Provably Safe AI – Steve Omohundro

00:00

okay great uh can everybody hear me is

00:03

that sound

00:05

okay don't know if I I can see

00:08

anybody oh great thank you excellent hi

00:12

my name is Ste mundro and thank you so

00:13

much for uh for coming uh today I'd like

00:16

to talk about provably safe Ai and I'd

00:19

like to go through the slides and then

00:21

we can discuss uh all the concepts

00:23

afterward um so let me start here the

00:26

agenda for today is I'm going to argue

00:29

that first power but unsafe AI is

00:31

already here uh that current AI safety

00:34

approaches are important and valuable

00:36

but they're insufficient to the T

00:38

problems that we face that uh I'm going

00:41

to argue that we need to use

00:42

mathematical proof in the laws of

00:43

physics to get guaranteed safety and

00:46

I'll talk about how you could do

00:48

provable software provable Hardware

00:50

provable Social mechanisms and argue at

00:52

the end that we must choose the path of

00:54

human

00:55

thriving so to start we actually already

00:59

have very powerful well we have very

01:01

powerful um AI in the big Labs but we're

01:05

starting to get very powerful AI in open

01:08

source and a few weeks ago uh meta re uh

01:11

started releasing their llama 3 models

01:14

uh they have an 8 billion parameter a 70

01:16

billion parameter and a 400 billion

01:17

parameter model and uh they apparently

01:20

spent $30 billion on the gpus uh to do

01:23

this the the largest model has a similar

01:25

performance to the very best models from

01:27

the labs from gp4 Turbo Claud three Opus

01:30

Gemini Ultra and in the first week uh

01:33

1.2 million downloads of the system uh

01:37

came um just to sort of get a sense of

01:39

what the impact of this type of model

01:41

and they're not the only ones uh you

01:42

know there's the Falcon model out of Abu

01:45

Dhabi there's the mistol models lots and

01:47

lots of Open Source models are

01:48

progressively getting better and better

01:50

they're not quite as good uh as the very

01:52

best uh models in in the commercial Labs

01:55

but they're getting very close the Llama

01:58

3 8 billion parameter model uh somebody

02:01

got running on a Raspberry Pi 5 which

02:04

you can buy at Amazon right now for $93

02:07

and uh apparently not the Raspberry Pi

02:10

but raspberry pies in general have have

02:12

sold 61 million units so if you just

02:15

think about the impact we're going to

02:17

have pretty powerful AIS running on $100

02:21

uh computers uh and they'll probably be

02:24

hundreds of millions of them so that

02:26

that that's should be in the back of our

02:27

minds as we're thinking about safety uh

02:30

the 70 billion parameter model that

02:32

one's getting you know very serious not

02:34

quite as good as the very best models

02:35

but up you know the best models of a

02:37

year ago or something and this is a

02:39

group that has shown how you can

02:40

fine-tune them for any task any

02:42

specialty on a home video cards so using

02:46

two of the RTX 490 you can have a

02:49

machine which is about

02:50

$7,000 and uh using you know a fine

02:53

tuning method called Kora you can get

02:55

extremely high

02:57

performance the 400

03:00

billion parameter model is the one that

03:02

is maybe even better than a lot of the

03:04

top commercial models and I was really

03:07

nervous about that one going open source

03:09

fortunately the rumor from Jimmy apples

03:11

if you've ever seen him not necessarily

03:13

a reliable source his rumor is that they

03:16

won't be open sourcing that and that he

03:17

says that Dustin moscowitz who does the

03:20

open philanthropy Foundation may have

03:22

been responsible for that so if so thank

03:24

you Dustin and it gives us a little bit

03:26

more breathing

03:27

room so what is the lesson from all

03:30

these open powerful open source models

03:32

uh I would say basically that we can't

03:35

AI safety cannot rely only on alignment

03:37

because uh in addition to the wonderful

03:40

aligned models from the labs there will

03:41

be hundreds of millions of models that

03:44

are not necessarily aligned and anyone

03:46

in any country can cheaply fine-tune an

03:49

open source model to create a

03:51

world-class specialized model for

03:53

anything you can imagine Cyber attack

03:55

impersonation manipulation pathogen

03:57

synthesis and so on so I believe that

04:00

for True safety we need to harden the

04:03

infrastructure the human infrastructure

04:05

so that even in the presence of all of

04:07

these uh potentially unsafe models uh we

04:10

we still Thrive and and everything goes

04:14

well um here's a paper showing that uh

04:18

current llms are

04:19

81.7% more persuasive than humans so

04:22

that's a bit disturbing U that suggests

04:25

people are going to start using llms for

04:27

you know trying to sell things for

04:29

trying try to convince you you know who

04:31

you should vote for other persuasive

04:33

things more Darkly we may get a AI

04:36

manipulation bribery blackmail extortion

04:38

intimidation and so on um and so what's

04:42

the lesson from that uh humans should

