Camille Morhardt 00:13
Hi, I’m Camille Morhardt, host of the InTechnology podcast. Thanks for joining me as we take a listen and look back at some listener favorite topics from this year. For this episode we’re gonna focus on cybersecurity. And our listeners were curious this year about several facets of cybersecurity—from firmware attacks to deep fakes.
Our conversation back in January with Jorge Myszne drew a lot of interest. Jorge is the co-founder of Chameleon, which is a hardware security start-up. Former co-host Tom Garrison and I invited him to the podcast to talk about firmware attacks. And Jorge told us that in the last three to four years, there’s been a five-fold increase in those attacks.
Jorge Myszne 00:53
It’s very difficult, one, to detect it, but two, it doesn’t disappear. It’s persistent, right? You turn off your computer, you turn it on, and it will load the same malicious firmware again. And if you are a smart attacker, you will disable the update so you can’t change it. So then physically you need to go and remove the flash or do something physically. So it’s very expensive. It’s not just having an antivirus and okay, let’s update the antivirus database. Right? It doesn’t work that way. And if you have it in a server, in a data center with 100,000 servers, you need to find that server and physically go and open it up and do something. That is very, very expensive.
The challenge is that the firmware is loaded before the operating system exists. So all the security tools that we use, let’s say, for example, an antivirus, are loaded after the operating system. An antivirus is an application, or kind of an application, right? So it runs after the firmware is loaded. So if the firmware is malicious, it’s very difficult for an application to understand that that firmware is malicious. So that’s why we need the root of trust. We need to stop that when it’s happening. And when it’s happening, there is no software yet. So it has to be done in hardware. We need to have a device in the system that is the root of trust, that is in charge of verifying that the firmware is correct, that it is authentic.
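To make that boot-time check concrete, here is a minimal sketch of the idea Jorge describes: measure the firmware image and refuse to continue if it does not match a known-good value. The file name and golden digest below are hypothetical, and a real root of trust performs this in dedicated hardware before any host code runs.

```python
# Illustrative sketch only: a hardware root of trust does this check in silicon
# before any firmware executes. File name and golden digest are hypothetical.
import hashlib
import hmac

# Measurement the vendor provisioned at manufacturing time (made-up value).
GOLDEN_FIRMWARE_SHA256 = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)

def measure_and_verify(firmware_path: str) -> bool:
    """Hash the firmware image and compare it to the known-good measurement."""
    with open(firmware_path, "rb") as f:
        digest = hashlib.sha256(f.read()).digest()
    # Constant-time comparison, as a real verifier would use.
    return hmac.compare_digest(digest, GOLDEN_FIRMWARE_SHA256)

if __name__ == "__main__":
    if measure_and_verify("bios_region.bin"):
        print("Firmware measurement matches: continue boot.")
    else:
        print("Firmware measurement mismatch: halt and report.")
```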
Tom Garrison 02:32
How do companies protect themselves against these attacks?
Jorge Myszne 02:38
Before we get into the system, actually the protection starts in the supply chain. And there are things that we do while the root of trust is added onto the server motherboard to bind it to the memory, so we are able to detect if someone changes things. Right? So we try to connect everything in a way that we can detect any changes that happen even before the system is turned on. And then when the system is turned on, we have a manifest, we have a database, we know what should be there, and we verify that what we have matches. And eventually we also can interrogate peripherals that are on the system and verify that those peripherals that boot by themselves are also original and authentic.
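As a rough illustration of that manifest check, the idea is simply to compare what is actually measured on the platform against a list of expected measurements. The component names and digests here are invented for the sketch.

```python
# Hypothetical manifest check: report any component whose measurement
# differs from what the manifest says should be on the board.
EXPECTED_MANIFEST = {
    "bios":      "a3f1...",   # expected SHA-256, truncated for readability
    "bmc":       "77c2...",
    "nic_oprom": "d41d...",
}

def verify_platform(measured: dict[str, str]) -> list[str]:
    """Return the components whose measurement does not match the manifest."""
    mismatches = []
    for component, expected_digest in EXPECTED_MANIFEST.items():
        if measured.get(component) != expected_digest:
            mismatches.append(component)
    return mismatches

# Example: the BMC firmware was replaced, so it no longer matches.
measured_now = {"bios": "a3f1...", "bmc": "0000...", "nic_oprom": "d41d..."}
print(verify_platform(measured_now))   # ['bmc']
```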
Camille Morhardt 03:29
Jorge Myszne is co-founder of Chameleon, a hardware security startup.
Our next listener favorite also touched on root of trust, but in this case, trust that your data is secure when you’re using it in the cloud. This is known as confidential computing. And we had the perfect expert, Mark Russinovich, Technical Fellow and Chief Technology Officer at Microsoft Azure, to explain.
Mark Russinovich 03:58
So confidential computing is the use of hardware to create enclaves or computational containers, where code and data can be protected while it’s in use. And that’s in contrast to the kinds of protections we’ve had up to now, which are protecting data at rest with encryption at rest, and protecting it on the wire with, for example, TLS.
And there’s another important aspect to confidential computing, this definition, which is not just protecting that code and data from external access and tampering, but also being able to attest to what’s inside of the container.
Camille Morhardt 04:36
Mark Russinovich spoke with me and guest co-host Anil Rao—an Intel Vice President and General Manager—about some of the leaps made this year toward confidential computing in the cloud.
Mark Russinovich 04:47
We are on the verge of really removing the last kind of caveats on confidential computing to make it ubiquitous. And so Microsoft’s goal, with support from Intel, is to aim for a confidential cloud. And that means that our PaaS services will all be confidential and have that extra layer of defense in depth, so that customers can protect their own workloads with very high degrees of policy controls and assurances that their data is being protected end to end, regardless of what kind of computations they’re going to perform on it–AI, ML, data analytics, or their own data processing. We’ve got confidential virtual machines that allow us to, for example, have confidential virtual desktops in Azure or confidential Kubernetes nodes in Azure. And we’re moving to flesh out the rest of that environment of confidential containers, confidential PaaS services. And in fact, we’ve got confidential Databricks that we’ve announced in partnership with Databricks.
So the foundation pieces are landing into place, and the barriers to adopting confidential computing are falling by the wayside. We’ve got confidential GPUs now, working with you; we’ve got TDX Connect to allow complete protection between a CPU and an accelerated device like a GPU. Things are landing in place, and we’re about to enter the phase of, hey, now the question won’t be “why can’t I do confidential computing?” It will be “why am I not doing confidential computing on the edge?”
Anil Rao 06:13
So Mark, one of the things that we know is that, with AI getting so pervasive and data flowing into so many different areas, we see that training is going to be done most often in a cloud kind of environment—not to say that inference is not happening there. But then the models get distributed, data gets distributed, and inference might happen at the edge, or even incremental training might happen in something like an edge environment. So given this to be the holistic scenario, what are your thoughts on a SaaS service like Intel Trust Authority? And what role does it play in order to provide assurance of security for those AI models that may float anywhere from cloud to edge to potentially even devices?
Mark Russinovich 07:05
Yeah, well, so a key part of confidential computing, like I mentioned, is attestation, and the verification of the claims that come from the hardware about what’s inside of the enclave. For somebody that is saying, “Can I trust this thing to release data to it? Or do I trust its answers coming back? And basically, do I trust that it is being protected by confidential computing hardware, like TDX, for example, or a confidential GPU?” That attestation report carries a lot of information that’s complex to reason over and come up with a valid “Yes, this is something I trust.” Not only that, but there can be configuration that is part of the attestation report that needs to also be looked at.
And then typically, there’s some policy of “I’ll trust things that are these versions and that have this configuration, and I won’t trust anything else.” And so for something that is going to establish trust in the enclave or the GPU, it actually simplifies things tremendously if you can offload the complexity of that policy evaluation, and of verifying that the hardware claims are actually valid and signed by Intel, for example, to an attestation service that does that complex processing and reasoning and policy evaluation. And so that’s exactly what Intel Trust Authority is: an attestation service at the core of it, which takes those claims so that the relying party, somebody that wants to see if they can trust something, can rely on the Trust Authority to say, “Yeah, this meets the policies that you’ve got, and it is valid confidential computing hardware that is protecting this piece of code, so you can trust releasing secrets to it.”
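A hedged sketch of the relying-party side Mark describes: instead of parsing raw hardware evidence, the relying party evaluates a small set of claims returned by an attestation service against its own policy. The claim names and policy fields below are invented for illustration and are not the actual Intel Trust Authority schema.

```python
# Hypothetical relying-party policy check over claims from an attestation service.
# Claim names, policy values, and digests are made up for illustration.
POLICY = {
    "min_tcb_version": 5,
    "allowed_measurements": {"9c1e...", "b7aa..."},   # trusted enclave builds
    "debug_must_be_disabled": True,
}

def evaluate(claims: dict) -> bool:
    """Decide whether to release secrets to the attested environment."""
    if claims.get("tcb_version", 0) < POLICY["min_tcb_version"]:
        return False
    if claims.get("measurement") not in POLICY["allowed_measurements"]:
        return False
    if POLICY["debug_must_be_disabled"] and claims.get("debug_enabled", True):
        return False
    return True

claims_from_service = {"tcb_version": 6, "measurement": "9c1e...", "debug_enabled": False}
print(evaluate(claims_from_service))   # True -> safe to release the secret
```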
Camille Morhardt 09:11
That was Mark Russinovich, Technical Fellow and CTO at Microsoft Azure. Our wide-ranging conversation with Mark also covered data sovereignty, confidential AI, and much more. To listen to the entire episode, which I recommend, click on the link in the show notes.
In the last of our listener favorites on cybersecurity, we move away from data protection to identity protection. With the advent of more and more powerful AI tools, there have been growing concerns about “fake” images and fake videos – commonly known as “deep fakes.” They look and sound authentic, but they aren’t.
In January, I spoke with Ilke Demir, who’s a Senior Staff Researcher at Intel Labs, about advances in detecting deep fakes. Ilke is actually one of the creators of a tool designed to pick out the real from the fake in video—now called Deep Fake Detection as a Service using Fake Catcher. We reference it simply as Fake Catcher during this conversation.
Ilke Demir 09:52
Researchers first introduced methods that are looking at artifacts of fakery in a blind way. So the idea is if we train a powerful network on enough data of fakes and reals, it will at some point learn to distinguish between fakes and reals, because there are boundary artifacts, symmetry artifacts, et cetera. Well, that is a way, of course, and it’s working for some cases, but mostly those detectors are very open to adversarial attacks, they have a tendency to overfit to the datasets that they are generated on, and they’re not really open for domain transfer or for generalization.
We twisted that question. Instead of asking what are the artifacts of fakery, or what is wrong with the video, we ask what is unique in humans. Are there any authenticity signatures in humans, as a watermark of being human? Following that line of thought, we have many different detectors that are looking at authenticity signatures.
Fake Catcher is the first one. We are looking at your heart rate, basically. So when your heart pumps blood, it goes to your veins, and the veins change color based on the oxygen they are containing. That color change is of course not visible to us humans. We don’t look at the video and say, “Oh yeah, she’s changing color.” We don’t do that. But computationally it is visible, and those are called photoplethysmography, or PPG, signals. So we take those PPG signals from many places on your face, create PPG maps from their temporal, spectral, and spatial correlations, and then train a neural network on top of the PPG maps to enable deep fake detection.
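A much-simplified sketch of the PPG idea: track the average color of small skin patches over time and stack those traces into a two-dimensional map that a classifier could consume. Fake Catcher’s real pipeline is far more involved; the array shapes and patch grid here are assumptions.

```python
# Toy PPG-map construction: one mean green-channel trace per face patch.
# This is illustrative only and not the actual Fake Catcher pipeline.
import numpy as np

def ppg_map(face_frames: np.ndarray, grid: int = 4) -> np.ndarray:
    """
    face_frames: (T, H, W, 3) uint8 array of an already-cropped, aligned face.
    Returns a (grid*grid, T) array: one mean green-channel trace per patch.
    """
    t, h, w, _ = face_frames.shape
    traces = []
    for i in range(grid):
        for j in range(grid):
            patch = face_frames[:, i*h//grid:(i+1)*h//grid, j*w//grid:(j+1)*w//grid, 1]
            traces.append(patch.reshape(t, -1).mean(axis=1))
    m = np.stack(traces)                         # (patches, T)
    return m - m.mean(axis=1, keepdims=True)     # remove per-patch DC offset

# Example with random frames just to show the expected shapes.
fake_video = np.random.randint(0, 255, size=(64, 128, 128, 3), dtype=np.uint8)
print(ppg_map(fake_video).shape)   # (16, 64)
```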
We also have other approaches, like eye gaze-based detection. Normally, when humans look at a point, our eyes converge on that point; but for deep fakes it’s like googly eyes. Of course it’s not as visible as that, but the gazes are less correlated, et cetera. So we collect the size, area, color, gaze direction, 3D gaze points, all of that information from the eyes and gazes, and train a deep neural network on those gaze signatures to detect whether they’re fake or not.
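And a hypothetical illustration of the gaze-consistency signal: for genuine video, the two eyes’ 3D gaze vectors should roughly converge, while weakly correlated gazes hint at fakery. The feature and the toy data below are invented for this sketch.

```python
# Toy gaze-divergence feature; not the actual detector described in the episode.
import numpy as np

def gaze_divergence(left_gaze: np.ndarray, right_gaze: np.ndarray) -> np.ndarray:
    """Per-frame angle (radians) between unit gaze vectors of shape (T, 3)."""
    l = left_gaze / np.linalg.norm(left_gaze, axis=1, keepdims=True)
    r = right_gaze / np.linalg.norm(right_gaze, axis=1, keepdims=True)
    cos = np.clip((l * r).sum(axis=1), -1.0, 1.0)
    return np.arccos(cos)

# Toy example: well-aligned gazes vs. noisy "googly eye" gazes.
t = 100
aligned = np.tile([0.0, 0.0, 1.0], (t, 1)) + np.random.normal(0, 0.01, (t, 3))
googly = np.random.normal(0, 1.0, (t, 3))
print(gaze_divergence(aligned, aligned + np.random.normal(0, 0.01, (t, 3))).mean())
print(gaze_divergence(aligned, googly).mean())   # noticeably larger on average
```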
Camille Morhardt 11:55
So will there ultimately be some kind of movement toward establishing provenance when videos are made? And by provenance, I mean that the origin can be proved or tested somehow as the true source?
Ilke Demir 12:10
Exactly. You’re just on that point; I was about to say that. So of course there’s detection in the short term, but for the long term there’s media provenance research going on. And media provenance is knowing how a piece of media was created, who created it, why it was created, was it created with consent? Then throughout the life of the media: were there any edits? Who made the edits? Were the edits allowed? All of the life of the media and what happened to it will be stored in that provenance information, and because of that provenance information, we will be able to believe what we see, saying, “Okay, we know the source, we know the edit history, et cetera, so this is a legit piece of media,” whether it is original or synthetic. Because there are so many creative people, like visual artists, like studios, who have been creating synthetic media and synthetic data throughout their lives, we also want to enable that.
Camille Morhardt 13:06
Ilke Demir, Senior Staff Researcher at Intel Labs, talking with me back in January about detecting deep fakes. If you want to hear more of the episodes we highlighted today, you’ll find links to each in the show notes for this episode. And as always, you can find InTechnology podcast on your favorite listening platform or at our website intechnology.intel.com.
In a few weeks we’ll have the last of our 2023 listener favorites episodes for you, and that one will go in-depth on AI topics from this year. Think generative AI, synthetic data, large language models, and more. Don’t miss it!