We started working with Tortuga Logic two years ago, beginning with a CEO interview, so it is time to do an update. The venerable Dr. Bernard Murphy did the first interview with Jason, which is absolutely worth reading again.
Security is also one of the vertical markets we track, which has been trending up for the last two years. Looking at the analytics, Tortuga Logic has had a great couple of years as well, but first let’s start with Jason’s official biography from the Tortuga website:
“Dr. Jason Oberg is Chief Executive Officer and co-founder of Tortuga Logic, where he is responsible for overseeing the company’s technology and strategic positioning. Dr. Oberg works closely with the Tortuga Logic team to facilitate capital, partnerships and revenue on all products and services. As a leading expert in hardware security, Dr. Oberg brings years of intellectual property and unique technologies to the company. His work has been cited over 700 times and he holds six issued and pending patents. He received his B.S. in Computer Engineering from UC Santa Barbara and an M.S. and Ph.D. in Computer Science from UC San Diego.”
Where did the company name come from?
The company was formed out of decades of hardware security research at UCSD and UCSB, and we wanted to incorporate something aquatic (because both universities are on the ocean) along with something that represents protection and security. Tortuga (Spanish for turtle) was the conclusion because they live in the ocean and have a secure shell (you can see this on our logo). We of course chose Logic because we work closely with hardware. Hence Tortuga Logic was born.
Tortuga Logic is at a unique intersection of cybersecurity and hardware design. What security weaknesses is your company addressing?
Tortuga Logic is focused on identifying digital issues in modern ASICs, SoCs, and FPGAs that are either weaknesses in the logical design itself or the system firmware executing on the system. In general, the types of weaknesses we cover make up the majority (80%) of the existing hardware Common Weakness Enumerations (CWEs) list as maintained by MITRE.
What markets have the most at stake from a hardware security vulnerability?
Security is all about risk reduction, so the markets that have the most at stake financially are the ones that are the most sensitive to preventing hardware security vulnerabilities. From a semiconductor market perspective, a hardware vulnerability influences the security of the entire end system, so you must think vertically about the impact of hardware vulnerabilities.
That said, we see IIoT, Automotive, and Datacenters as being among the markets at the highest risk from a hardware vulnerability. These markets have felt the pain of recent hardware vulnerabilities in Bluetooth Low Energy IoT devices, microarchitectural side channels in large application processors, and decentralized platform security in the datacenter, to name a few. Aerospace/Defense is also a very important and sensitive market to hardware vulnerabilities, with the lowest tolerance for risk. Much of our technology has been DoD funded, so there is a keen interest there.
What is driving the increase in hardware security vulnerabilities?
We really see 3 key factors contributing to this: 1) Modern SoCs are becoming increasingly more complex hardware/software systems, 2) There’s been a surge of awareness around the ability to break into entire systems by finding hardware vulnerabilities, 3) Root of Trust initiatives, while extremely important and fundamental to building a secure system, are filled with mistakes primarily due to item (1).
Interestingly enough, as more focus is put into building security features deeper into hardware, the more attackers are focused on breaking them. They know if they can break the hardware barrier, they can then break into the system. Unfortunately, this is getting easier to accomplish given semiconductor devices are becoming so complex in both gate count and firmware.
How does one place value on a security product? Is it not like insurance?
Insurance really isn’t the right word, because security companies are not paying out claims after a vulnerability is found. That said, it is about financial risk reduction and being able to effectively measure the investments made against the reduced risk. Doing nothing puts you at the highest risk. If the cost of a vulnerability is extremely low, then doing nothing is probably fine because the financial risk is very low. However, the vast majority of markets the semiconductor market serves do have very high risk, and thus investments in security do show measurable reduction in that risk.
Are there industry initiatives driving hardware security and how do you see them playing out over the next couple of years?
There are some very important initiatives that have recently started, and I highlighted one of them at the beginning of the interview. Specifically, MITRE in late February announced a taxonomy of common hardware weaknesses. The Common Weakness Enumerations (CWEs) have been used extensively by the software community to effectively classify the most impactful software weaknesses.
This new release 4.0, driven initially by Intel and MITRE with contributions from our security team at Tortuga Logic, allows for effectively capturing the most impactful hardware weaknesses. This is an important initiative because it will allow the industry to more transparently state what are the highest impact hardware weaknesses and suggested mitigations. This will allow everyone to build more secure systems and provide more transparent techniques for measuring effectiveness.
About Tortuga Logic
Founded in 2014, Tortuga Logic is a cybersecurity company that provides industry-leading solutions to address security vulnerabilities overlooked in today’s systems. Tortuga Logic’s innovative hardware security verification solutions, Radix™, enable System-on-Chip (SoC) and FPGA design and security teams to detect and prevent system-wide exploits that are otherwise undetectable using current methods of security review. To learn more, visit www.tortugalogic.com or contact email@example.com.