04:44

not directly control risky actions

04:46

because then you put them in a position

04:48

of being manipulated by AIS and so we

04:51

need to restructure the way we make

04:53

decisions so that uh this type of

04:56

manipulation can't directly cause

04:58

problems

05:00

um the NSA in in the United States

05:03

released a few years ago something

05:04

called gidra a very powerful reverse

05:06

engineering tool that lets you you know

05:09

take code from any kind of a piece of

05:11

software or hardware and figure out you

05:14

know what its structure is and you can

05:16

help use that to help protect it or you

05:17

can use that to attack it uh and so but

05:20

it's very you know sophisticated tool

05:22

that's hard hard to use well somebody

05:24

very helpfully created this g3o which is

05:28

a large language model model that knows

05:30

all about gidra and you can talk to it

05:32

in English and it'll do it all for you

05:34

and so that type of thing suggests that

05:37

many groups will soon have access to

05:39

nation state level Cyber attack

05:41

capabilities um similarly uh this study

05:45

showed that large language model agents

05:47

can auton autonomously exploit one day

05:50

vulnerabilities so if some system a

05:52

router or your operating system has a

05:55

flaw in it uh and that flaw is published

05:58

like they call those one days zero days

06:00

are the ones that you know haven't been

06:01

published yet uh the llm could read that

06:04

generate the code and attack it and so

06:06

that's uh that's a disturbing

06:08

development there's a huge amount of

06:10

work going on right now in using llms

06:13

both to prevent cyber attacks and also

06:16

to to do cyber attacks this survey paper

06:18

here at the bottom uh surveys 180 papers

06:21

doing that so I think the lesson we

06:23

should get from this is that we should

06:25

expect widely available open- Source AIS

06:28

which can exploit the vulnerabilities of

06:29

every common

06:31

system um this is one of many many

06:34

papers which are taking Frontier Leading

06:36

Edge large language models and turning

06:38

trying to turn them into agents so this

06:40

one is uh an agent for automating the

06:42

design of crisper Gene editing

06:45

experiments and they took several copies

06:47

of uh large language models and they

06:49

hook them up in a certain way and then

06:51

it does reasoning it has goals it you

06:53

know can uh operate every all the big

06:55

labs are working on this and uh as you

06:59

get a system which does something if a

07:01

new large language model comes out you

07:03

can just drop them in and so as language

07:05

models improve agents should improve

07:08

very rapidly and so the lesson I think

07:10

we should take from this is that

07:12

powerful agent models are likely to take

07:14

off very rapidly in the next year or

07:17

two so what are our timelines how long

07:20

you know what's going to happen where's

07:21

it going to go uh open philanthropy has

07:23

been doing a lot of study of uh trying

07:26

to really rigorously estimate timelines

07:29

and take off times and they built this

07:31

wonderful tool at takeoffs speed.com

07:34

which lets you put in various

07:35

assumptions about you know what the

07:37

different costs and so on are and they

07:39

use their model which is based on all

07:41

kinds of historical data and they'll

07:43

show you what the outcome of that is um

07:45

Daniel Koka tahal I don't think I said

07:48

his name right uh used to be at open AI

07:51

he's one of the recent AI safety people

07:54

that resigned and he's kind of famous

07:56

because he resigned in a way where he's

07:59

he

08:00

uh he didn't sign their their

08:01

non-disclosure thing um so very

08:03

concerned about AI safety and he gave a

08:06

talk a few months ago where he used this

08:08

model he put in everything he knows as a

08:10

you know as a safety person at open Ai

08:12

and this is what he came up with and

08:14

it's a little disturbing um for him that

08:18

this line is called the wake-up call

08:19

line where you know there's enough

08:21

happening that people start getting

08:23

concerned uh and that's 2025 in his

08:26

model um this line is when 20 % of the

08:30

world's um uh economic activity can be

08:33

automated by AI systems and for his

08:37

model that's in 2026 and then um this

08:40

line is uh when when 100% of the world's

08:45

uh work can be done can be done by these

08:47

models and for him that's around 2027 so

08:51

you know who knows if he's exactly right

08:53

but uh it's reasonable assumptions and

08:55

we're talking you know two or three

08:57

years before very significant

08:59

uh influence on on the

09:02

world so what do we do about this well

09:04

as this wonderful conference is I'm a

09:06

fantastic interesting talks and

09:08

interesting ideas uh a really nice

09:10

summary I think of the current thinking

09:12

is Dan Hendrick's book introduction to

09:14

AI safety ethics and Society totally

09:16

free at this um this URL and uh the two

09:20

biggest sources of problems are

09:22

malicious humans using AI to do

09:24

