Professional Documents
Culture Documents
Machine Learning Robotics Security and Privacy: Hardware
Machine Learning Robotics Security and Privacy: Hardware
Machine Learning
Robotics
Security and
Privacy
Evolving Career
Opportunities
Need Your Skills
Explore new options—upload your resume today
STAFF
Editor Publications Portfolio Managers
Cathy Martin Carrie Clark, Kimberly Sperka
Circulation: ComputingEdge (ISSN 2469-7087) is published monthly by the IEEE Computer Society. IEEE Headquarters, Three Park Avenue, 17th
Floor, New York, NY 10016-5997; IEEE Computer Society Publications Office, 10662 Los Vaqueros Circle, Los Alamitos, CA 90720; voice +1 714 821 8380;
fax +1 714 821 4010; IEEE Computer Society Headquarters, 2001 L Street NW, Suite 700, Washington, DC 20036.
Postmaster: Send address changes to ComputingEdge-IEEE Membership Processing Dept., 445 Hoes Lane, Piscataway, NJ 08855. Periodicals Postage
Paid at New York, New York, and at additional mailing offices. Printed in USA.
Editorial: Unless otherwise stated, bylined articles, as well as product and service descriptions, reflect the author’s or firm’s opinion. Inclusion in
ComputingEdge does not necessarily constitute endorsement by the IEEE or the Computer Society. All submissions are subject to editing for style,
clarity, and space.
Reuse Rights and Reprint Permissions: Educational or personal use of this material is permitted without fee, provided such use: 1) is not made for
profit; 2) includes this notice and a full citation to the original work on the first page of the copy; and 3) does not imply IEEE endorsement of any third-
party products or services. Authors and their companies are permitted to post the accepted version of IEEE-copyrighted material on their own Web
servers without permission, provided that the IEEE copyright notice and a full citation to the original work appear on the first screen of the posted copy.
An accepted manuscript is a version which has been revised by the author to incorporate review suggestions, but not the published version with copy-
editing, proofreading, and formatting added by IEEE. For more information, please go to: http://www.ieee.org/publications_standards/publications
/rights/paperversionpolicy.html. Permission to reprint/republish this material for commercial, advertising, or promotional purposes or for creating new
collective works for resale or redistribution must be obtained from IEEE by writing to the IEEE Intellectual Property Rights Office, 445 Hoes Lane,
Piscataway, NJ 08854-4141 or pubs-permissions@ieee.org. Copyright © 2021 IEEE. All rights reserved.
Abstracting and Library Use: Abstracting is permitted with credit to the source. Libraries are permitted to photocopy for private use of patrons,
provided the per-copy fee indicated in the code at the bottom of the first page is paid through the Copyright Clearance Center, 222 Rosewood Drive,
Danvers, MA 01923.
Unsubscribe: If you no longer wish to receive this ComputingEdge mailing, please email IEEE Computer Society Customer Service at help@
computer.org and type “unsubscribe ComputingEdge” in your subject line.
IEEE prohibits discrimination, harassment, and bullying. For more information, visit www.ieee.org/web/aboutus/whatis/policies/p9-26.html.
2469-7087/21 © 2021 IEEE Published by the IEEE Computer Society July 2021 1
JULY 2021 � VOLUME 7 � NUMBER 7
18
Learning From
38
Parallel and
44
Flexibility in
Prototypes Distributed Production Systems
Systems by Exploiting
Cyberphysical
Systems
Hardware
8 Long Tail Hardware: Turning Device Concepts Into Viable
Low Volume Products
STEVE HODGES AND NICHOLAS CHEN
Machine Learning
28 Monolithically Integrated RRAM- and CMOS-Based
In-Memory Computing Optimizations for Efficient
Deep Learning
SHIHUI YIN, YULHWA KIM, XU HAN, HUGH BARNABY, SHIMENG YU,
YANDONG LUO, WANGXIN HE, XIAOYU SUN, JAE-JOON KIM, AND
JAE-SUN SEO
Robotics
40 To Err is Human, to Forgive, AI
PHIL LAPLANTE AND BEN AMABA
Departments
4 Magazine Roundup
7 Editor’s Note: Designing Hardware—from Prototype to Product
58 Conference Calendar
T he IEEE Computer Society’s lineup of 12 peer-reviewed technical magazines covers cutting-edge topics rang-
ing from software design and computer graphics to Internet computing and security, from scientific appli-
cations and machine intelligence to visualization and microchip design. Here are highlights from recent issues.
data repositories: performance, says yes. This article from the Jan-
reliability, cost-effectiveness, col- uary–March 2021 issue of IEEE
Visualizing Logical laboration, reproducibility, cre- Annals of the History of Com-
Correlation in Trace Data ativity, downstream impacts, puting discusses what such arti-
for System Debugging and access and inclusion. These facts can teach us about modern
objectives motivate a set of best companies. IBM is used as a case
This article from the March 2021 practices for cloud-native data study because it is both iconic and
issue of Computer describes a repositories: analysis-ready data, emblematic of large-scale twenti-
mechanism that enables debug cloud-optimized (ARCO) formats, eth-century business. It is a com-
engineers to extract and visual- and loose coupling with data- pany that continues to operate
ize the logical correlation among proximate computing. The Pan- within a highly defined corporate
events and messages in system- geo Project has developed a pro- culture. The authors describe a
level trace data. It enables debug totype implementation of these selection of material objects and
engineers to focus only on trace principles using open-source sci- their role in IBM’s activities. To do
packets that are logically corre- entific Python tools. By providing that, they situate the objects into
lated to the issue under debug. an ARCO data catalog together Edgar Schein’s model of organi-
with on-demand, scalable distrib- zational culture, since his is one
uted computing, Pangeo enables of the most widely accepted con-
users to process big data at rates structs of corporate culture.
Cloud-Native Repositories exceeding 10 GB/s.
for Big Scientific Data
4 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
embodied sectoral trajectory dia- complicated structures to solve
gram design, a visualization design various kinds of problems con-
that incorporates a number of cerning money laundering in the The Xbox Series X
characteristics from Sankey dia- real world. System Architecture
grams, treemaps, and graphs, to
improve the readability and mini- The Xbox Series X console,
mize the negative impact of edge released in November 2020, con-
crossings that are common in tra- HateClassify: A Service tains a system on chip (SoC) cre-
ditional Sankey diagrams. Framework for Hate Speech ated in partnership with AMD. This
Identification on Social Media article from the March/April 2021
issue of IEEE Micro describes the
It is a challenge for existing architecture, including the intel-
An Efficient Solution to machine-learning approaches to ligence for input processing, ren-
Detect Common Topologies in differentiate hateful content from dering game graphics and audio,
Money Launderings Based on content that is merely offensive. managing storage, user services,
Coupling and Connection One reason for this low accuracy and security—all under a tiered
in hate detection is that these operating system.
Every money-laundering case techniques treat hate classifica-
has a unique structure in terms tion as a multiclass problem. In
of transactions. It is not suffi- this article from the January/
cient to detect suspicious behav- February 2021 issue of IEEE Inter- Toward Content-Driven
ior by just following the proba- net Computing, the authors pres- Intelligent Authoring of
bility theory, where usually the ent hate identification on social Mulsemedia Applications
thresholds are given by experts. media as a multilabel problem.
Since the crime of money launder- They propose a CNN-based ser- Synchronization of sensory effects
ing is more prevalent and sophis- vice framework called HateClas- with multimedia content is a non-
ticated nowadays, it will increase sify for labeling social media con- trivial and error-prone task that
the complexity of the detection if tent as hate speech, offensive, or can discourage authoring of mul-
the accounts with personal infor- non-offensive. Results demon- semedia applications. Although
mation are combined with the strate that the multiclass clas- there are authoring tools that per-
form of the transaction topology. sification accuracy for the CNN- form some automatic authoring
Hence, the graph topology analy- based approaches is competitive of sensory effect metadata, the
sis could be used for anti-money with and even higher than cer- analysis techniques that they use
laundering tools. This article from tain state-of-the-art classifiers. are not generally enough to iden-
the January/February 2021 issue The results show that by using tify complex components that
of IEEE Intelligent Systems pro- multilabel classification, instead may be related to sensory effects.
poses eight common topologies of multiclass classification, hate In this article from the January–
based on coupling and connec- speech detection is increased by March 2021 issue of IEEE Multi-
tion from simple to much more up to 20 percent. Media, the authors present a new
www.computer.org/computingedge 5
MAGAZINE ROUNDUP
method that allows for the semi- the same contexts using both a
automatic definition of sensory scripted and in-the-wild study.
effects in an authoring tool. They They then propose positive unla- Influence of Technological
outline a software component to beled context learning (PUCL), Resources on the
be integrated into authoring tools a method to transfer knowledge Development of
that uses content analysis assis- from highly accurate labels of the Mathematical Competence
tance to indicate moments of sen- scripted dataset to the less-accu- in High School
sory effects activation, according rate in-the-wild dataset.
to author preferences. The pro- The use of information and com-
posed method was implemented munication technologies in the
in the STEVE 2.0 authoring tool, process of learning through
and an evaluation was performed A Systems Approach Toward technological resources can be
to assess the precision of the gen- Addressing Anonymous strongly motivating for students.
