Semiconductor Engineering’s Ed Sperling has published extracts of a round-table with Rambus’ Helena Handschuh, Microsemi’s Richard Newell, and Galois’ Joseph Kiniry on the impact the open RISC-V instruction set architecture (ISA) can have on security.

“With open source, you have the opportunity to review it and come up with comments, feed it back to the community, and as a group you can advance maybe not faster but better,” explains Handschuh. “You have more hands. Everybody is available to give you constructive comments, and then you can work together to make it better. That means you start from something that is open and published, and then you evolve it together by adding things and creating white papers.

“We will have [security] issues with RISC-V, as well, and it will be hard to change the hardware. But globally we’re better off because we all learn from each other how to make it better, so that the next time around we can improve. Making things open and public always will help, rather than waiting until someone actually finds a problem and then nobody knows how to fix it.”

“I’m very optimistic for the future,” adds Newell. “We dodged some bullets where RISC-V wasn’t susceptible to attacks like Spectre and Meltdown. But that doesn’t mean it isn’t susceptible to some other kinds of timing analysis attacks. There is a broad range. I have great hope we will be able to develop RISC-V chips without timing analysis vulnerabilities in the future. We have work to do. It will take a few years. But I’m pretty confident we’re going to get there. We’re going to be able to create much more secure chips in the future.”

“The big challenge I see is one of resources,” concludes Kiniry. “We need the right set of expertise. We have working groups set up, with the core set of actors and the right set of expertise in people who have been given the time by their companies to contribute. But we need more people and resources from companies willing to give people a day a week, and we need more resources from government to help out with this.”

The full security-focused extract can be found on Semiconductor Engineering now.