malicious things and then AI which

09:27

itself is malicious you know the gold

09:29

driven agents and I think we need to

09:31

worry about both of them my sense is

09:32

that malicious humans are the most

09:34

immediate threat um because you know

09:37

they're already using them for you know

09:39

trying to get more clicks on on Twitter

09:42

and trying to extort people and you know

09:44

all kinds of uh bad bad behaviors uh and

09:47

they list the top existential threats as

09:50

things like biot terrorism nuclear

09:51

weapons lethal autonomous weapons and

09:53

cyber attacks so very good very nice the

09:57

what are the basic methods of preventing

09:59

that and

10:02

um I would say the top five methods that

10:05

that I've been looking at at least are

10:07

alignment trying to make sure these

10:08

models have values which are aligned

10:10

with humans red teaming trying to attack

10:13

the models to force them into doing bad

10:15

things and seeing how easily they can do

10:17

that restricting them to non- agentic AI

10:19

tools limiting system power you know the

10:22

United States has put limits on if you

10:24

if you train a model on more than a

10:26

certain amount of compute flops you've

10:28

got to notify the the government pausing

10:30

or halting AI progress there's you know

10:32

the the pause AI group there are various

10:34

letters that that argue for that I think

10:37

all of these efforts are fantastic

10:38

really important very good unfortunately

10:41

I don't think any of these will solve

10:42

the problem many because of these open

10:45

source models so alignment you know you

10:47

align a corporate model great what about

10:50

all the open source models that various

10:52

groups are are playing with red teeming

10:54

red teaming can show the presence of

10:57

problems it can never show the absence

10:58

of problems

11:00

restricting to non- agentic AI tools

11:02

well I think we've got 100 groups who

11:03

are already not doing that limiting

11:06

system power um that could be that's a

11:08

potentially a good thing except many of

11:11

these models run on you know cheap

11:13

Hardware the Raspberry Pi and so uh

11:16

there's some limits in that pausing and

11:18

halting AI progress I think that's great

11:21

uh the trouble is if you're going to

11:22

pause it you need to do something during

11:24

that pause to make the world make it a

11:27

better situation when you finished

11:28

pausing it's a is that thing so what I'm

11:30

going to talk about hopefully are what

11:32

we can do in that in that kind of a

11:34

pause I would argue that we really need

11:36

to take a security mindset and this book

11:38

by Nancy levenson engineering a safer

11:40

world is a very nice study of that in

11:43

everyday things you know how to make

11:45

sure airplanes don't fall out of the sky

11:48

uh unfortunately we're seeing that more

11:49

and more in the news um basically you

11:52

need to model the system model the harms

11:54

that you're trying to avoid model what

11:56

your adversaries capabilities are and

11:58

then create design that have safety

12:00

guarantees against that

12:02

adversary so a group of us um just a few

12:05

I know a week or two ago wrote this

12:07

paper towards guaranteed safe AI a

12:09

framework for ensuring robust and

12:11

reliable AI systems uh which lays that

12:14

out and uh makes those pieces more

12:16

formal and then takes a bunch of other

12:18

proposals and shows where they lie on

12:20

the spectrum of how strong their

12:23

assumptions are and their guarantees are

12:25

and uh I think it's great I think it

12:27

starts putting everybody under a uh you

12:30

know the same same tent um but against

12:33

the strongest AI adversaries if we're

12:35

really dealing with super intelligent uh

12:38

entities unfortunately I think most of

12:40

those methods won't really provide

12:42

guarantees in that case that there are

12:44

only two things that provide absolute

12:47

constraints on super intelligent

12:49

entities and that's mathematical proof

12:50

and the laws of physics well why is this

12:53

well it's because even the most powerful

12:55

AI can't prove a false statement uh even

12:57

the most powerful AI can't create matter

13:00

out of nothing they can't go faster than

13:01

the speed of light they can't make

13:02

entropy decrease so the basic structure

13:05

of the universe provides tight

13:08

constraints and if we can use those

13:10

constraints for human safety that would

13:13

be a great thing and so that's the

13:15

proposal that Max techmark and I did in

13:18

this paper from a few months ago

13:19

provably Safe Systems the only path to

13:21

controllable AGI and I'll I'll sketch

13:24

some of the the uh ideas there I think

13:27

this is just the bare beginning there

13:29

are many many many uh opportunities for

13:32

expanding this and uh so this is really

13:34

more a call to please start you know

13:37

thinking in this direction and uh

13:39

inventing new new ways of uh doing

13:41

things safely so let me start with

13:44

provable software uh so all of this is

13:46

based on mathematical proof so let me