erated sensory effects in compari- Abuses: Technical and The use of appropriate digital con-
son with human authoring. Policy Considerations tent through simulations and ani-
mations can facilitate the under-
Can we prevent the abuses of standing of complex content. In
anonymous communication net- this article from the March/April
works without affecting their abil- 2021 issue of IT Professional, the
Smartphone Health ity to enhance privacy and evade incidence of the use of techno-
Biomarkers: Positive censorship? The authors of this logical devices by students of the
Unlabeled Learning of In-the- article from the March/April 2021 mathematics subject in Second-
Wild Contexts issue of IEEE Security & Privacy ary Education in Madrid (Spain) is
evaluate approaches for balanc- presented. The sample was of 31
The DARPA-funded Warfighter ing the need for anonymity with students with a low level of com-
Analytics for Smartphone Health- the desire to mitigate anonymous petence in the subject. A quasi-
care (WASH) project is explor- abuses. experimental method of pre-test/
ing passive assessment methods post-test design was used through
using smartphone biomarkers and an experimental group and a con-
context-specific tests. The envi- trol group.
sioned context-specific assess- How Trans-Inclusive
ments require accurate recogni- Are Hackathons?
tion of specific smartphone user
contexts. Existing context data- Hackathons can be fun! However,
sets were either scripted or in for the transgender community
Join the IEEE
the wild. Scripted datasets have and other minorities, hackathons Computer
accurate context labels, but user can have an uncomfortable atmo- Society
behaviors are not realistic. In-the- sphere. In this article from the
computer.org/join
wild datasets have realistic user March/April 2021 issue of IEEE Soft-
behaviors but often have wrong or ware, the authors present a survey
missing labels. The authors of this of 44 LGBTQIA+ people who are
article from the January–March experienced in hackathons and
2021 issue of IEEE Pervasive Com- interviewed seven transgender
puting introduce a novel coinci- participants. The authors intro-
dent data-gathering study design duce five recommendations to
in which data were gathered for make hackathons more inclusive.
Designing Hardware—
from Prototype to Product
2469-7087/21 © 2021 IEEE Published by the IEEE Computer Society July 2021 7
DEPARTMENT: SPECIAL ISSUE SPOTLIGHT This article originally
appeared in
A
t a time when the technology industry is viable product. The challenge of this bottleneck, its
embracing powerful new algorithms and root causes, and the potential benefits of overcoming
cloud computing, continued innovation in it are the subject of this column.
hardware is essential. In addition to the growing stor-
age and computation requirements of data centers INTRODUCING THE LONG TAIL
and edge computers, hardware devices provide the Before examining the challenges of creating a via-
critical gateway through which our systems receive ble interactive or embedded hardware product, it is
input and provide output. Whether it is intentional insightful to understand how to characterize the suc-
user interaction, continuous context sensing, situated cess of different products within a market. A common
information display, environmental monitoring, or approach is to plot a graph of the sales volume of each
industrial control, we are more dependent on inter- different product in that market (on the y-axis) against
active and embedded hardware products than ever. product rank (on the x-axis). This is called a rank fre-
Indeed, as the Internet of Things grows, many predict quency distribution. Zipf's law 1 tells us that this dis-
a dramatic growth in both the number and type of tribution often follows an inverse power law, as illus-
such devices. A key factor in this growth is the ability trated in Figure 1. Such a distribution can be split into
of those working in hardware to develop innovative two parts: the “long tail” to the right represents a large
devices with new forms and functions. number of niche (sometimes called boutique or cus-
Hardware development can be split into two tom) items, each of which is sold in relatively small
phases: first, a period of ideation, prototyping and quantities; whereas the “head” at the left contains
design iteration leads to new device concepts; and just a few very popular items (the blockbusters), each
then fruitful concepts transition beyond the basic of which is sold in large volumes.
prototype. The latter phase typically involves creating Market dynamics—factors like customer demand,
hundreds or thousands of copies of a prototype— availability of supply, pricing, and competition—affect
either preproduction evaluation samples or a fully not only the total quantity of products sold but also
fledged low-volume product. The hardware device the shape of the distribution. In some markets, the
research community and the industry it serves have tail is particularly heavy, meaning that in aggregate it
developed many tools and techniques to aid in the amounts to a lot of units. In other markets, the tail is
ideation, prototyping, and design iteration phase truncated. A good example of a truncated market is
mentioned above. However, based on our first-hand the traditional movie industry. Here, there is a virtu-
experience coupled with the observation of others, ous cycle of positive feedback where established film
we frequently see a bottleneck in the subsequent studios with prearranged global theatre distribution
phase—the transition from a working prototype to a produce blockbusters almost as a matter of course.
This generates large revenues to invest in future
productions that are also likely to be successful—a
Digital Object Identifier 10.1109/MPRV.2019.2947966 process that economists call preferential attach-
Date of current version 21 January 2020 ment. However, at the other end of the spectrum
8 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
SPECIAL ISSUE SPOTLIGHT
www.computer.org/computingedge 9
SPECIAL ISSUE SPOTLIGHT
experience, knowledge, and contacts in order to move provides a second example of the difficulty of moving
more quickly while simultaneously reducing risk. from prototype to product. TriggerTrap's first hard-
It is worth noting that incubators typically pursue ware offering was based on an Arduino prototype
products with high growth potential—things that will and resulted in a successful Kickstarter campaign.
quickly move out of the long tail. Companies who want However, they experienced difficulties sourcing
to avoid the pressure that often follows VC invest- enough of the displays used in their prototype to meet
ment and grow a new business more organically can a production volume of nearly one thousand units.
employ the services of an external design service or The part was no longer available and TriggerTrap had
consultancy in order to access product development to convince the display manufacturer to instigate a
expertise. Companies such as Dragon Innovation and special low-volume production run before they could
PCH International specialize in enabling the prototype fulfil their orders.10 TriggerTrap's second hardware
to production transition for electronic products. product—the Ada—also resulted in success on Kick-
starter, raising £290,000. However, the company was
BUT HARDWARE IS STILL HARD unable to transition from their prototype and failed
The collective benefits of online storefronts, accessi- to deliver any Ada products. Although they brought in
ble and powerful design tools, crowdfunding, incuba- expertise from external consultancies, they still made
tors, consultancies, and next-day delivery networks costly mistakes and the consultancy fees were an
all reduce cost and mitigate risk for those seeking to additional drain on their resources.11
bring a new hardware product to market. But evidence Central Standard Timing and TriggerTrap both
suggests that they are often not enough. The flip-side failed due to difficulties navigating the transition from
of preferential attachment is that nascent devices prototype to product. They leveraged many of the
often face a vicious circle. To be successful they must mechanisms previously described—such as powerful
combine significant utility with compelling user expe- design tools, online storefronts, crowdfunding and
rience, while simultaneously being robust and reli- experienced professional design, and manufacturing
able in operation. Meeting these goals requires a large partners—but nonetheless they still underestimated
design and engineering investment, both for the prod- the cost and complexity of transitioning from a refined
uct itself and for its manufacturing process—and that prototype to a product that could be manufactured in
is hard to justify before a product is successful. As a volumes of hundreds to thousands.
result, there are many instances where new consumer Of course, an experienced team with a track record
hardware products fail. of hardware product development is already well
One example comes from Central Standard Tim- versed in the transition from prototype to product.
ing, a two-person start-up that designed the world's But even then, it is still possible to underestimate the
thinnest watch. Based on a sophisticated working pro- scale of the challenges involved. Our final example
totype, Central Standard Timing had tremendous suc- comes from SenseCam, which started as a wearable
cess on Kickstarter—they raised over a million dollars camera research project12 before being productized by
from backers who paid either $99 or $129 for a watch. In an established device manufacturer. Despite the com-
moving from prototype to product, they chose to part- pany's experience with hardware manufacture, they
ner with one of the world's most experienced electron- ultimately found the vicious circle too difficult to over-
ics manufacturing partners. But ultimately, they were come. The first and second versions of the SenseCam
unable to create a reliable production process—less product (the Revue and Autographer, respectively)
than ten thousand units was a small volume for their successfully sold in modest volumes to researchers,
manufacturer, and ultimately the per-unit cost of the clinicians, and enthusiasts. But as the product design
watch was rumored to be $260.9 As a result, Central evolved on a trajectory toward a compelling and com-
Standard Timing were not able to deliver the product petitively priced consumer product, it became clear
to their backers and ultimately ceased operations. that an investment of tens of millions of dollars was
TriggerTrap, a company that manufactured devices necessary to reach sufficient economies of scale.13
to allow SLR cameras to be triggered externally, This level of investment was ultimately not justified
www.computer.org/computingedge 11
SPECIAL ISSUE SPOTLIGHT
given the risk inherent in a new product category such second, many of these activities are unfamiliar to
as a wearable stills camera, and production ceased. those steeped in the software-side of technology.
The replication challenge does not only apply
THE REPLICATION CHALLENGE to high production volumes—in fact as volumes
We believe that many of the difficulties in creating a increase beyond ten thousand units a year many
new hardware product, as encountered in the exam- well-established manufacturing processes that lever-
ples above, stem from a fundamental challenge. Unlike age economies of scale become viable, so the cost of
digital products which can be replicated in a sim- the above activities is more easily absorbed. Instead,
ple way requiring almost no resource and resulting in replication is particularly challenging at lower volumes.
perfect copies, the process of replicating a physical For consumer products, the difficulties typically start
device is complex and incurs cost, and no-matter how at around one hundred pieces per year when the same
much is spent on manufacturing, the copies are subtly ad-hoc craft production techniques used to make
different. We call this “the replication challenge.” prototypes are no longer sufficient. A compounding
Compared to a smartphone app that can be factor with low volume manufacturing is its natural
released to an audience of millions of people when reliance on batch production, which introduces the
development and feature testing are complete, scal- further challenge of periodically reinstigating the
ing a hardware device from “I have one that works” to entire manufacturing process and supply chain.
