Improving Trust in Information Barriers through Separate Provisioning of Hardware and Firmware

Year
2024
Author(s)
Jay K. Brotz - Sandia National Laboratories
J. Kyle Polack - Sandia National Laboratories
Peter Marleau - Sandia National Laboratories
Michael Hamel - Sandia National Laboratories
Thomas Weber - Sandia National Laboratories
Aaron Nowack - Sandia National Laboratories
James Davis - Sandia National Laboratories
Rachel Helguero - Sandia National Laboratories
Steven Hammon - Sandia National Laboratories
Abstract

Warhead confirmation measurements have been proposed for verifying compliance with nuclear arms treaties and agreements in cases where the authenticity of an object presented as a nuclear warhead must be confirmed. While a number of techniques show promise for these measurements, a major challenge remains: each party to an agreement must be able to trust the measurement system. The host party needs to demonstrate compliance while protecting sensitive information about its nuclear weapons, which likely includes data from radiation or other measurements on warheads. An information barrier can be designed to protect that sensitive data; however, the inspecting party, which needs high confidence in the measurement result, also needs assurance that the information barrier is functioning as expected and is not allowing a false result to be reported. Expanding on the red-black separation concept created on the Trusted Radiation Identification Project (TRIS) more than 20 years ago, we present a new design concept in the Modular ReProgrammable Information Barrier project, with a system architecture aimed at maximizing inspector confidence while maintaining host requirements for information protection. As in TRIS, the concept includes a red side that processes sensitive measurement data and transfers a non-sensitive result to a black side for communication with the user. In a novel expansion of this concept, the red side hardware is provided by the host party, while the red side programming (firmware) is provided by the inspecting party. In addition, each party provides its own black side, and the system is designed to allow this three-way communication. In this work, the authentication and certification aspects of this design are discussed from the perspective of mitigating host and inspector concerns. These design choices maximize host party trust that sensitive information cannot be communicated to inspectors while maximizing inspector party trust that the system is computing and communicating accurate and complete results.