13:48

just give the what do we need for

13:50

mathematical proof uh we have these

13:52

Universal logical languages which allow

13:55

you to express any precise statement so

13:58

you know these logics came from from

14:00

natural language from human language

14:02

where human language has ways of

14:04

describing things but human language is

14:05

very fuzzy and it has probabilistic

14:07

things and so the logicians have sort of

14:10

extracted the concepts from natural

14:13

language and put them in a form where

14:15

you can make say things which are

14:16

absolutely precise and it turns out

14:18

they've now gotten to the point where

14:19

all of mathematics physics computer

14:21

science engineering economics can all be

14:23

expressed in these languages and that

14:26

any statement which is true in all

14:28

models in one of these these formal

14:30

languag has a proof and proofs are these

14:33

um sort of sequences of statements that

14:36

can be checked and there are small fast

14:39

proof Checkers which can check these

14:40

proofs with absolute reliability and so

14:43

that combination of characteristics I

14:44

think is very very powerful for AI

14:46

safety so here is an example of the kind

14:49

of the simplest way that you might use

14:51

this kind of thing let's say you have an

14:53

untrusted AI somebody trained it you

14:55

don't know who let's say it's running on

14:57

hardware and some place you know in the

14:59

middle of the desert somewhere you don't

15:00

trust them uh you don't know what its

15:02

motivations are you don't know if it

15:04

might have some you know hidden agenda

15:06

all of that can you still use that AI to

15:09

do uh work that's of value to you in a

15:12

way that you can trust it so here is a

15:14

mechanism for doing that first of all

15:16

the human never talks directly with the

15:17

untrusted AI because then the AI could

15:19

manipulate you it could kind Tri kind of

15:21

trick you and all kinds of terrible

15:23

things instead the human poses their

15:25

problem or their software requirement if

15:27

they need software or systems

15:29

requirement if they're trying to build a

15:30

a hardware or a social system they

15:33

express it in this in one of these

15:35

precise languages the precise statement

15:37

is then given to the untrusted AI and

15:40

it's allowed to solve it using any

15:41

technique it wants it can use search it

15:44

can use neural Nets it can use

15:45

reinforcement anything you like uh and

15:48

it can run on untrusted Hardware it can

15:50

actually send jobs off to other

15:51

untrusted AI so terrible horrible from a

15:54

you know alignment perspective but

15:57

nonetheless let's say it succeeds if it

15:59

succeeds it gives you the solution but

16:01

in addition to the solution it also

16:03

gives you a proof that is a solution you

16:06

as a human reive the solution and the

16:08

proof you can now run your proof Checker

16:11

which is a teeny reliable piece of code

16:13

there are you know 300 line python

16:15

programs that check one of these systems

16:17

called metam you if it checks the

16:20

solution then it doesn't matter what the

16:22

source of it was you have an absolute

16:24

guarantee that it meets your

16:25

requirements and so that's an example of

16:27

how to move from from untrusted

16:30

potentially dangerous AIS and yet use

16:32

that to build trusted

16:34

infrastructure so there are five

16:37

important logical systems that are

16:39

underlying a lot of the theorem provs

16:42

today and I'll just briefly say what

16:44

they are there's tons and tons of

16:45

literature on them the simplest one is

16:47

called propositional logic was invented

16:49

in 1847 this is basically given a

16:52

Boolean circuit is there an input that

16:54

produces true as the output and there

16:56

are very powerful they call them it's

16:59

called satisfiability there are sat

17:01

solvers Microsoft has one called Z3

17:03

that's quite good in 1885 that was

17:06

extended by including functions and

17:08

variables and quantifiers and uh that's

17:11

first order logic and first order logic

17:13

can really Express anything that can be

17:15

proven and there are some pretty good

17:17

first order logic provs one called

17:19

vampire prover uh in 1922

17:22

mathematicians uh built a first order

17:25

Theory which could express all of

17:27

mathematics and therefore all of you

17:29

know engineering and and physics and so

17:31

on and that's now called zerof Frankle

17:33

set theory and there is a system called

17:35

metamath which pretty directly

17:37

implements that in 1940 uh type theory

17:42

was sort of a parallel uh set of

17:44

developments to set theory and uh it's

17:46

closer to comput computation and

17:48

programming and so on the software side

17:50

computer scientists often like type

17:51

Theory and so in 1940 Church invented

17:54

something that's now called Simple type

17:56

Theory and Isabel is a their improver

17:59

that's based on that and then in the

18:01

1980s um people wanted a richer

18:04

expressive capability they developed

18:06

dependent type Theory and the two