“anyone can buy one”—i.e., transitioning from a work- As a result, our sense is that it is increasingly rare
ing prototype to a viable product—is much harder. for low volume consumer devices to be viable in the
Although this difference between software and hard- market. While Zipf's Law predicts a long tail of demand
ware productization is easy to describe, the number for niche hardware, the economics of production con-
and complexity of steps required to take a device to strain the economic viability of such products, and the
production is much harder to comprehend until expe- tail is truncated. As a result, consumer choice is limited
rienced first-hand. Essential activities associated with to a relatively small number of high-volume devices.
the replication challenge8 include: These are typically made by large companies who can
justify the sufficient resource required to bring them
›› finding reliable suppliers for all components and to market and sustain them, and often only when they
materials; amplify or otherwise complement an existing product
›› accommodating component tolerances; line.7 In this environment, the recent successes in the
›› designing and building the necessary tooling; interactive and embedded hardware space include
›› building an efficient and reliable manufacturing the well-known smartwatches and voice assistants
process; from major companies. These have created enough
›› controlling and accommodating manufacturing momentum in the market to transition from vicious
variability; to virtuous positive feedback and generate enough
›› selecting and managing manufacturing revenue to warrant on-going refinement.
partners;
›› instigating and maintaining manufacturing CHARACTERISTICS OF LONG TAIL
quality control; and HARDWARE SUCCESSES
›› adapting to changes in pricing and availability of Of course, there are examples of commercially via-
components and services. ble low volume consumer devices. Armed with a bet-
ter understanding of what is necessary to transform a
These activities are by no means unique to elec- hardware prototype into a low volume product—and
tronic device production—they apply to the produc- some of the pitfalls to look out for—it is interesting to
tion of nearly all physical products. However, they examine some of the characteristics of these success-
are worth highlighting for two reasons: first, many ful products.
of them involve more complexity and cost for elec- Like SenseCam, Circuit Stickers14 started life
tronic devices than for other physical products; and in research and quickly transitioned into a product
through the efforts of Chibitronics, a small self-funded the tooling cost of injection molding with its relatively
start-up. From the outset, Chibitronics understood low production volume.11
the importance of reliable and cost-effective sup- Central Standard Timing did not require injec-
ply and manufacturing, recognizing that the design tion molding for its product but faced a different
complexity of manufacturing tooling can out-weigh challenge. In order to deliver one of the thinnest
that of the product itself.15 They had realistic expecta- electronic devices ever produced, the company
tions of production costs and were able to fulfill their needed to use nonstandard electronics assembly
crowd-funding obligations. techniques. Unlike PCB assembly, which is still cost
Subsequent to this, Chibitronics has successfully effective even when scaled down to low volumes, the
established a small range of niche products that sit direct chip-to-flex process required costly tooling
in the long tail. In doing so, the company has started and introduced nonstandard steps in the manufac-
to turn positive feedback to its advantage: it is now turing process, making it error prone and unreliable.
able to amortize investments creating relation- Relying on leading-edge manufacturing technology
ships with suppliers, manufacturing partners, and in this way is particularly risky for start-ups.13 In con-
distributors, across multiple products. Although no trast, the established and well-understood manu-
individual product is manufactured in huge numbers, facturing process for a standard PCB bare board
the aggregate volume across multiple products is product results in few defects and can be readily
large enough to negotiate better pricing and attract transferred between manufacturers, stimulating
more commitment from component suppliers and healthy competition.
manufacturing partners.
Improving efficiency across multiple products, as UNLOCKING THE LONG TAIL:
compared with the efficiency of manufacturing any A CALL TO ACTION
one in isolation, is termed “economy of scope.” While Based on our analysis of some recent successes and
economies of scale are characterized by volume, failures in taking new hardware concepts to market,
economies of scope are efficiencies formed by variety. we do not believe that turning an idea for a new device
The hardware crowd-funding specialist Crowd Supply into a working prototype is a limiting factor in new
also leverages economies of scope by drawing on a product introduction. Instead, we believe that the bot-
specific set of partners to manufacture many of the tleneck is the transition from a working prototype to a
products in its portfolio. In a similar vein, Crowd Sup- viable product. Therefore, we encourage those work-
ply takes advantage of its partnership with Mouser, a ing in the field of device hardware to join us in tack-
large electronic component distributor, to secure reli- ling this transition. Collectively, we would like to work
able and competitively-priced supply. toward three broad goals.
A characteristic of Crowd Supply's wide range of
successful products is that many take the form of a Improved Teaching Materials
“bare board”—a PCB that has components soldered and Education Programs
to it but comes with no enclosure. This is perfect for We need richer learning materials regarding the pro-
Crowd Supply's target audience of hardware devel- ductization process: new ways to share the knowledge
opers and hobbyists. It also avoids the high up-front that today largely resides in the design consultancies
cost often associated with designing and manufac- and large companies with the first-hand experience of
turing tooling for an enclosure, which can be thou- device manufacture. Fortunately, there are already a
sands, if not tens of thousands, of dollars for each few books that cover the topics raised in this paper;
plastic piece. In contrast, TriggerTrap, which needed we encourage those interested to read “The Hardware
an enclosure because the company was targeting a Hacker” by Andrew ‘bunnie’ Huang,15 “Prototype to
different audience, ran into difficulties transitioning Product: A Practical Guide for Getting to Market” by
from the rapid prototyping used to create its pro- Andrew Cohen8 and “IoT hardware from prototype to
totypes to manufacturing processes suitable for a production” by Richard Marshall, Lawrence Archard,
product. Ultimately, the company could not reconcile and Steve Hodges.16
www.computer.org/computingedge 13
SPECIAL ISSUE SPOTLIGHT
We would like to see these books complemented need to amortize up-front development and tooling
by other learning materials. For example, curated costs across fewer units. Similarly, batch manufactur-
virtual tours of device manufacturing facilities would ing will never be as efficient as continuous production
provide valuable insights to those who cannot visit because of the fixed costs associated with changing
in person. We also encourage universities to provide a production line from one product to the next. How-
more coverage of topics relating to the replication ever, we imagine new tools and processes that make
challenge in undergraduate- and graduate-level level better use of economies of scope by amortizing nonre-
courses and in professional development programs. curring costs across multiple products.
Take the current difficulty of manufacturing
Stronger Communities and Tighter high-quality enclosures in low volumes as a spe-
Integration Between Partners cific example. Perhaps this could be addressed by a
We see an opportunity to extend today's established modular approach that combines a standard library
online communities and professional networks in a of injection-molded parts in a novel way to create a
way that allows newcomers to the device hardware finished enclosure. Alternatively, it may be possible
space to engage with each other and with established for designers of new products to reuse pre-existing
players so that they can more easily form the part- injection-molding tooling, an approach that Seeed
nerships that are vital to the delivery of a successful Studio calls “design from manufacture.” Perhaps the
product. same reuse philosophy could be used to reduce tool-
We imagine that these partnerships will increas- ing costs in PCB manufacturing tests: the custom
ingly span the globe. In the short term, we would like test fixture—or jig—typically required for PCB tests
to streamline access to resources in today's leading could be based on standard hardware and software
electronics manufacturing regions. For example, the components.
geographical proximity of capital equipment, skilled Of course, the ideas above are largely speculative.
and unskilled labor, and raw materials in locations They are included simply to illustrate the potential for
such as Shenzhen provides unrivaled economies of innovative manufacturing solutions to address the
scope. Indeed, much of the Shenzhen ecosystem replication challenges.
naturally lends itself to batch production: there are
thousands of small factories specializing in different OUTLOOK
aspects of manufacturing from injection molding to In this paper, we have argued that the innovations
PCB assembly. that have enabled a long tail of products in several
At the same time, we would like to learn from industries can be leveraged to do the same for hard-
existing electronics hubs so that we can share best ware devices. While we see these established innova-
practices. Exchanges like the annual trip the MIT tions as necessary, in the case of hardware, they are
Media Lab organizes to Shenzhen are one example of insufficient. Devices bring additional complexities in
how this might be done. Improved communication and comparison with products that can be distributed dig-
remote collaboration could also help bridge the cul- itally such as apps, books, and movies. One key differ-
tural, geographical, and language barriers. Eventually, ence is the replication challenge, especially at low vol-
we imagine that additional electronics manufacturing umes where economies of scale do not readily apply.
hubs will emerge around the world. It is certainly possible to be successful with a niche
hardware product, in the same way that niche apps,
New Manufacturing Solutions books, and movies have been possible since the incep-
for Small Batches tion of their respective markets. However, as things
Finally, we believe there is an opportunity to develop stand, low-volume manufacturing is hard and requires
new hardware manufacturing solutions optimized for tough tradeoffs between complexity, refinement, and
low-volume production, for batch sizes of hundreds price. As a result, it is all too easy to fail. We believe
to thousands of units. Of course, manufacturing in that a sustained focus on the replication challenge can
low volumes will always incur a premium due to the reduce this complexity and risk.
