Hardware-Enabled Verifiability as a Data Center Security Property

Summary

Onni Aarne advocates for hardware-enabled verifiability as a crucial security goal in future AI data centers, enabling external auditing of operations and safety-relevant properties.

Session Transcript

Hi. Hello everyone. I'm Onni Aarne. As Bell just said, I do compute policy at the Institute for AI Policy and Strategy.
And yeah, the topic today is hardware-enabled verifiability as a data center security property, which is kind of abstract, but for context, as has been discussed in tons of talks today, people are very excited about building lots of data centers now. And many people are also concerned about making sure that those data centers are secure for tons of reasons that have also been discussed at this conference.
But what I would like to argue for is that it would be useful to consider verifiability as one sort of security property that these data centers should maybe ideally have. And so what I mean by verifiability is the ability for the center operator or user to make verifiable claims about the configuration and operation of the data center to third parties.
So to give examples of existing technologies in this vein, platform attestation is something that already exists and allows various devices like CPUs and GPUs and network chips in a data center to verify to third parties that they are, for example, real NVIDIA chips and that they have the latest security updates and so on. And confidential computing is another related technology that builds on that platform attestation to then create a verifiable confidential enclave or trusted execution environment inside of a GPU.
And importantly, confidential computing also allows verification of what code is running inside of that trusted execution environment. And then you can bootstrap other verification on top of that, which I believe actually one of the later talks will discuss. So the proposal is that these technologies, which currently exist in a patchwork, could be extended to cover an entire data center and combined with verifiable physical security, such as tamper-evident security cameras that third parties could access and verifiable access controls to create a data center that is verifiably secure.
And then you could use these attestation capabilities to verify what is actually happening inside of that data center. Ideally, this would be done in a way that is privacy-preserving. So you would be able to make claims, for example, about the general architecture of a model without revealing the weights of the model or maybe all of the code that was used to run it, and so on.
This kind of verifiability would have several commercial benefits which would help motivate it, and already is helping motivate these technologies because it improves customer trust in these systems and allows verification to third parties such as regulators. So labs, for example, could prove that they are actually complying with security requirements moment to moment. And also deployment abroad could be more secure.
But the maybe more interesting benefit from this would be that you could potentially use this for verification at the international level in the future. So there has been some discussion in earlier talks, for example, about the need for international verification. And you could use these kinds of technologies to verify, for example, that a particular model is being deployed with particular safeguards in place to prevent certain kinds of misuse, or maybe prove that a particular model has a particular architecture, such as having human-readable chain-of-thought, which some people think would be a useful property to mandate.
So concretely to actually make this a reality, there is a need for two things. One is R&D to actually develop all of these protocols for attestation and verification and technologies for physical security. But also, very importantly, much of this kind of exists but hasn't been standardized. And it can't be mandated as a policy matter.
And you can't have agreements about it really, if you don't have precise standards that specify what you're talking about. So yeah, if you're interested in helping either make those kinds of standards happen or make the technology itself happen, please come talk to me around here or email me.
I'm onni@iaps.ai. Yeah, thanks.
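The talk describes platform attestation (a device proving what firmware and code it is running) and a third party verifying that claim against what it expects. The following is an added example, not part of the talk and not code from IAPS or any vendor, showing the shape of that exchange end to end: a device replays a measured-boot event log into a PCR-style register, signs the register together with a verifier-supplied nonce, and the verifier checks freshness, authenticity, log integrity and policy. Everything in it is constructed: the device key, the event log, and the allowlist are assumptions, and an HMAC stands in for the asymmetric attestation-key signature a real chip would produce so that the block runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed device attestation key (assumption). A real device holds an
# asymmetric key burned into the chip and certified by the vendor; HMAC is
# used here only as a stand-in so the example runs on the standard library.
DEVICE_KEY = b"constructed-device-attestation-key"

# Constructed verifier policy (assumption): the only boot-chain entries a
# third party is willing to accept, keyed by event type.
ALLOWED_EVENTS = {
    "firmware": {hashlib.sha256(b"gpu-firmware-v3").hexdigest()},
    "kernel": {hashlib.sha256(b"kernel-6.8-hardened").hexdigest()},
    "workload": {hashlib.sha256(b"model-server:safeguards-on").hexdigest()},
}


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extension: new = H(old || H(measurement)). Order matters and
    the register cannot be rolled back, which is what makes the log binding."""
    return hashlib.sha256(register + hashlib.sha256(measurement).digest()).digest()


def measure_boot(event_log):
    """Replay an ordered event log [(event_type, payload_bytes), ...] into a
    single register value, as a measured-boot root of trust would."""
    register = b"\x00" * 32
    for _, payload in event_log:
        register = extend(register, payload)
    return register


def produce_quote(event_log, nonce: bytes) -> dict:
    """Device side: measure the log and sign (register, nonce) with the device key."""
    register = measure_boot(event_log)
    tag = hmac.new(DEVICE_KEY, register + nonce, hashlib.sha256).hexdigest()
    return {
        "event_log": [(t, p.hex()) for t, p in event_log],
        "register": register.hex(),
        "nonce": nonce.hex(),
        "signature": tag,
    }


def verify_quote(quote: dict, expected_nonce: bytes) -> dict:
    """Verifier side. Returns a verdict dict; 'ok' is True only if every check
    passes. Each failed check is named so an auditor can see what went wrong."""
    failures = []
    register = bytes.fromhex(quote["register"])
    nonce = bytes.fromhex(quote["nonce"])

    # 1. Freshness: the quote must answer the challenge we issued, not a replay.
    if not hmac.compare_digest(nonce, expected_nonce):
        failures.append("nonce mismatch (possible replay)")

    # 2. Authenticity: the signature must bind register and nonce to the device key.
    expected_tag = hmac.new(DEVICE_KEY, register + nonce, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, quote["signature"]):
        failures.append("bad signature")

    # 3. Integrity of the log: replaying it must reproduce the signed register.
    event_log = [(t, bytes.fromhex(p)) for t, p in quote["event_log"]]
    if measure_boot(event_log) != register:
        failures.append("event log does not replay to signed register")

    # 4. Policy: every entry must be a known-good value for its event type.
    for event_type, payload in event_log:
        digest = hashlib.sha256(payload).hexdigest()
        if digest not in ALLOWED_EVENTS.get(event_type, set()):
            failures.append(f"{event_type} measurement not in allowlist")

    return {"ok": not failures, "failures": failures}


# Constructed boot chain for a compliant device (assumption).
GOOD_LOG = [
    ("firmware", b"gpu-firmware-v3"),
    ("kernel", b"kernel-6.8-hardened"),
    ("workload", b"model-server:safeguards-on"),
]

if __name__ == "__main__":
    challenge = secrets.token_bytes(16)  # verifier picks a fresh nonce per request
    print(verify_quote(produce_quote(GOOD_LOG, challenge), challenge))
```

The verifier never needs the raw workload payload to make its decision, only its hash and the signed register, which is the hook for the privacy-preserving claims the talk mentions: a policy can be phrased as "the workload hash is one of these approved builds" without the operator revealing the build itself. The nonce check is what turns a static measurement into a live claim about the data center "moment to moment", since a quote recorded yesterday cannot answer today's challenge.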