18:08

hottest systems I would say today are

18:10

Koch and lean Koch is more for the

18:13

computer science lean is more for the

18:15

mathematicians um and they're both based

18:18

on this dependent type Theory all of

18:20

these last three are basically equally

18:22

uh expressive and you can convert any

18:25

any statement in any one of them and any

18:26

proof in any one of them to the others

18:28

so it's more a matter of taste which one

18:31

you want to use AI theorum provs are

18:34

moving ahead very rapidly and the reason

18:37

is I think it's quite anal theorem provs

18:39

are very analogous to game AI so we've

18:42

had huge development in you know playing

18:44

chess playing go playing Atari and uh in

18:47

the case of gaming eyes we know what the

18:49

legal moves are and we know when you've

18:51

won same with a theum prover we know

18:53

what steps you can take in a in a

18:55

theorem uh in a proof that are valid and

18:58

you know when you finished proving it uh

19:01

in the 1990s IBM had deep blue for

19:03

playing chess that basically just you

19:05

searched it just searched they built

19:07

special purpose hardware and they were

19:08

able to beat the human uh world champion

19:11

with that um later Deep Mind developed

19:14

Alpha go where they trained a neural net

19:17

on human PL games of go and then they

19:20

combined that with Monte carler tree

19:23

search and the combination was able to

19:25

beat the world's best uh chess uh go

19:27

player then then they said well let's

19:29

not train it on human games and they

19:31

created Alpha zero and it just played

19:34

itself and it learned from its own

19:36

self-play and was able to beat Alpha go

19:39

they also said well let's let's train it

19:41

on chess and Demis hassabis here is

19:43

famous for having said uh that Alpha

19:45

zero starting from scratch became the

19:48

greatest chess playing entity that's

19:49

ever existed in nine hours so I think

19:53

that's an indicator of how rapidly

19:56

things can move when they're able to

19:58

generate their own training data um

20:00

stockfish is a used to be a search-based

20:03

chess player I think it's open source uh

20:06

and but they Incorporated all the ideas

20:08

of alpha zero and I believe stockfish is

20:10

now the world's best chess player and

20:12

then somebody just recently trained in

20:14

llm on stockfish and they created a

20:17

large language model for playing chess

20:18

that uses no search so I think that

20:21

progression is something that's very

20:22

interesting to keep in mind it looks to

20:24

me like the theorem provs are undergoing

20:26

that the classical theorem provs like

20:29

vampire and Z3 they're all based just on

20:31

search with maybe a little bit of heris

20:33

discs in there uh in 2020 open AI uh

20:36

published about gpf f for formal uh in

20:40

which they uh trained a uh large

20:43

language model on 36,000 meta math

20:45

theorems and they were able to prove 56%

20:48

of the heldout theorems in 2022 meta did

20:51

hypertree Proof search which was an

20:53

alpha zero style Monte Carlo tree search

20:56

Transformer and they uh trained on all

20:58

of uh archive math math papers and they

21:01

were able to prove 82% of meta maath

21:03

theorems uh in the time since then there

21:06

have been a whole bunch of Open Source

21:07

provs lean Dojo Lemma reprover Koch Jim

21:11

and that area is really hot a new paper

21:13

just came out yesterday or day before

21:14

yesterday which looks quite

21:16

interesting um we for security we need

21:19

to use cryptography and the world uses a

21:22

lot of cryptography the the net is based

21:25

on cryptography uh public key

21:27

cryptography lets you exchange

21:29

information unfortunately it is

21:31

vulnerable to uh Quantum Quantum

21:34

Computing and so the world is trying to

21:37

sort of upgrade the public key

21:38

infrastructure for post Quantum

21:40

cryptography but it's not looking so

21:42

good here's an estimate of when Quantum

21:44

Computing will be a problem there

21:47

there's a some somewhat um uh there's

21:50

cryptography based on one-way function

21:52

symmetric cryptography AES Jau and so on

21:55

and that is more resistant against

21:57

Quantum computing but it's still not

21:59

proven correct and then there is

22:01

information theoretic cryptography which

22:03

is not very widely used right now

22:05

because it's slightly more inconvenient

22:07

but it's provably safe and so uh I

22:11

suspect we should at least make the

22:12

foundation of the systems we're building

22:14

based on information theoretic

22:16

cryptography so why what is all this

22:19

proof AI proof what what what value does

22:21

it have there's a big area in computer

22:24

science called formal methods where they

22:26

try and you know check programs and make

22:28

sure that they're uh uh correct they

22:31

check the programs in advance what we're

22:33

go what we're proposing here is that you

22:35

have ai systems which are generating

22:38

programs as a part of the natural

22:39

operation of systems correct this is

22:42

nice you know yeah the program has no