Our motivation is simple: we want to change the Jan Kamps, Bolt, San Francisco; Dave Vondle, Cen-
dynamics in the electronic device market to enable a tral Standard Timing, Chicago; Bunnie Huang and
diverse ecosystem of products that do not need to sell Jie Qi, Chibitronics, Singapore; Andrew Seddon, Cir-
in tens or hundreds of thousands of units in order to be cuit Hub, London; Jewel Deng, Coolkit, Shenzhen;
viable. Such cost-effective, low volume, batch manu- Josh Lifton and Darrell Rossman, Crowd Supply, Port-
facturing would benefit many parties across many land; Brooks Vigen, Digikey; Alex Gluhak and Ran
domains. Researchers developing custom devices Katzir, Digital Catapult, London; Gus Issa, GHI Elec-
could deploy them more widely. Start-ups looking to tronics, Detroit; Ji Ke and Mike Reed, Hax, Shen-
grow a sizeable hardware business could get to mar- zhen; Jerry Shi, Itead, Shenzhen; Eric Klein, Lemnos
ket with less risk, giving them headroom for iteration Labs, San Francisco; Liya Du, Microsoft, Shanghai;
in search of product-market fit. Small companies could Anita Rao and Tarun Singh, Microsoft, Redmond; Phil
manage a portfolio of niche, but viable, hardware Eade, Microsoft, Cambridge; Gibson Guo, Zoe He and
products. Large companies could be more agile and Nicolas Schmitt, Microsoft, Shenzhen; MJ Shen, MJ
less conservative, perhaps even trialing innovative Maker, Shenzhen; Zach Fredin, NeuroTinker, Minne-
hardware products to learn first-hand how they fare in apolis; Liam Casey and Alan Cuddihy, PCH Interna-
the market. tional, Shenzhen; Simon Randall, Pimloc, London;
We welcome feedback from the research commu- Fraser Forbes and Jonathan Smith, Premier Farnell,
nity on the ideas presented here and encourage others Leeds; Joey Jiang, Ivy Li, Albert Miao, Eric Pan and
to complement our ideas by considering how their work Shuyang Zhou, Seeed Studio, Shenzhen; Nick Bolton,
might support the growth of long-tail hardware. We Vicon, Oxford. They would also like to thank Oliver
will also continue to engage in dialogue with practitio- Amft, James Devine, Rushil Khurana, Michal Moskal,
ners in the device industry. Ultimately, a focus on long and Nilay Patel for comments on earlier drafts of this
tail hardware can overcome the tyranny of positive column and Albrecht Schmidt for his enthusiasm to
feedback that currently constrains innovation, thus see these ideas come together.
creating a greater variety of viable hardware products
that address markets that are currently underserved, REFERENCES
and meeting the world's growing demand for interac- 1. Wikipedia. “Zipf’s law.” Accessed: Nov. 2019. [Online].
tive and embedded devices. Available: https://en.wikipedia.org/wiki/Zipf%27s_law
2. J. M. Perloff, Microeconomics, 8th ed. London, U.K.:
IN MEMORIAM Pearson, 2018.
This article is dedicated to the memory of Gavin Zhao 3. C. Anderson, The Long Tail: How Endless Choice is
who lost his battle with cancer in August 2019. Gavin Creating Unlimited Demand. New York, USA: Hachette
was a manufacturing engineer at electronics man- Books, 2008, ISBN 978-1401309664.
ufacturing company AQS, where he helped a great 4. N. Villar, J. Scott, S. Hodges, K. Hammil, and C. Miller,
many people navigate the difficulties of low volume “NET Gadgeteer: A platform for custom devices,” in
hardware manufacturing in China. In 2017, he was Proc. Pervasive Comput., 2012, pp. 216–233.
awarded an MIT Media Lab Director's Fellowship in 5. S. Hodges, N. Villar, J. Scott, and A. Schmidt, “A new era
recognition of his work opening the Shenzhen eco- for ubicomp development,” IEEE Pervasive Comput.,
system up to others. Many conversations with Gavin vol. 11, no. 1, pp. 5–9, Jan.-Mar. 2012. doi: 10.1109
helped shape our thinking around long tail hardware. /MPRV.2012.1.
6. J.-Y. Lo, et al., “AutoFritz: Autocomplete for prototyping
ACKNOWLEDGMENTS virtual breadboard circuits,” in Proc. CHI Conf. Hum.
The authors would like to thank the many people who Factors Comput. Syst., 2019, Paper 403. doi: 10.1145
have entertained our questions and ideas about elec- /3290605.3300633.
tronics manufacturing over the years, and ultimately 7. F. Manjoo, The Gadget Apocalypse Is Upon Us. New
informed the ideas presented in this paper. Partic- York Times, New York, NY, USA, Dec. 7 2016. [Online].
ular thanks go to: Gavin Zhao, AQS, Shenzhen; Haje Available: https://www.nytimes.com/2016/12/07
www.computer.org/computingedge 15
SPECIAL ISSUE SPOTLIGHT
/technology/personaltech/the-gadget-apocalypse-is https://medium.com/swlh/do-not-apply-if-you-want
-upon-us.html -an-easy-life-403e77a4a38f
8. A. Cohen, Prototype to Product: A Practical Guide 14. S. Hodges, et al., “Circuit stickers: Peel-and-stick
for Getting to Market. Sebastopol, CA, USA: O’Reilly construction of interactive electronic prototypes,” in
Media, Aug. 2015. Proc. SIGCHI Conf. Hum. Factors Comput. Syst., 2014,
9. S. McGlaun, “CST-01 watch project may be dead”, pp. 1743–1746. doi: 10.1145/2556288.2557150.
SlashGear, Jun. 23 2015. [Online]. Available: https: 15. Andrew “bunnie” Huang, “The Hardware Hacker:
//www.slashgear.com/cst-01-watch-project-may-be Adventures in Making and Breaking Hardware”, 2017.
-dead-23390137/ 16. R. Marshall, L. Archard, and S. Hodges, IoT hardware
10. H. J. Kamps, “Hardware is Hard: Getting a Kickstarter from prototype to production, 2019. [Online]. Available:
project out the door”, Medium Article, Jan. 22, 2015. https://aka.ms/proto-to-product
[Online]. Available: https://medium.com/triggertrap
-playbook/hardware-is-hard-getting-a-kickstarter
-project-shipped-59c9596bdd7f STEVE HODGES is a senior principal researcher at Micro-
11. H. J. Kamps, “How Triggertrap’s $500k Kickstarter soft, where he builds new embedded and interactive systems
campaign crashed and burned”, Medium Article, Mar. 2, and devices. He received a PhD in computer vision and robot-
2015. [Online]. Available: https://medium.com/@Haje ics from Cambridge University. Contact him at: shodges
/how-a-half-million-dollar-kickstarter-project-can @microsoft.com.
-crash-and-burn-5482d7d33ee1
12. S. Hodges, et al., “SenseCam: A retrospective memory NICHOLAS CHEN is a senior program manager at Microsoft,
aid,” UbiComp, 2006, pp. 177–193. where he is building the hardware ecosystem for Azure
13. S. Randall, “Hacking the consumer electronics hard- Sphere. He received his PhD from the University of Maryland
ware start-up,” Medium, Sep. 2018. [Online]. Available: at College Park. Contact him at: nchen@microsoft.com.
GET PUBLISHED
www.computer.org/cfp
C
omputer hardware development often involves hardware, the scope of the demonstration, nor the
a succession of hardware prototypes. These reaction of the audience to the breakthrough concept
prototypes are often discarded once their of the portable computer for personal use. Another
functionality is tested, performance measured, and question that could not be fully answered before the
their faults detected and analyzed. Occasionally, resurfacing of the prototypes was how uncertainty in
functional prototypes are used for a short while the company's decision making impacted its shaping
for demonstration purposes during products' prean- and marketing of personal computing. In this article, I
nouncements or unveiling to attract the attention of describe how the analysis of the MCM/70 prototypes
investors and technology commentators. And this is allowed to answer these questions more fully.
where the life cycle of prototyping typically ends.
Fortunately, some computer prototypes survive EARLY MCM/70 PROTOTYPES
and end up in museums where they are preserved for MCM built several prototypes of the MCM/70 before
research as they may still hide the seeds of the suc- the computer's manufacturing began in mid-1974.
cess or failure of both the final products and the firms All of them have their roots in the Key-Cassette con-
that embarked on constructing them, of technologi- cept developed by the company's co-founder and
cal breakthroughs and paradigm shifts that were yet first president Mers Kutt. A drawing of it can be found
to come. in design notes that Kutt kept from late 1971 until
York University Computer Museum in Toronto has mid-1974 (see Figure 1). The one-page sketch depicted
several prototypes of the MCM/70 microcomputer, a portable computing device with built-in keyboard,
which was possibly the earliest computer mass one-line display, cassette storage, and acoustic cou-
manufactured for personal use. The MCM/70 was pler with built-in modem for communication over
designed by a Toronto-based electronics company phone lines. In addition, the Key-Cassette was to be
Micro Computer Machines (MCM) in the early 1970s. programmed in the APL language. The Key-Cassette
I have written about the MCM/70 before.1 Yet, some concept showed several key aspects of personal com-
key questions concerning the computer's design and puting philosophy that MCM would be developing in
introduction to the market remained unanswered until the coming years—an individual-focused complete
additional prototypes of the computer were acquired computing environment that was easy to learn and
by the museum and analyzed. interact with.
