2022 for the Anti-Tamper Executive Agent Program Office Multiple Award Indefinite Delivery/Indefinite Quantity Contract (MAC ID/IQ) project.
This requirement is in support of new or ongoing research and development efforts to deliver AT technologies that are resistant to the latest RE methods and to provide AT solutions to weapon systems and platforms protecting DoD CPI or Critical Technology from reverse engineering. AT is a multitude of evolving technologies that require consistent, never-ending refinement. As technologies evolve, so must AT techniques and technologies, to keep pace with the always-growing electrical, electronic, digital, optical, and materials fields.
These technologies include, but are not limited to, software, hardware, component design, component packaging, materials development and application methods, manufacturing, and key management solutions.
TECHNOLOGY AND PRODUCT DEVELOPMENT AREAS
The following sections provide general guidance on the scope of the AT MAC ID/IQ technology and product development efforts required for this effort.
4.1. Secure Processing
The contractor shall establish products and technologies designed to establish and maintain a secure processing environment. These include, but are not limited to, single board computers, custom microelectronics, commercial microelectronics, or modified commercial processing devices. The contractor shall demonstrate techniques to extend security from one device to another. These include, but are not limited to, physical hardware, intellectual property (IP), or software that is used to manage security.
4.2. Volume Protection and Sensors
The contractor shall establish and maintain a secure physical boundary around critical components in products. This includes detecting and preventing non-privileged users from gaining access to the critical components or the information contained within. The products include, but are not limited to, protections for Line Replaceable Units (LRU) and Shop Replaceable Units (SRU).
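Both the volume-protection paragraph in the 2019 survey and section 4.2 above describe the same mechanism: sensors on a physical boundary, and a response that denies CPI once the boundary is breached (the "self-destructing components" listed earlier). The following added example, written for this page and not taken from the solicitation or any product, simulates that loop. The sensor channels, thresholds and key bytes are constructed assumptions; real limits come from the enclosure design, and real zeroization clears key registers in hardware rather than a Python bytearray.

```python
from dataclasses import dataclass


@dataclass
class SensorReading:
    mesh_intact: bool   # continuity of the conductive mesh / envelope
    light_lux: float    # light inside a supposedly sealed volume
    temp_c: float       # out-of-range temperature, including chilling, is suspicious
    voltage_v: float    # supply rail; glitching shows up here

# Constructed limits (assumption: taken from the enclosure's qualification data).
LIMITS = {"light_max": 1.0, "temp_min": -20.0, "temp_max": 70.0,
          "volt_min": 3.0, "volt_max": 3.6}


class KeyStore:
    """Holds the key that protects CPI; zeroized on tamper and never restored."""

    def __init__(self, key: bytes):
        self._key = bytearray(key)
        self.zeroized = False

    def zeroize(self):
        for i in range(len(self._key)):
            self._key[i] = 0
        self.zeroized = True

    def key(self) -> bytes:
        if self.zeroized:
            raise RuntimeError("key material has been zeroized")
        return bytes(self._key)


class VolumeProtectionMonitor:
    """Evaluates readings; any violation latches the tamper state and zeroizes."""

    def __init__(self, keystore: KeyStore):
        self.keystore = keystore
        self.tampered = False
        self.events = []   # list of reason lists, one per triggering reading

    @staticmethod
    def violations(r: SensorReading) -> list:
        reasons = []
        if not r.mesh_intact:
            reasons.append("mesh breach")
        if r.light_lux > LIMITS["light_max"]:
            reasons.append("light intrusion")
        if not LIMITS["temp_min"] <= r.temp_c <= LIMITS["temp_max"]:
            reasons.append("temperature out of range")
        if not LIMITS["volt_min"] <= r.voltage_v <= LIMITS["volt_max"]:
            reasons.append("supply voltage out of range")
        return reasons

    def evaluate(self, r: SensorReading) -> bool:
        if self.tampered:
            return True            # latched: a return to normal readings does not clear it
        reasons = self.violations(r)
        if reasons:
            self.keystore.zeroize()
            self.tampered = True
            self.events.append(reasons)
        return self.tampered


def run_monitor(readings):
    """Feed a sequence of readings; return (tampered, key_zeroized, events, key_readable)."""
    ks = KeyStore(b"constructed-cpi-key-0123456789abcdef")
    mon = VolumeProtectionMonitor(ks)
    for r in readings:
        mon.evaluate(r)
    try:
        ks.key()
        readable = True
    except RuntimeError:
        readable = False
    return mon.tampered, ks.zeroized, mon.events, readable


# Constructed sample traces: a normal operating window, then a breach followed
# by readings that look normal again (the latch must hold).
NORMAL = [SensorReading(True, 0.0, 24.0, 3.3), SensorReading(True, 0.1, 31.5, 3.29)]
BREACH = NORMAL + [SensorReading(False, 120.0, 24.0, 3.3)] + NORMAL
CHILL = NORMAL + [SensorReading(True, 0.0, -45.0, 3.3)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("breach", BREACH), ("chill", CHILL)):
        print(name, run_monitor(trace))
```

The design point worth noting is the latch: once any channel trips, the key is gone and the monitor stays in the tamper state regardless of later readings, which is what makes "withstand repeated attempts" meaningful. The cost is that a false trip is as destructive as a real one, so sensor thresholds and the policy for each channel are part of the engineering trade-off described in the requirements process.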
4.3. Cryptographic Protection
The contractor shall design and demonstrate protection of critical information in products and technology through cryptography. These include, but are not limited to, algorithms, cryptographic key generating methods, key storage products, or techniques to reduce the ability of an adversary to gain access to key material.
The results of AT development provide engineers and system and platform developers with the tools and techniques necessary to protect CPI. Each AT development effort defends against one or more specific RE attacks. The specific capabilities are defensive measures including, but not limited to, parts, hardware, firmware, software, materials, data, etc., incorporated into the platform or system to protect against open source or classified attacks. As attacks mature, AT development must mature in a flexible and extensible manner.