22:44

flaws but humans can do that you know

22:46

you think it through well enough and you

22:48

test it a bunch you can kind of get to a

22:50

pretty high level of correctness if

22:52

you're in a security situation then even

22:54

if you have say 0.1% of the inputs are

22:57

flawed attacker can find those and

23:00

exploit those chip design it's even more

23:03

critical because if you have a flaw on a

23:04

chip you got to you know redo it and

23:07

change it Intel had that problem a few

23:09

years ago and they now use lots of

23:10

formal methods um the other benefit is

23:14

that it's not just correctness and

23:15

security but it gives you a certificate

23:17

which is a social thing that says this

23:20

is is correct and that can be used to uh

23:23

combine multiple independent systems you

23:25

can trust work done by untr trusted

23:29

parties and so it's a very powerful I

23:32

believe we need to extend this to

23:33

hardware and so let me just give some

23:35

examples with some a few lessons about

23:37

today's Hardware somebody has an AI

23:39

system that from the sound of you typing

23:41

on your keyboard it can extract your

23:44

password so that says to me the lesson

23:46

is today's password-based cryptography

23:48

is very vulnerable uh this is somebody

23:50

who took a design for a chip and by

23:52

adding one transistor deeply in the

23:54

middle of it they uh basically make it

23:57

so that an obscure your instruction

23:59

sequence uh adds a little bit of charge

24:02

to a capacitor and if you do that

24:03

instruction sequence enough times it

24:05

charges the capacitor up and it opens up

24:07

a back door to the Chip And so you got

24:10

how do you find that if you somebody

24:12

some employee you know is uh doing

24:15

working on your chip so the lesson for

24:17

me is that both Fabs and Manufacturing

24:19

must be

24:20

secured uh the supply chains that we

24:22

have today all kinds of stories about

24:24

adversaries intercepting Hardware on

24:27

Route and

24:28

making changes to it so the lesson is

24:31

today's Supply chains are insecure

24:33

here's an example of a guy who took a $2

24:36

microcontroller chip little teeny thing

24:38

and stuck it into a Cisco firewall using

24:41

I think they say $200 of tools that's

24:44

the little addition and that opens up a

24:46

back door for this firewall uh that

24:49

probably nobody's going to notice in

24:50

today's world uh unfortunately that's

24:53

been happening in military hardware

24:56

here's a story about uh you know

24:58

counterfeit Cisco gear ending up in a

25:01

hardware that's in combat operations so

25:02

the lesson is today's military hardware

25:04

is insecure row Hammer is an exam very

25:08

important but kind of shocking thing

25:10

that all of our drram memory chips today

25:13

if you access them in a certain way it

25:14

can cause bits to bits to flip and

25:16

people are using that to violate

25:18

security I believe the only way to deal

25:20

with this is using uh mathematical proof

25:25

uh our physical locks uh are really

25:27

terrible there's a great YouTube channel

25:28

called the lockpicking lawyer where

25:30

every episode is uh he gets you know

25:33

locks people send him or all kinds of

25:35

locks and he breaks them he opens them

25:37

in about you know a few seconds

25:38

typically every front door lock of

25:40

almost every home is subject to

25:42

something called a bump key uh many

25:44

safes are vulnerable most cars are

25:46

vulnerable so our our physical security

25:49

infrastructure is pretty much a disaster

25:51

right now uh we're getting lots and this

25:54

seems to be the year of the humanoid

25:55

robot there are about 20 humanoid robot

25:57

companies

25:58

we got all kinds of drones we have drone

26:00

boats submarine drones uh miniature

26:03

drones big drones autonomous land

26:05

vehicles and that's only going forward

26:08

more and more quickly and people are

26:09

figuring out how to use llms to uh

26:11

operate them so how do we use

26:14

mathematical proof for Hardware security

26:16

first of all we need formal physical

26:19

world models we need a formal model of

26:21

the powers of of an adversary we need a

26:24

formal safety specification and then we

26:27

generate a formal system system design

26:29

that is provably safe in that world

26:31

model against that class of adversaries

26:33

and so um typically in different

26:35

engineering disciplines they use models

26:38

they use fairly formal models today

26:41

which are built in kind of a stack so

26:43

like for chip design you have uh the

26:46

design of the chip at the circuit level

26:48

you know this gate you know you have a

26:49

gate here and it goes there then you

26:51

have the physical design which is how is

26:53

that circuit laid out on the chip

26:55

physically and and then below that you

26:57

have the physical properties like what

26:59

are the electromagnetic fields so like

27:01

rammer is a problem that the

27:03

electromagnetic fields on the chip are

27:06

causing bit flips that shouldn't be

27:08

there and so uh you need a model which

27:10

