In 1883, Auguste Kerckhoffs published six rules for military cryptography in La Cryptographie Militaire. One of them withstood the test of time and has become known as Kerckhoffs’s principle, which stresses the need for “secret keys instead of secret algorithms.”
Figure 1. Auguste Kerckhoffs established basic principles for modern electronic security. Image used courtesy of HEC Paris.
Translated from French, Kerckhoffs’s principle states that “the system should not depend on secrecy, and it should be able to fall into the enemy’s hands without disadvantage.” Or, as the father of the information age, Claude Shannon, put it, “the enemy knows the system.”
The Fallacy of Security Through Obscurity
Were he alive today, Kerckhoffs would have had little time for the concept of “security through obscurity” in silicon. That’s because once a motivated attacker gets their hands on a device, there are a variety of software and hardware exploits and techniques that can reveal what may otherwise have been intended as secret design information.
Of course, the compromise of ‘secret’ IP in silicon can happen prior to manufacture too. With large teams, secrecy becomes difficult to maintain, and the attack surface grows. Exploits that lead to data exfiltration (as happened to European chipmaker NXP) are not uncommon.
For these reasons and others, security through obscurity is dangerous, argues Columbia professor Steven M. Bellovin: “Hiding security vulnerabilities in algorithms, software, and/or hardware decreases the likelihood they will be repaired and increases the likelihood that they can and will be exploited by evil-doers.”
Embracing Kerckhoffs’s Principle With Open Source
By contrast, the transparency of open source IP development aligns with Kerckhoffs’s principle. At its best, a global community of developers, researchers, and security experts collaborate in the spirit of continuous improvement. This way of working can allow vulnerabilities to be discovered rapidly, assessed rigorously, and patches and updates created and distributed quickly.
However, transparency is a somewhat double-edged sword, as an open design repository (and its accompanying issue tracker) could potentially disclose—and possibly even explain—vulnerabilities to malicious actors who are, as a result, better able to exploit them.
In a similar vein, an open source system may be vulnerable to sabotage by malicious contributors if that project’s maintainers are not vigilant. In one (now-infamous) example, a security researcher discovered that a backdoor had been inserted this way into XZ Utils, a set of open source command-line tools and libraries for lossless data compression. This backdoor would allow remote unauthenticated attackers to achieve remote code execution on the infected systems.
This is a genuine concern but can be addressed. Ultimately, the best mitigation for maintainer risk is to work with well-funded open source projects that have dedicated project stewards, high-quality governance processes, and the resources to undertake regular security reviews.
Open Source Silicon Is Not the Same as Open Source Software
Another important consideration is that while open source silicon development is in many ways similar to that of software, there are also many fundamental differences between the two, as shown in Table 1.
Table 1. Key differences between typical open source software and silicon projects

| | Software | Silicon Design |
|---|---|---|
| Available skilled engineers | Many | Few |
| Tooling | Largely free | Mostly proprietary & expensive |
| Design turnaround | Months | Years |
| Bug fixes after deployment | Straightforward | Often impossible |
| End product | Virtual | Physical |
| 100% open IP for end product | Often possible | Currently impossible |
In particular, silicon hardware projects have a physical supply chain, high costs of production and distribution (both in terms of money and time), and the inability to ‘release early, release often.’ Therefore, they must be able to attract significant multi-year funding and have the heavyweight governance to go along with that if they are to deliver commercially relevant outputs.
Where Best To Focus the ‘Open’ In Open Source Silicon?
It is also important for open silicon projects to focus their efforts on those areas where full transparency is feasible for commercially viable designs. That’s why the most successful open silicon designs (such as OpenTitan and Caliptra) have devoted the most resources to opening up architecture, digital design, design verification, and firmware, as illustrated in Figure 2.
Figure 2. Commercially relevant open silicon projects take a focused approach. Image used courtesy of lowRISC.
They are relying on open ISAs, such as RISC-V, and less on open PDKs, analog IP, or fully open source EDA tooling flows (although the landscape continues to evolve).
Open Source Does Not Mean Unmanaged
In the final analysis, there are a few risks that are more pronounced in open source projects than in their closed, proprietary equivalents. However, open source designs hold major trump cards: their transparency and antifragility allow them to be rigorously tested and validated. So, the real challenge for open source projects is maintaining sufficient levels of resourcing and management to ensure that this vital work can be done and is done.
Kerckhoffs’s principle remains as relevant today as it was more than a century ago. Open source systems are inherently aligned with it, prioritizing transparency over obscurity. Of course, working in (or with) open source carries its own unique risks, which is why it’s so important for such projects to keep their governance, management, and maintenance aspects fully shipshape.
Done well, this unlocks the power of the open source community—with its collective expertise and shared commitment to improvement—to deliver systems where security is derived from peer review, continuous testing, and community-driven innovation.
Industry Articles are a form of content that allows industry partners to share useful news, messages, and technology with All About Circuits readers in a way editorial content is not well suited to. All Industry Articles are subject to strict editorial guidelines with the intention of offering readers useful news, technical expertise, or stories. The viewpoints and opinions expressed in Industry Articles are those of the partner and not necessarily those of All About Circuits or its writers.