The computer was publicly demonstrated for The first attempt at implementing the core
the first time during the APL V conference held in Key-Cassette features was a single-board computer
Toronto on May 15–18, 1973. Before the arrival of the put together by MCM's chief hardware engineer Jose
prototypes at the museum, little was known about this Laraya in mid-1972. His computer utilized an Intel
historic presentation. Occasional remarks about the SIM8-01 simulation board which the semiconduc-
demo buried in oral histories gathered by the museum tor company offered to electronics engineers for
describe with confidence neither the demonstrated experimentation with its novel microprocessor and
Eprom devices. Although the Sim8-01 architecture
was inadequate to achieve MCM's design objectives,
Digital Object Identifier 10.1109/MAHC.2020.2987408 this first prototype confirmed that building a versatile
Date of current version 29 May 2020. microprocessor-based computer was feasible.2
18 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
ANECDOTES
FIGURE 1. Drawing of the Key-Cassette by M. Kutt (1972). Source: York University Computer Museum.
Not much is known about the next, rack-mounted MCM built the first functional MCM/70 demon-
engineering prototype constructed by Laraya and his strator in early 1973, in time for the computer's public
team soon after the SIM8-01-based prototype was presentation in May during the APL V conference in
declared a dead end. It was sufficiently advanced to be Toronto. The unveiling of the MCM computer at the
demonstrated to shareholders as a proof of concept conference was a landmark event in the history of
on November 11, 1972. personal computing because it showed for the first
At the end of 1972, the main design issue faced by time that a practical, portable, general-purpose com-
the company was an insufficiency of memory: the Intel puter designed for personal use and programmed in
8008 microprocessor at the heart of the computer a high-level language could be economically manu-
could directly address only 16KB of memory while the factured.3 Unfortunately, not much is known about
APL interpreter alone called for much more than that. that demonstration. Only a brief statement about the
Furthermore, the MCM engineers had to find a way showing of “the first stand-alone APL microcomputer
to “compact” prototype's rack-mounted hardware to which elicited a great deal of interest” can be found
fit it into a small enclosure planned for the portable in L.B. Moore's conference report published in APL
personal computer. Quote-Quad.4 Furthermore, none of the former MCM
employees interviewed by me could describe the
PC DEMONSTRATED demonstrated hardware or software with confidence.
From the early stages of the MCM/70 design process, That changed in 2017 when York University Computer
MCM used the computer's prototypes as demonstra- Museum obtained one of the MCM/70's prototypes
tors. In April 1972, in his corporate notes, Kutt expressed and a portfolio of early MCM/70 design documents.
with some urgency the need to develop a demonstra- When analyzed, these objects helped not only to iden-
tor by early June 1972. Under the heading “Shortcut tify the demonstrated prototype but also to determine,
to Demo,” he considered packing a power supply and in general terms, the presentation's content.
a printed circuit board (PCB) with some MCM/70 cir- Among the donated documents, there are two
cuitry on it into a standard desktop calculator case to drawings of PCB layouts. The first of these drawings
have something to show to the potential investors. In is dated May 9, 1973, and titled “MCM 70 PROTOTYPE.”
the end, MCM came up only with a cardboard mockup The second drawing, dated June 26, 1973, has refer-
which, as it turned out, sufficed to secure venture ence to neither a prototype name nor a revision ver-
capital from a law firm in downtown Toronto. sion. Both drawings define single-board computers,
www.computer.org/computingedge 19
ANECDOTES
www.computer.org/computingedge 21
ANECDOTES
www.computer.org/computingedge 23
ANECDOTES
stored in display memory) before eventually clearing wanted to draw attention to a new computing para-
everything and showing the result of the computa- digm and to create its own unique identity.
tion. Therefore, having a single line display built-in and In his 1965 article “The Great Gizmo,” Reyner Ban-
an external CRT terminal as an option seemed like a ham characterized a gizmo as
reasonable solution. But the CRT option disappeared
from MCM's 1974 promotional literature and was not […] a small self-contained unit of high performance
discussed (as a work in progress) in any surviving min- in relation to its size and cost, whose function
utes from MCM managers’ meetings. It would not be is to transform some undifferentiated set of
until 1976 that MCM finally introduced such a display circumstances to a condition nearer human
for its new computer—the MCM/800. This might sug- desires. The minimum of skills is required in its
gest that the announcement of a CRT display as an installation and use, and it is independent of any
“available” option made three years earlier was, to put physical or social infrastructure beyond that
it mildly, a careless instance of the company “snowing” by which it may be ordered from a catalogue
customers and shareholders with options that were and delivered to its prospective user.17
only meant to enhance the MCM/70's image. Or is it?
To answer this question, I analyzed the ROM boards As early as the MCM/70's prototyping stage, the
inside the MCM/70, Executive-E, and MCM/800 company's description of the computer provided
computers. The inspection of these boards showed an almost undeviating instance of Banham's char-
that the same three ROM sockets (out of 16) were left acterization of a gizmo. The Key-Cassette concept
unpopulated in the MCM/70's and the Executive-E was a gizmo (although only on paper), and so was the
while similar boards inside the MCM/800s had all Executive. The design of the wide-case prototype
16 ROM chips installed. It turns out that these three accomplished not only the requirement of hosting
empty sockets were reserved for correcting and future all the necessary hardware in a single box but also of
expansion of the MCM/70's systems software, includ- finding the right balance between stylish eye-catching
ing the addition of CRT support. One may therefore design, functionality, and practicality. Two years of
conclude that financial or other corporate difficulties design experiments culminated in the 1974-release
that MCM experienced in 1974 forced the company to of the MCM/70's production model which inherited
drop several options, including an inexpensive printer the all-in-one concept from the Key-Cassette and
and a CRT display, in order to concentrate on the the Executive, and a defining stylish design from the
MCM/70's prompt introduction to the market. How- wide-case prototype. In the late 1970s, the nascent
ever, as evident from the MCM/70's ROM board, some home computer industry would follow in the footsteps
necessary hardware provisions for such options were of MCM choosing appealing, dashing designs over the
made at the start. industrial look of minicomputers.
www.computer.org/computingedge 25
ANECDOTES
Micral was not intended to be a personal computer: 11. The Executive was donated to York University
“MICRAL’s principal use is in process control. It does Computer Museum in 2017.
not aim to be an universal mini-computer,” Micral 12. The date codes found on its ICs, suggest that the
User’s Manual, R2E, Jan. 1974, p. 66. computer was put together around 1976. Because
4. L.B. Moore, A report of APL V Conference, APL Edwards left MCM at the end of 1975, he continued the
Quote-Quad, Jun. 1973, pp. 20–21. design after leaving MCM.
5. The documents in question are dated May 4 and Aug. 13. Accessed on: Mar. 2020. [Online]. Available: https:
24, 1973. York University Computer Museum, MCM //airandspace.si.edu/node/35305
Collection. 14. MCM/70 pre-announcement shareholder documents,
6. Author interview with Gord Ramer, Jan. 15, 2003. Aug. 24, 1973. York University Computer Museum,
7. A large portion of the computer’s 2 KB of RAM was MCM collection.
used for display, APL execution stack, and a variety of 15. This was confirmed using the MCM/70 emulator
tables required by the computer’s operating system. developed at York University Computer Museum and
Interfacing a cassette drive with a computer would which uses almost identical systems software to that
require an allocation of additional RAM to store found in the Executive’s ROMs.
information about the interfaced device and the tape’s 16. MCM Newsletter, no. 1, 1976, pp. 2 and 3. The MCP-132
content leaving little space for anything else. printer plotter was sold by MCM for $4500 which was
8. I have encountered no evidence for the design of the almost the same price as the MCM/70 in its basic
IBM 5100 being, in any way, influenced by the MCM/70. configuration ($4970).
9. J. Tuttle, private communication, Jan. 2020. 17. R. Banham, The Great Gizmo, Ind. Des., vol. 12, pp.
10. Politiken, Aug. 23, 1973, pp. 1 and 20. 48–59, 1965.
ADVERTISER INFORMATION
Midwest US:
Advertising Sales Contacts Dave Jones
Email: djones@computer.org
Mid-Atlantic US: Phone: +1 708-442-5633 Fax: +1 888-886-8599
Dawn Scoda Cell: +1 708-624-9901
Email: dscoda@computer.org
Phone: +1 732-772-0160
Cell: +1 732-685-6068 | Fax: +1 732-772-0164 Jobs Board (West Coast and Asia), Classified Line Ads
Northeast, Europe, the Middle East and Africa: Jobs Board (East Coast and Europe), SE Radio Podcast
David Schissler
Email: d.schissler@computer.org Marie Thompson
Phone: +1 508-394-4026 Email: marie.thompson@computer.org
Phone: +1 714-813-5094
Resistive RAM (RRAM) has been presented as a promising memory technology toward deep
neural network (DNN) hardware design, with nonvolatility, high density, high ON/OFF ratio,
and compatibility with logic process. However, prior RRAM works for DNNs have shown
limitations on parallelism for in-memory computing, array efficiency with large peripheral
circuits, multilevel analog operation, and demonstration of monolithic integration. In this
article, we propose circuit-/device-level optimizations to improve the energy and density of
RRAM-based in-memory computing architectures. We report experimental results based
on prototype chip design of 128 × 64 RRAM arrays and CMOS peripheral circuits, where
RRAM devices are monolithically integrated in a commercial 90-nm CMOS technology. We
demonstrate the CMOS peripheral circuit optimization using input-splitting scheme and
investigate the implication of higher low resistance state on energy efficiency and robustness.