can model that and down at the very

27:13

bottom of all these Stacks is uh the

27:16

basic fundamental laws of physics and

27:18

fortunately we're very lucky to have a

27:20

complete model of the laws of physics uh

27:24

called the standard model of particle

27:25

physics plus general relativity here's

27:27

the equation with everything in it uh

27:30

that is believed to be completely valid

27:32

for energies less than about 10 to the

27:34

11th electron volts and away from black

27:36

holes neutron stars in the early

27:38

Universe where quantum gravity and so on

27:40

might be important Sean Carroll this is

27:42

from Sean Carroll's paper the quantum

27:44

field theory in which the everyday World

27:45

subv he's got lots and lots of books and

27:48

papers very interesting if you're

27:49

interested in this and he argues that um

27:52

the world we live in say around the

27:54

solar system uh this core Theory

27:56

completely describes everything of

27:57

course there may be other particles and

27:59

there may be an underlying reality which

28:01

is different but our everyday experience

28:03

of Life only depends on this core Theory

28:05

and so for safety that's what we can

28:08

rest on and I believe we need to use uh

28:12

these kinds of models these kinds of

28:13

formal models to develop trusted

28:16

components which we can compose into

28:18

more powerful uh systems and so the core

28:21

components and my thinking are trusted

28:24

sensing trusted trusted computation

28:26

trusted memory trusted communication

28:28

trusted Randomness trusted raw materials

28:31

trusted actuators and trusted deletion

28:33

and destruction and by combining these

28:35

in various ways you can get trusted

28:36

tamper sensing trusted provenance of the

28:39

history of some physical object trusted

28:42

3D printers where you can actually make

28:44

things that you're guaranteed about

28:45

their structure trusted manufacturing

28:47

trusted Supply chains trusted networking

28:50

trusted energy encryption hiding energy

28:52

in a way that an adversary can't extract

28:55

it trusted robots uh let me just go

28:58

through a few of these quickly uh how do

29:00

we get a physical material in a known

29:02

State you know we've seen you can insert

29:04

back doors into things you can hide them

29:06

in chips you can do put them all over

29:08

the place what if your raw materials

29:10

have have little Nanobots hidden inside

29:12

them or something like that well

29:13

fortunately from the laws of physics

29:16

turns out we know what the strongest

29:17

chemical bond is something called

29:19

protonated hydrogen dinitrogen I don't

29:21

know what that is uh steel melts at

29:24

1500° tungsten melts at 3,000 de all IAL

29:28

structure is destroyed by 10,000 de so

29:30

if you really really really want to be

29:32

sure just melt whatever it is at a high

29:34

temperature and now you've got something

29:35

in a known State and you can build up

29:37

from that uh similarly for fluids and

29:39

gases you can distill them in different

29:41

ways um to have a device where you're

29:44

sure no one has attacked it know today's

29:47

computers are quite vulnerable and

29:49

somebody could sneak in and uh you know

29:51

read your hard drive or whatever um you

29:54

need something uh you need anti-tamper

29:56

systems and here's an example of one

29:57

which which I think is quite nice you

29:59

incase whatever the thing you're trying

30:01

to protect uh in a a container and you

30:04

have a radio transmitter and a radio

30:06

receiver inside that container and it

30:09

learns the signature whatever is in that

30:11

container and if it that signature

30:13

changes that means something has

30:15

happened there's some kind of a a

30:16

tampering going on and in their

30:18

experiments they can detect a 16 mm

30:21

insertion of a needle with a diameter is

30:23

.1 mm so that's an example of with a

30:26

very simple first order thing you can

30:28

get detect very subtle uh attempts at

30:31

attacks uh Apple has been building this

30:34

apple secure Enclave into all of their

30:36

products Macs MacBooks iPads iPhone

30:39

Apple watch Apple TV homad that has all

30:42

the elements you really need for good

30:44

cryptography it has a truly random uh

30:46

physical random number generator on it

30:49

it has a unique ID which is not you

30:51

can't read off the chip for identity it

30:53

has Hardware encryption has encrypted

30:55

memory and it has some level of tamper

30:58

protection zeroz I think is a critical

31:01

technique it's actually back from the

31:03

1960s which is the idea that if you

31:06

detect tampering you delete your

31:08

cryptographic keys and so that means if

31:10

you got a system with sensitive

31:11

important information in it and an

31:13

attacker tries to attack it you probably

31:16

can't prevent them from blowing it up or

31:17

cutting it open but if you detect any

31:19

tampering you can delete the

31:20

cryptographic keys and so all the

31:22

information in it is useless and the

31:24

adversary can't take over the system and

31:27

so that's a very important uh primitive

