Nine years ago, a U.S. Navy EP-3 reconnaissance aircraft made an unauthorized emergency landing at a Chinese air base on Hainan Island in the People's Republic of China. The stricken electronics intelligence aircraft landed in China after a mid-air collision with a Chinese J-8II jet fighter caused severe damage to the EP-3. While reasons for the incident are in dispute, the so-called "Hainan Island Incident" was perhaps the defining event that brought electronic anti-tamper technology to the forefront of military avionics and electronics planning and development.
The EP-3 is an electronic intelligence (ELINT) aircraft designed to monitor electronic signals from radio communications, cell phones, radar, and other electronic emissions. Like all the rest in the nation's EP-3 fleet, the one involved in the Hainan Island Incident had sensitive information and technology aboard. Despite the crew's attempts to destroy flight computers, tactical computers, hard disk drives, and other important equipment before landing on Hainan Island, it is believed that at least some sensitive and/or secret military information fell into the hands of the Chinese government as a result of the emergency landing.
Since that time nearly a decade ago, U.S. military officials have vowed to make it as difficult as possible for foreign nations to obtain sensitive U.S. information and technology resulting from a similar incident ever again. They are doing this with so-called "anti-tamper" technology, which seeks to slow or prevent the unauthorized reverse engineering of U.S. electronic equipment, computers, software and other critical technologies that give the U.S. and its allies a military advantage.
Hainan Island Incident
It was the morning of April 1, 2001, as the U.S. EP-3 Aries four-engine turboprop reconnaissance aircraft from U.S. Navy Fleet Air Reconnaissance Squadron One, which was based at Kadena Air Base on Okinawa, Japan, neared the end of a six-hour ELINT mission about 70 miles away from Hainan Island, China. Just after 9 a.m. local time, two Chinese J-8 jet fighters from Lingshui air field on Hainan approached the Navy reconnaissance plane.
China says the Navy plane was violating Chinese air space, while U.S. officials say they were operating in international air space. At any rate, one of the Chinese fighters made two close passes beside the slower and less-maneuverable Navy EP-3, and started a third close pass when the fighter collided with the reconnaissance aircraft, causing the fighter to break apart and crash, and the Navy EP-3 to drop into a steep dive before its pilot regained control of the aircraft.
Although the EP-3's pilot managed to re-establish level flight, the aircraft sustained serious damage to one of its four propellers, left aileron, and nose-mounted radome, which was ripped completely off the aircraft during the collision.
The EP-3 pilot had a tough choice to make: he could order the crew to bail out of the airplane, ditch the damaged aircraft in the sea far from home, or take a chance at landing at the nearest air field, which was Lingshui on Hainan. The Navy pilot, Lt. Shane Osborn, decided to make for Lingshui, but ordered his crew to destroy as much of the airplane's sensitive equipment as possible en-route.
Crew members of the EP-3 reportedly tried to smash computer gear and hard drives with hammers, and even tried pouring coffee into disk drives and computers in attempts to destroy them to keep sensitive information out of Chinese hands. Chinese authorities never granted the Navy plane permission to land at Hainan, which also is the location of a Chinese ballistic missile submarine base. When the stricken plane touched down on the Lingshui runway, it was met by armed Chinese soldiers, who took the plane, the crew, and the onboard equipment into custody.
The crew of the Navy plane was held in China for 10 days. Their aircraft and equipment were dismantled, stripped, closely examined, and ultimately returned to the Navy crated in pieces. Despite the best efforts of the EP-3 crew, Navy officials believe the Chinese were able to gain valuable intelligence data from their examination of the aircraft and its equipment; evidently stronger measures than hammers and hot coffee would be necessary to keep critical information out of the wrong hands.
Within months of the Hainan Incident, some of the first anti-tamper policy memos started circulating in the U.S. Department of Defense (DOD), and by the next year "it was really starting to pick up," says Jeff Hughes, division chief for the ATSVI Technology Office at Wright-Patterson Air Force Base in Dayton, Ohio. ATSVI originally stood for Anti-Tamper Software Protection Initiative, yet today the office's mission has expanded to encompass hardware as well as software. The ATSVI Technology Office Website is at www.at.dod.mil.
The ATSVI office, which was stood up in 2003, is the DOD's primary technology-development arm for anti-tamper efforts. The ATSVI office is in place to support the DOD's anti-tamper executive agent, which is the U.S. Air Force, Hughes says. The DOD's principal focal point for anti-tamper efforts is the assistant secretary of the Air Force for acquisition.
It is the ATSVI's job to work with the U.S. military services, with the defense industry, and with academia to develop technology and capability that enables anti-tamper across the DOD -- that is, to prevent, slow, or otherwise discourage the proliferation of U.S.-developed military technologies among terrorists and potential U.S. national adversaries.
"The over-arching issue is we want to enhance our U.S. and coalition capability by making additional exports of defense technology, and extend the life of coalition warfighting activities," Hughes says. "Sensitive technologies in our weapon systems are called 'critical technology,' or 'critical program information,' and are contained in software and hardware. Anti-tamper is a systems-engineering approach to blending the best possible security and technical controls on critical technologies."
The core of U.S. military anti-tamper policy is contained in DOD Instruction 5200.39, entitled "Critical Program Information Protection within the Department of Defense." The latest iteration of DOD Instruction 5200.39 came out in mid-2008, and lays out policy that anti-tamper hardware and software to protect critical military information must be designed into new defense systems and systems upgrades from the beginning.
Critical program information -- often referred to as CPI -- must be identified early in the technology development, acquisition, and sustainment process, refined at each major stage of development, and tangible steps taken to protect any data or technology that gives the U.S. a military advantage over its adversaries.
"We are in wars, and we lose things in battle," Hughes explains. "We sell things to friends, who sometimes lose things in battle. Our international partnerships are such that you want to know what's been sold and what capability is out there. Our anti-tamper efforts are to help slow technology proliferation, and to prevent or slow technology alteration."
Anti-tamper technology can involve friends as well as adversaries. The U.S. sells much sophisticated military technology each year to allies around the world. While U.S. leaders want this technology in the hands of the nation's friends, they do not want U.S.-developed technology altered or improved in any way they don't know or understand.
"The government wants to know and track exactly what they have sold and given away, and what they haven't," says Tim Teitelbaum, chief executive officer of anti-tamper software specialist GrammaTech Inc. in Ithaca, N.Y. "We want to know exactly what are the capabilities that we are selling." Part of the anti-tamper game is preventing allies from using U.S.-developed military technology in unauthorized ways. Trap doors or other hidden code, for example, can be inserted into U.S. technology sold overseas to prevent its use in case of a hostile regime change. U.S. officials do not want those trap doors deactivated.
Due to its sensitive nature, details of anti-tamper technologies largely are classified secret so as not to give away how to keep the secrets. Generally anti-tamper approaches are designed to keep potential adversaries guessing. "Do you want to have one uniform approach -- is there one right answer -- or do you want to have different approaches for each system," Hughes asks. "It really depends on the trade space you are working in. Both types of solutions exist, and both have a role."
A determined adversary bent on reverse engineering captured technology eventually will find the key for access, most anti-tamper experts believe. Essentially anti-tamper is a cat-and-mouse game where both sides learn from the other's mistakes. For this reason, anti-tamper approaches often are continually changing -- in the system's original design, as well as in its periodic upgrades.
"If you look at anti-tamper, the fact that a weapon system uses anti-tamper is not classified, but the kind of anti-tamper is classified," explains Dan Tarantine, executive vice president of White Electronic Designs in Phoenix, which is in the process of being acquired by Microsemi. White Electronic Designs specializes in anti-tamper technology for smart munitions guidance.
"We will see a continual evolution of the technology and the lessons learned," Hughes says. "We are not a completely new initiative, but we are still in the formative stages where we bring together and educate a larger and larger number of people. In the life of DOD acquisition, anti-tamper is a fairly new initiative; it's still a work in progress."
Anti-tamper technology can be applied to software as well as hardware -- and sometimes the best anti-tamper approaches involve both. "There is a whole procedure in how you identify the critical things that must be protected, and it is across the board," explains GrammaTech's Teitelbaum. "What are the key algorithms, and other parts, that give us a key advantage -- and the parts that we don't want monkeyed with? It's a very, very hard problem."
GrammaTech software engineers are experts in the manipulation of software source code and binary code to enable reverse engineering as well as to prevent reverse engineering. "Some of our solutions involve looking at the source code and recompiling, while other solutions add protection to that," Teitelbaum says.
Some software approaches to anti-tamper involve relatively simple binary code rewriting, which works much like a software patch. "The binary code remains pretty much unchanged -- except for that patch," Teitelbaum says. "One alteration you might do is to cut out parts of the code from the CPU program executable, put them in an FPGA, and modify the code so it interacts with that FPGA."
In this way, systems engineers can isolate certain crucial parts of the code from the main program software. "In a network attack, the attacker might not even know the FPGA is there," Teitelbaum explains. Another software approach to anti-tamper is software obfuscation -- making the code hard to understand. Still, ultimately the program has to run -- and it has to run unscrambled.
Even though pure software-obfuscation approaches are limited, they still have a role in anti-tamper because obfuscation "slows people down a little bit," Teitelbaum says. "There is really no perfect solution here, but we have to consider how long would it take for people to crack it."
More elegant software anti-tamper approaches involve a technique called "melt, stir, refreeze," which involves a radical alteration of software code. "Melt is to reverse engineer the executable," Teitelbaum explains.
"We think of an executable as an ice cube; everything is locked in there," he says. "We can reverse engineer it into a representation that is like a fluid. The stir is the modifications; once you have the thawed representation you can do the stir any way you want, and then refreeze it into another executable. If the stirring involves excising critical pieces of the software, then you have removed from the software the things you don't want the attackers to see. You need to put those components somewhere else. At least if you felt the critical algorithm in the CPU program was risky, then pulling it out eliminates that risk. You put the risky part elsewhere where it is harder to crack, or you double the cost of reverse engineering."
Another anti-tamper approach to software involves using an interpreter, an approach similar to the way Java runs byte code on a virtual machine rather than as native machine code. "This involves replacing the machine code with an interpreter and byte codes," Teitelbaum says. "Pervasive rewriting could enable you to use interpreter code; you could excise the code from the machine instructions and put it in byte codes."
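The three software techniques described above (excising a critical routine from the native executable, rewriting it elsewhere, and running it through a custom interpreter on byte codes) share one mechanism, shown here as an added example. This is not GrammaTech's code or any real product's instruction set: the "critical algorithm" is a made-up four-round mixing function, and the opcode byte values are arbitrary constants that a real build would re-draw per binary. The native function is kept only so the two paths can be compared; in a protected build its body would be removed and only the interpreter and the byte codes would ship.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the critical routine to be hidden (constant is arbitrary). */
uint32_t native_mix(uint32_t key, uint32_t data)
{
    uint32_t x = data;
    for (int i = 0; i < 4; i++) {
        x ^= key;
        x = (x << 7) | (x >> 25);
        x += 0x9E3779B9u;
    }
    return x;
}

/* Per-build opcode encoding (hypothetical values). A decoder written for one
 * binary's encoding tells an attacker nothing about the next build's. */
#define OP_ARG0 0x3C  /* push argument 0 */
#define OP_ARG1 0x91  /* push argument 1 */
#define OP_XOR  0x57  /* pop b, pop a, push a ^ b */
#define OP_ROTL 0xA2  /* operand byte n: rotate top of stack left by n */
#define OP_ADDI 0x0E  /* 4-byte little-endian operand: add it to top of stack */
#define OP_RET  0xF0  /* pop and return */
#define VM_STACK 8

/* Run a byte-code program. Returns 0 with *out set on OP_RET; -1 on any
 * malformed program (unknown opcode, stack misuse, truncated operand). */
int vm_run(const uint8_t *code, size_t len, uint32_t arg0, uint32_t arg1, uint32_t *out)
{
    uint32_t st[VM_STACK];
    size_t sp = 0, pc = 0;

    while (pc < len) {
        uint8_t op = code[pc++];
        switch (op) {
        case OP_ARG0:
        case OP_ARG1:
            if (sp >= VM_STACK) return -1;
            st[sp++] = (op == OP_ARG0) ? arg0 : arg1;
            break;
        case OP_XOR:
            if (sp < 2) return -1;
            st[sp - 2] ^= st[sp - 1];
            sp--;
            break;
        case OP_ROTL: {
            if (sp < 1 || pc >= len) return -1;
            unsigned n = code[pc++] & 31;
            uint32_t x = st[sp - 1];
            st[sp - 1] = n ? (x << n) | (x >> (32 - n)) : x;
            break;
        }
        case OP_ADDI: {
            if (sp < 1 || pc + 4 > len) return -1;
            uint32_t imm = (uint32_t)code[pc] | (uint32_t)code[pc + 1] << 8
                         | (uint32_t)code[pc + 2] << 16 | (uint32_t)code[pc + 3] << 24;
            pc += 4;
            st[sp - 1] += imm;
            break;
        }
        case OP_RET:
            if (sp < 1) return -1;
            *out = st[sp - 1];
            return 0;
        default:
            return -1;  /* unknown opcode: fail closed rather than guess */
        }
    }
    return -1;  /* ran off the end without OP_RET */
}

/* The excised routine as byte codes; the loop is unrolled into four rounds. */
#define ROUND OP_ARG0, OP_XOR, OP_ROTL, 7, OP_ADDI, 0xB9, 0x79, 0x37, 0x9E
static const uint8_t mix_bytecode[] = { OP_ARG1, ROUND, ROUND, ROUND, ROUND, OP_RET };

/* Drop-in replacement called from the rewritten binary. */
int virtualized_mix(uint32_t key, uint32_t data, uint32_t *out)
{
    return vm_run(mix_bytecode, sizeof mix_bytecode, key, data, out);
}

/* Build-time self-check: native and virtualized paths agree. Returns 1 on success. */
int vm_outputs_match(void)
{
    const uint32_t keys[]  = { 0u, 0x01234567u, 0xFFFFFFFFu, 0xDEADBEEFu };
    const uint32_t datas[] = { 0u, 0x89ABCDEFu, 0x80000000u, 1u };
    for (size_t i = 0; i < 4; i++) {
        uint32_t out;
        if (virtualized_mix(keys[i], datas[i], &out) != 0) return 0;
        if (out != native_mix(keys[i], datas[i])) return 0;
    }
    return 1;
}

/* The interpreter refuses malformed programs instead of reading out of bounds. */
int vm_rejects_malformed(void)
{
    static const uint8_t truncated[] = { OP_ARG1, OP_ADDI, 0xB9 }; /* immediate cut short */
    static const uint8_t underflow[] = { OP_XOR, OP_RET };         /* XOR on empty stack */
    static const uint8_t no_ret[]    = { OP_ARG1 };                /* never returns */
    uint32_t out;
    return vm_run(truncated, sizeof truncated, 1, 2, &out) == -1
        && vm_run(underflow, sizeof underflow, 1, 2, &out) == -1
        && vm_run(no_ret, sizeof no_ret, 1, 2, &out) == -1;
}

int main(void)
{
    uint32_t out = 0;
    virtualized_mix(0x01234567u, 0x89ABCDEFu, &out);
    printf("native=%08x virtualized=%08x match=%d\n",
           native_mix(0x01234567u, 0x89ABCDEFu), out, vm_outputs_match());
    return 0;
}
```

Two design points matter in practice. The interpreter checks every stack and operand access, because a rewritten binary that can be fed crafted byte codes must not turn the protection into a memory-safety bug. And, as Teitelbaum says, this only raises the cost: the interpreter and the byte codes still ship, so an attacker who reverse engineers the dispatch loop recovers the program. The gain is that the work must be redone for every build that uses a different encoding, and the byte codes for the genuinely critical pieces can be kept off the CPU entirely, in an FPGA or other separate component.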
Once anti-tamper experts have an approach that works well, they must take care to keep it secret, Teitelbaum warns. "If you have a great solution, maybe you don't want to use it in every system, and just save it for the crown jewels. An environment for doing many different things is advantageous," he says. "This is an arms race; every offense has its defense."
Anti-tamper approaches that involve hardware can range from placing crucial software code in FPGAs to physically destroying crucial components through explosions or large jolts of electricity. "What we will do is destroy the microcircuit before they get to the algorithms" says Tarantine of White Electronic Designs.
"It can be a physical destruct with protective coating; it can be a serpentine mesh where they actually break the current going to the mesh; it could be a diode that triggers on X-ray, so X-raying the device causes an event to happen. I can have a diode that will count the radiation and once it reaches a certain level may use a pyrotechnic event to blow the chip up."
White Electronic Designs specializes in circuitry that provides GPS-based smart munitions guidance to mortar rounds and other battlefield munitions. Anti-tamper is particularly important in this line of business. "In these guided munitions, we launch them, they communicate with satellites, and if they are in the range of the GPS coordinates to the target, they charge a capacitor and the munition detonates," Tarantine explains.
"If the munition is outside of the GPS targeting coordinates, however, we don't want it to explode because it can cause collateral damage. The bad guy wants to get the munition, take it apart, and try to get to the encrypted algorithms."
Anti-tamper technology is not for the casual practitioner, Tarantine warns. "There really are only a few of us in the world that do what we do," he says. "The barrier for entry for this is quite high. You need a secure facility, and a communications security account through the NAS, you need a bunch of cleared employees, and you need to build the equipment and write the software yourself."
Some suppliers of military electronics equipment do not actually supply the anti-tamper technology, but they design their components to facilitate the insertion of anti-tamper means at a later time. "We provide an FPGA that enables them to implement their own strategy for anti-tamper -- our customers who are providing a systems solution," says Aaron Lindner, engineering manager for embedded computing specialist Extreme Engineering Solutions (X-ES) in Middleton, Wis.
"There is also voltage monitoring that we provide that enables the customer to react to any tampering," Lindner says. "How the FPGA reacts to its external interfaces that leave the card is controlled by the FPGA. Any problems they detect, such as attempting to decrypt, they can prevent those interfaces from leaving the card. We have anything that is not on volatile memory traverse through the FPGA so our customers can write their own code before it goes to the CPU."
Anti-tamper and COTS
Much anti-tamper technology that exists today is custom-developed, and one challenge of this arena is to blend anti-tamper capability with commercial off-the-shelf (COTS) hardware and software. One company at the forefront of COTS and anti-tamper is Curtiss-Wright Controls Embedded Computing in Leesburg, Va.
"We are bringing anti-tamper enabling technologies into our products and into the COTS market for our customers to leverage the COTS proposition to save them time and money," says Joey Sevin, business development manager at Curtiss-Wright. "We sell directly to the prime contractors, and we believe we are helping them save time and money by using COTS technology."
The Curtiss-Wright Trusted COTS initiative has three components that involve anti-tamper technology: protecting critical technologies; protecting critical data; and trusted processes to protect against counterfeit parts, Sevin says. Protecting against counterfeit parts can be particularly important in anti-tamper because these parts can contain hidden software or access points to enable an adversary to compromise them at critical times.
One point that Curtiss-Wright emphasizes is raising the importance of anti-tamper early in the systems-design process. "In the anti-tamper world, when people have to add something to a system later on after development, that can be costly," Sevin says. "We are advocating -- and DOD is as well -- to get protection plans in early in the design process. We are inviting our customers to get involved early, and to get to the table the enabling technologies we have, as well as our partnerships, to minimize costs and meet schedules."
The importance of anti-tamper technology in aerospace and defense systems cannot be taken lightly, Sevin says. "It is a problem that has to be resolved," he says. "Everyone is putting a lot of effort into this problem, and to get involved early in the process. It is happening, and people are finding solutions. The whole industry is stepping forward."