Employing the proposed techniques, we demonstrate RRAM-based in-memory computing
with up to 116.0 TOPS/W energy efficiency and 84.2% CIFAR-10 accuracy. Furthermore, we
investigate four-level programming with single RRAM device, and report the system-level
performance and DNN accuracy results using circuit-level benchmark simulator NeuroSim.
D
eep learning algorithms have shown tre- conventional memory technologies (e.g., CMOS scal-
mendous success in recent years1 for vari- ing) for hardware accelerator designs.2
ous applications including computer vision, To bridge this gap and largely improve the
speech recognition, language translation, etc. memory energy efficiency, in-memory computing
However, an increasing gap exists between the (IMC) has been proposed in recent years across
exponential network size growth of state-of-the-art different memory technologies. 3–9 IMC typically
DNNs (e.g., tens of millions of parameters) and the asserts multiple or all rows simultaneously to perform
incremental energy-efficiency improvement of multiply-and-accumulate (MAC) computations of
DNNs inside the memory, e.g., along the bitlines with
analog current/voltage.
Digital Object Identifier 10.1109/MM.2019.2943047 SRAM-based IMC works3–5 demonstrate high-
Date of current version 8 November 2019. energy efficiency, however typically such IMC SRAM
28 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
EXPERT OPINION
bitcells include a few additional transistors, which was employed at the RRAM array periphery, degrad-
degrades density and leakage. In addition, custom ing array efficiency and energy consumption. In the
peripheral circuits such as analog-to-digital convert- article by Shulaker et al.,10 a monolithically integrated
ers (ADCs) incur lower array efficiency. Since one 3-D nanosystem has been presented, which connects
SRAM cell occupies 150–300 F2 (F is the feature size CMOS transistors, carbon nanotube transistors
of a technology node), on-chip SRAMs cannot hold all (CNFET), and RRAM devices in different layers with
weights of DNNs. Therefore, CMOS hardware acceler- inter-layer vias. A small-scale support vector machine
ators inevitably involve off-chip DRAMs at the system accelerator has been demonstrated, but applicabil-
level, which results in high energy consumption. ity for larger DNNs has not been shown. While there
Consequently, a number of works have proposed to has been considerable improvement in the CNFET
bring computation closer to the DRAM. DRAM-based
near-memory computing proposes to add logic in the
DRAM die, however logic capability in the optimized BOTH SRAM AND DRAM ARE VOLATILE
DRAM process is relatively limited. On the other hand, AND HAVE INCREASING CONCERNS
DRAM-based IMC is more challenging, because the ON LEAKAGE POWER IN SCALED
conventional 1T1C DRAM read is destructive, and thus CMOS NODES. TO THAT END, RESISTIVE
requires additional overheads such as data copy and NONVOLATILE MEMORY (NVM) HAS
write back.6 DRAM cell designs with nondestructive EMERGED AS A GOOD ALTERNATIVE
read have been proposed (e.g., 2T1C, 3T1C),7 but they DUE TO HIGH DENSITY, NONVOLATILITY,
directly degrade density, which is especially disadvan- AND NONDESTRUCTIVE READ. AMONG
tageous for area-efficient DRAMs. SEVERAL WELL-KNOWN CANDIDATES
In addition, both SRAM and DRAM are volatile INCLUDING PHASE CHANGE MEMORY
and have increasing concerns on leakage power in (PCM), RESISTIVE RAM (RRAM), AND
scaled CMOS nodes. To that end, resistive nonvolatile MAG- NETIC RAM (MRAM), THIS ARTICLE
memory (NVM) has emerged as a good alternative FOCUSES ON RRAM OWING TO ITS
due to high density, nonvolatility, and nondestructive HIGH ON/OFF RATIO, MULTILEVEL
read. Among several well-known candidates including PROGRAMMABILITY, AND MONOLITHIC
INTEGRATION CAPABILITY.
phase change memory (PCM), resistive RAM (RRAM),
and magnetic RAM (MRAM), this article focuses on
RRAM owing to its high ON/OFF ratio, multilevel pro-
grammability, and monolithic integration capability. integration with CMOS or RRAM, in terms of manufac-
There has been only a few works that have demon- turability and yield, integration of RRAM with CMOS in
strated monolithically integrated RRAM and CMOS for commercial technology is much superior.11
DNN hardware design.8–10 In this article, we address such limitations in
Mochida et al.8 designed 180-nm and 40-nm pro- RRAM-based IMC toward energy-/area-efficient and
totype chips with embedded RRAM arrays. However, accurate DNN hardware design, using monolithic
only simple multilayer percepton (MLP) has been dem- integration of RRAM and CMOS. In particular, we
onstrated that resulted in low-inference accuracy of investigate three different device/circuit techniques:
90.8% for MNIST data set. An RRAM macrointegrated 1) modulating resistance values for binary RRAM
with multilevel sense amplifiers (SAs) in 55-nm CMOS devices; 2) peripheral circuit minimization with
logic process was recently reported by Xue et al.,9 input-splitting technique; and 3) multilevel RRAM pro-
targeting convolutional neural networks (CNNs). How- gramming. We report measurement results of 90-nm
ever, a relatively low CNN accuracy of 81.83% accuracy CMOS prototype chip in monolithically integrated
for CIFAR-10 data set was achieved with binary/ter- RRAM arrays, which executes IMC operations of
nary precision. Moreover, only nine WLs are asserted CNNs for CIFAR-10 data set.
simultaneously in the 256 × 512 subarray, which limits In our IMC architecture, monolithic integration
further parallelism, and a relatively complex 4-bit ADC of RRAM and CMOS is crucial, since we need dense
www.computer.org/computingedge 29
EXPERT OPINION
FIGURE 1. Prototype chip design with monolithically integrated RRAM and 90-nm CMOS technology14 (adapted with permis-
sion). This work presents further energy/area optimization.
connections to all wordlines (WLs) and bitlines of decoder has two modes of operation: 1) turning on all
the RRAM array. If RRAM and CMOS are not mono- WL signals simultaneously for binary or low-precision
lithically integrated (e.g., using through-silicon vias or MAC operation; or 2) generating one-hot WL signals
silicon interposers), the bitline and WL delays will be for cell-level programming. As shown in Figure 1(d),
excessive and the integration density will be too low. ADCs and column multiplexers consume a large por-
Furthermore, monolithic integration of RRAM with tion of the core area. In this article, further energy/
CMOS is simpler and less expensive than that with area optimization is investigated including periph-
CNT.10 RRAM process is CMOS fabrication compat- eral circuit minimization by using higher LRS and
ible, with just a few layers of oxide deposition at the input-splitting scheme.
contact via at back-end-of-line (BEOL) compatible Conventional binary RRAMs cannot effectively rep-
temperature. Typically, only one additional mask/ resent the positive and negative weight values (+1 and
lithography is required, allowing RRAM integration to –1) in binarized neural networks (BNNs),12 because the
be low cost. high-resistance state (HRS) and low-resistance state
(LRS) values of binary RRAM devices are both posi-
RRAM PROTOTYPE CHIP DESIGN tive. In addition, as shown in Figure 2, the activation/
We designed a prototype chip for RRAM-based robust weight value combinations of +1/+1 and –1/–1 should
IMC with Winbond's embedded RRAM technology,11 result in the same effective resistance. To that end, we
which monolithically integrates 90-nm CMOS and proposed to use a “XNOR-RRAM” bitcell design13,14 for
RRAM between M1 and M2 [see Figure 1(a)]. Figure 1(b) BNNs. As shown in Figure 2, the XNOR-RRAM bitcell
shows the pad-limited chip micrograph and the core is designed with differential RRAM cells and differ-
area of the chip. As shown in the top-level block dia- ential WLs. The binary activations are implemented
gram in Figure 1(c), the chip design includes a 128 × with the differential WLs, and the binary weights are
64 1T1R array, row decoder, level shifter, eight 8-to-1 implemented with the HRS/LRS values of XNOR-RRAM
column multiplexers, eight 3-bit flash ADCs based bitcells. With all differential WLs asserted simultane-
on seven voltage-mode SAs, and two 64-to-1 column ously, all cells in the same column in parallel compute
decoders for RRAM cell-level programming. The row the binary MAC operations. Since one XNOR-RRAM
cell consists of two 1T1R bitcells, 128 × 64 1T1R array Considering that tightly spaced reference voltages
effectively represents 64 × 64 XNOR-RRAM cells. make flash ADCs more susceptible to variability at low
Both the preliminary simulation results13 and ini- voltages, we show that the proposed input-splitting
tial measurement results14 of the XNOR-RRAM design scheme actually results in much improved accuracy at
only considered the default LRS and HRS values for the lower supplies.
binary RRAM devices, and employed a 3-bit ADC at the Finally, beyond binary RRAM devices, we inves-
periphery for digitizing the analog partial MAC value. In tigate four-level programming with the same RRAM
this article, we investigate three further optimizations devices in our prototype chip, and experimentally
in monolithically integrated RRAM devices and periph- validate the density, energy, and performance gains by
eral circuits, toward enhancing the energy efficiency benchmarking a CNN for CIFAR-10 data set.
and density of the RRAM-based IMC systems.