31:30

property uh of this and you can do

31:31

similar things for things which take

31:33

physical actions like if you have a

31:35

robot you could have fuses and its

31:37

actuators that get blown in the case of

31:39

a tamper detection or in a biological

31:42

laboratory for example you could have

31:43

acid that gets mixed into the biological

31:46

samples under detecting of of tampering

31:49

so by composing these pieces you can

31:52

build up much more uh interesting and

31:54

complex pieces of Hardware if you

31:56

combine tamper sensing with zeroz you

31:58

get something we call approvable

32:00

contract this is a little module little

32:02

device that can do comp secure

32:04

computation which is guaranteed to be

32:06

the computation you think it is can do

32:09

provably correct cryptography and

32:10

communicate with other approvable

32:12

contracts and if anybody tries to attack

32:14

it or open it it deletes the keys and so

32:18

it's totally secure in that sense out of

32:20

those you can build proably secure

32:22

networks by combining provable contracts

32:24

with information theoretic cryptography

32:26

you can do provable uh provenance you

32:29

can make provable robots that only do

32:31

exactly what you think they're going to

32:33

do that nobody can get in there and and

32:35

take it over you can have provable

32:37

materials you can do provable

32:39

manufacturing and you can build provable

32:41

Supply chains and so using these kinds

32:44

of ideas you can build up an an

32:46

infrastructure human infrastructure

32:48

which is not vulnerable to attack by

32:50

even the most powerful

32:53

agis so uh using once you have that

32:57

Hardware you can use it to do new kinds

32:59

of social mechanisms as well and we're

33:02

just barely beginning to think about

33:03

this area I think there's huge

33:05

opportunity um so here are just a few

33:07

examples of things we do today and what

33:09

the new uh approvable version of it

33:12

might look like so today we have voting

33:14

but voting is insecure people are always

33:16

saying you know people are cheating on

33:18

the ballots and they're counting them

33:19

wrong and so on uh using those provable

33:22

contracts we can have proven aggregation

33:25

of uh individual semantic preferences in

33:28

in a sort of guaranteed way today we

33:30

have surveillance you know surveillance

33:32

cameras and either you have privacy or

33:34

your all your information is available

33:36

to everyone uh in this world of provable

33:39

Hardware you can create controlled

33:41

sensing say cameras which provably do

33:44

not reveal any information about what

33:45

they're looking at unless say they see a

33:47

gun and then they reveal it for that

33:49

would be an example you could do today

33:51

many people are calling for human in the

33:53

loop particularly around autonomous

33:55

weapons and so on the trouble is as we

33:58

talked about humans are vulnerable to

34:00

manipulation threats and bribery and so

34:02

on so I don't think we want humans in

34:04

the loop uh I rather shift it to the

34:06

human creates the loop so humans decide

34:09

what the rules are for operating

34:11

something but you don't want a human in

34:13

the middle of it while things are

34:14

happening I believe uh today we have

34:17

humans running factories but then the

34:19

humans are manipul manipulable uh

34:22

instead we need provable provable robots

34:24

maybe combined with human teleoperation

34:26

then we can have Factory spaces where we

34:28

have absolute guarantees that they're

34:30

doing what they're supposed to be doing

34:32

uh today we have biometric identity um

34:35

we can uh extend that to provable

34:37

contract identity with provenance today

34:40

we have all kinds of social dilemmas and

34:42

molok and you know um we we we've got

34:45

the the um prisoners dilemma using these

34:49

provable contracts you can put joint

34:52

provable constraints over multiple

34:53

agents and so you can guarantee that

34:56

agents work together in the way that

34:58

they would like to and so I think you

35:00

can really transform the nature of

35:02

economic interaction using some of these

35:05

Technologies today we have laws but

35:07

they're only you know partially uh

35:09

enforced uh here we can have meta

35:11

contracts which are provably guaranteed

35:13

to govern uh contracts underneath them

35:16

today economics goes for profit

35:18

maximization often at the expense of

35:21

individuals uh we can design a new sort

35:24

of social benefit maximizing system that

35:26

includes the ex alities of actions today

35:29

we have arms races and uh with this type

35:32

of Technology we could have guaranteed

35:34

joint agreements so I think the

35:35

potential is there for huge benefits uh

35:38

but it certainly needs huge lots of

35:40

flushing out so what happens next if we

35:43

keep on with today's sloppy technology

35:45

and the AIS get better and different

35:47

groups you know have open source

35:48

versions I think we're going to see

35:50

increasing AI powered cyber attacks

35:52

we're going to see disruption of