First, since the default LRS value (~6 k ) consumes HIGHER RESISTANCE FOR
large current and the ON/OFF ratio is relatively high LRS DEVICES
(~150), we explore using higher LRS values (e.g., ~12 In binary RRAM devices, only two states per device
and ~24 k ) to evaluate the tradeoff between current exist, namely LRS (high conductance) and HRS (low
reduction, ON/OFF ratio, and CNN accuracy. conductance). In commercial RRAM technologies that
Second, although a 3-bit ADC is relatively simple, are typically used for storage applications, ON/OFF
it still consumes a large area compared to the RRAM ratio of higher than 100 has been reported. Having a
array itself, resulting in low-array efficiency. We large ON/OFF ratio is certainly good, but on the other
present further algorithm/hardware improvements hand, having high conductance value for the LRS leads
beyond the previous input-splitting techniques,15 and to high current consumption.
employ binary SAs with an unified reference voltage To that end, for a given HRS value fixed, and if we
across all columns, instead of ADCs at the RRAM array have higher LRS values in binary RRAM devices, then
periphery, for digitizing the analog partial MAC values. the current and energy consumption could be largely
www.computer.org/computingedge 31
EXPERT OPINION
FIGURE 3. New input-splitting scheme that allows unified reference voltage for all SAs in the RRAM array periphery.
reduced. On the other hand, compared to the default threshold values. Batch normalization conducts scal-
LRS, targeting LRS to have a higher resistance value ing and shifting operation, and the shifting operation
can result in wider distribution after programming generates threshold values. Therefore, as illustrated
or more susceptible to nonideal effects such as read in Figure 3, we removed batch normalization before
disturb. In addition, and if the LRS and HRS ranges output binarization of small layers. Instead, we experi-
become relatively close, it will adversely affect the mentally found a proper scaling factor for prebinariza-
DNN accuracy for the RRAM-based IMC hardware. tion values of small layers. For the RRAM array with 64
rows, we found that, by scaling prebinarization value
PERIPHERAL CIRCUIT with 1/20, most of scaled values lie in the range of [–1,
MINIMIZATION WITH INPUT- 1]. As there is no shifting operation on prebinarization
SPLITTING SCHEME value of small layers, the columnwise threshold is fixed
Input splitting is a method of the BNN architecture to 0. Then, we added batch normalization after the
design for ADC-free IMC.15 Input splitting recon- merge to compensate for the loss of batch normaliza-
structs a large BNN layer with a network of small lay- tion on small layers.
ers. It splits input of a large layer so that the number of We tested a VGG-like CNN for CIFAR-10 data-
inputs per split group is less than or equal to row count set, which has the network structure of input-
of the given RRAM array. Each split group constructs a 128C3-128C3-MP2-256C3-256C3-MP2-512C3-512C3-
new small layer, and the binary output generated from MP2-1024FC-1024FC-10FC.12 Here, 128C3-128C3 refers
small layers is accumulated and subsequently bina- to the convolution layer with 128 input feature maps, 3
rized with a threshold value of zero. Then, each layer of × 3 kernels, and 128 output feature maps, MP2 refers to
input-split BNN can fit on RRAM array so that the array 2 × 2 max-pooling, and 1024FC refers to the fully con-
can generate binary neuron values as output values. nected layer with 1024 hidden neurons.
However, batch normalization governs that each neu- As we used RRAM arrays with 64 effective rows,
ron has its own threshold value, which necessitates the input counts per input-split BNN layer was set to
each column to have a digital-to-analog converter,4 63 for convolution layers and 64 for fully connected
adding a large overhead. layers. We used 63 for convolution layer because we
In this article, we modified the conventional use 3 × 3 kernel for convolution, and 63 is the clos-
input-splitting method15 to eliminate columnwise est value less than equal to 64. In addition, to make
FIGURE 4. Conductance distribution is shown for four levels of RRAM device programming. Both measurement data from proto-
type chip and fitted Gaussian distribution curves are shown.
the input of convolution layer be divided by 63, we percentage of the RRAM cells that are outside the
changed the number of channels to be an integer mul- target conductance ranges were 0.32%, 1.32%, 0.92%,
tiple of 7. Using Torch, we trained the input-split BNN and 0.44%, respectively.
with the same training condition used in conventional
input splitting.15 For comparison, we trained baseline Inference Accuracy Simulation
BNN (nonsplit BNN), input-split BNN with columnwise The inference accuracy for a CNN is simulated with the
threshold, and input-split BNN without columnwise measured 2-bit RRAM data. However, considering the
threshold. The algorithm simulation results showed limited measurement data (4096 data points for each
that the input-split BNN without columnwise thresh- state) compared to the total number of parameters
old model has compatible accuracy (86.64%) with in a CNN, we first fitted the probability density func-
the baseline BNN (88.46%) and input-split BNN with tion (PDF) of the measured conductance data with a
columnwise threshold (88.24%). linear combination of multiple Gaussians as the fitted
PDF. Then, the conductance values were generated
MULTILEVEL RRAM DEVICES with the fitted PDF for a large CNN. Figure 4 shows the
PDF of the measured conductance and the conduc-
Multilevel Programming Scheme tance values generated with fitted PDF. The distribu-
To achieve 2-bit RRAM, two more conductance states tion tails of the experiment data are captured with the
are inserted between minimum and maximum con- fitted PDF.
ductance levels so that the conductance interval is Using 2-bit weights and 4-bit activations, we
equal between adjacent states. A write–verify pro- benchmarked the same VGG-like CNN for CIFAR-10.
gramming scheme is iterated until less than 2% of It is assumed that each 2-bit weight is stored into one
RRAM cells are outside the target conductance range RRAM cell. We first trained the CNN with the quan-
for each of the four levels. The maximum number of tized training method proposed by Wu et al.,16 and
write–verify iterations to program one RRAM cell is obtained the software baseline accuracy of 91.7%. The
specified as Nmax . For each conductance state, 4096 2-bit weights are then mapped to conductance states,
RRAM cells in the prototype chip are programmed where the conductance values of each RRAM cell are
and measured. It is observed that the conductance generated with the fitted PDFs of the corresponding
distribution becomes more concentrated as Nmax states. The inference accuracy is simulated for three
increases. The Nmax to achieve the target conduc- different array size 64 × 64, 128 × 128, and 256 × 256,
tance range are 15, 30, 15, and 10 for the four conduc- where we employed flash ADCs with 5-bit precision
tance states, respectively. After programming, the using nonlinear quantization.13
www.computer.org/computingedge 33
EXPERT OPINION
FIGURE 5. Measured ADC output results compared with bitcount values from BNN algorithm.
www.computer.org/computingedge 35
EXPERT OPINION
time for CNN Based AI edge processors,” in Proc. IEEE WANGXIN HE is currently working toward the PhD degree at
Int. Solid-State Circuit Conf., 2019, pp. 388–390. the School of Electrical, Computer and Energy Engineering,
10. M.-M. Shulaker, et al., “Three-dimensional integration Arizona State University. He is a student member of IEEE.
of nanotechnologies for computing and data storage Contact him at: wangxinh@asu.edu.
on a single chip,” Nature, vol. 547, pp. 74–78, 2017.
11. C. Ho, et al., “Integrated HfO2-RRAM to achieve highly XU HAN is currently working toward the PhD degree at the
reliable, greener, faster, cost-effective, and scaled School of Electrical, Computer and Energy Engineering,
devices,” in Proc. IEEE Int. Electron Devices Meeting, Arizona State University. She is a student member of IEEE.
2017, pp. 2.6.1–2.6.4. Contact her at: xhan37@asu.edu.
12. I. Hubara, et al., “Binarized neural networks,” in Proc.
Adv. Neural Inf. Process. Syst., 2016. XIAOYU SUN is currently working toward the PhD degree at
13. X. Sun, et al., “XNOR-RRAM: A scalable and parallel the School of Electrical and Computer Engineering, Georgia
resistive synaptic architecture for binary neural Institute of Technology. He is a student member of IEEE. Con-
networks,” in Proc. Design, Autom. Test Eur. Conf. tact him at: xiaoyusun@gatech.edu.
Exhib., 2018, pp. 1423–1428.
14. S. Yin, et al., “High-throughput in-memory comput- HUGH BARNABY is a professor in the School of Electrical,
ing for binary deep neural networks with mono- Computer and Energy Engineering, Arizona State University.
lithically integrated RRAM and 90 nm CMOS,” 2019, His research interests include device physics and modeling,
arXiv:1909.07514. [Online]. Available: https://arxiv.org microelectronic device/sensor design and manufacturing,
/abs/1909.07514 and analog/RF/mixed-signal circuit design. He is a Fellow of
15. Y. Kim, et al., “Input-splitting of large neural networks IEEE. Contact him at: hbarnaby@asu.edu.
for power-efficient accelerator with resistive crossbar
memory array,” in Proc. IEEE Int. Symp. Low Power JAE-JOON KIM is a professor in the Department of Creative
Electron. Design, 2018, Article no. 41. IT Engineering, Pohang University of Science and Technol-
16. S. Wu, et al., “Training and inference with integers in ogy. His research interests include neuromorphic circuit and
deep neural networks,” 2018, arXiv:1802.04680. [Online]. system, low power VLSI design, and flexible device/circuit
Available: https://arxiv.org/abs/1802.04680 design. He is a member of IEEE. Contact him at: jaejoon
17. P. Chen, et al., “NeuroSim: A circuit-level macro model @postech.ac.kr.
for benchmarking neuro-inspired architectures in online
learning,” IEEE Trans. Comput.-Aided Design Integr. SHIMENG YU is an associate professor in the School of
Circuit Syst., vol. 37, no. 12, pp. 3067–3080, Dec. 2018. Electrical and Computer Engineering, Georgia Institute
of Technology. His research interests are nanoelectronic
devices and circuits for energy-efficient computing systems.
SHIHUI YIN is currently working toward the PhD degree at He was a recipient of the NSF CAREER Award in 2016, the IEEE
the School of Electrical, Computer and Energy Engineering, Electron Devices Society (EDS) Early Career Award in 2017,
Arizona State University. He is a student member of IEEE. and the Semiconductor Research Corporation (SRC) Young
Contact him at: Shihui.Yin@asu.edu. Faculty Award in 2019. He is a senior member of IEEE. Contact
him at: shimeng.yu@ece.gatech.edu.
YANDONG LUO is currently working toward the PhD degree
at the School of Electrical and Computer Engineering, Geor- JAE-SUN SEO is an assistant professor in the School of
gia Institute of Technology. He is a student member of IEEE. Electrical, Computer and Energy Engineering, Arizona State
Contact him at: yandongluo@gatech.edu. University. His research interests include energy-efficient
hardware design for machine learning and neuromorphic
YULHWA KIM is currently working toward the PhD degree at computing. He received the IBM Outstanding Technical
the Department of Creative IT Engineering, Pohang Univer- Achieved Award in 2012 and the NSF CAREER Award in 2017.
sity of Science and Technology. She is a student member of He is a senior member of IEEE. Contact him at: jaesun.seo
IEEE. Contact her at: yulhwa.kim@postech.ac.kr. @asu.edu.
www.computer.org/computingedge 37
EDITOR: Ron Vetter, University of North Carolina Wilmington, vetterr@uncw.edu
This installment of Computer’s series highlighting the work published in IEEE Computer
Society journals comes from IEEE Transactions on Parallel and Distributed Systems.
P
arallel and distributed computing systems The solution proposed by the authors thoroughly
have made significant contributions to the optimizes various aspects of the training, including 1)
advancement of machine learning. The recent data compression using run-length encoding, 2) fast
success of machine learning technologies is due not data partitioning using stable sort, 3) approximation
only to new algorithms that improve accuracy but also in finding the split for a node using two-stage histo-
to new algorithms and systems that exploit special- gram building, 4) building histograms that are aware
ized high-performance hardware [for example, graph- of data sparsity, 5) reusing intermediate result during
ics processing units (GPUs) and field-programmable training, and 6) exploiting multiple GPUs to handle
gate arrays] to improve efficiency. This research topic larger data sets. These techniques, taken together,
has been even more important in the era of big data.
Gradient boosting decision trees (GBDTs) have been
widely used in advertising systems, spam filtering,
GRADIENT BOOSTING DECISION
sales prediction, medical data analysis, and image
TREES HAVE BEEN WIDELY USED
labeling. In recent years, they have become very
IN ADVERTISING SYSTEMS, SPAM
popular and won many awards in machine learning
FILTERING, SALES PREDICTION,
and data mining competitions.
MEDICAL DATA ANALYSIS, AND
In “Exploiting GPUs for Efficient Gradient Boost- IMAGE LABELING.
ing Decision Tree Training,”1 Wen et al. present a
series of novel optimization techniques on GPUs
for accelerating GBDT training tenfold over their
CPU counterparts and improving scalability on vastly increase the performance and scalability of
high-dimensional data over their GPU equivalents GBDT training on GPUs and form the critical founda-
(see Figure 1). Accelerating GBDT training on GPUs tions of an open sourced system in GitHub named
is fundamentally challenging due to the large ThunderGBM. Comprehensive experimental results
number of irregular memory accesses required by on popular data sets confirm the effectiveness of
the tree structures and the need for frequent data ThunderGBM over the existing GBDT implementa-
partitioning. tions, including XGBoost, LightGBM, and CatBoost on
both GPUs and CPUs.
38 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
xgboost-cpu catboost-cpu
10 3
lightgbm-cpu thundergbm
10 2
Time Elapsed (s)
2
n/a
n/a
n/a
n/a
0
e
im
s
sy
6
p
yp
in
gg
s2
00
g1
su
-s
vt
hi
lo
e2
al
ne
co
re
accesses and frequent data partitioning make GBDT MANISH PARASHAR is the Distinguished Professor of
training different and more challenging when com- Computer Science at Rutgers, The State University of New
pared to regular training systems. The authors have Jersey. He is the editor in chief of IEEE Transactions on Paral-
addressed these technical challenges with novel and lel and Distributed. Contact him at parashar@rutgers.edu.
efficient solutions as well as integrated the tech-
niques into an easy-to-use system. The promising
speedup achieved through GPU acceleration can pro-
mote further research on accelerating other machine
learning systems with irregular access patterns (such
as sparse networks). On the other hand, the success
of this project also increases the feasibility of more
real-time applications such, as fraud detections in
future digital finances using GBDTs.
REFERENCE
1. Z. Wen , J. Shi, B. He, J. Chen , K. Ramamohanarao, and
Q. Li, “ Exploiting GPUs for efficient gradient boosting
WWW.COMPUTER.ORG/COMPUTINGEDGE
decision tree training ,” IEEE Trans. Parallel Distrib.
Syst., vol. 30, no. 12 , pp. 2706 –2717, 2019.
www.computer.org/computingedge 39
EDITORS: Phil Laplante, plaplante@psu.edu
Ben Amaba, baamaba@us.ibm.com This article originally
appeared in
T
rustworthiness is an elusive quality. We may WHO CAN YOU TRUST?
completely or partially trust relatives, friends, Trust in an entity (either human or a system) is con-
colleagues, or strangers. We also place a great stantly evolving, but there is a base trust established
deal of trust in the operators of airplanes, cars, medi- at first encounter. We all have a certain “trust toler-
cal prognoses, invasive medical devices, and other ance profile” based on individual factors such as
complex systems, potentially risking our lives doing upbringing and life experience. For example, some
so. Similarly, we trust that the designers, builders, people have a very low initial trust tolerance and tend
testers, operators, and maintainers of these com- to distrust people upon the first encounter. Other
plex systems took great care in ensuring safety and people, however, may trust the same person substan-
reliability. But no matter what measures are taken to tially from the outset.
ensure error free operation, we acknowledge a cer- An initial trust level is also established for a
tain level of risk of failure, even catastrophic failure system based on its source, certifications, licenses,
in these systems, because they are built and oper- regulatory guidelines, operating history, and/or on
ated by humans. the user's trust profile. For example, you may not
What about those systems that employ artificial want to be the first person to ride in a newly released
intelligence (AI), such as driverless cars, autopilots, autonomous vehicle but have friends who would
invasive medical devices, and certain types of sys- leap at the chance. Who is right here? To answer, let
tems in the internet of things? Do we expect these us consider the initial encounter with any generic AI
AI enabled systems to operate in such a way that enabled system.
they can be trusted more than those that are oper- During a crisis of faith, while living a monastic life,
ated only by humans? It seems to be headline news mathematician Blaise Pascal used expected value
when an AI capable system fails, particularly when theory to conclude that it was better to believe in a
the blame can be placed directly on the underlying divine being than not. We now call this formulation
“intelligence.” But we should not be surprised when “Pascal's Wager” and a sort of complementary analy-
AI enabled systems fail and we can prove it to you? sis can help us answer the question of whether to
In fact, while we strongly advocate for such systems, trust any AI enabled system upon the first encounter.
we think we should insist on an even higher level Consider the confusion matrix in Figure 1.
of professionalism and rigor when developing and A human can either trust the AI system or not.
deploying AI systems. If the AI system is trustworthy, the consequences
of the interaction are positive. If the human trusts
an untrustworthy AI system, however, then the con-
sequences can be extremely negative (for example,
Digital Object Identifier 10.1109/MITP.2019.2913265 a robotic surgical device making a fatal error). But
Date of current version 17 July 2019. when the human already distrusts the AI system,
40 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
INTERNET OF THINGS
then presumably, precautions would have been taken For both human and AI-enabled system, we are con-
for the consequences of failure, making them less stantly reevaluating our trust in that entity. Should
severe, for example, having some sort of human over- we ever trust any entity completely, even after a
ride mechanism when the system goes awry. Finally, long history of trustworthy interactions? We think
distrusting a trustworthy AI system may have some not. Let us look at a couple of models to justify this
slight cost, for example, extraneous error checking, sentiment.
marginally decreasing the maximum benefit of the
interaction. Roughly speaking, the formulation of Using Oracles
the consequences is represented by the following For every system controlled by AI (or, for some human),
equations: we might think we could invent some kind of oracle to
track the response to each interaction. For each set of
Trust AI :V(consequences) stimuli, the system acts like a filter, producing a set of
= P(AITrustworthy) * V(positiveconsequences) response. Generically, the system acts like an if-then
+ P(AInotTrustworthy) * V(verynegativeconsequences) statement, i.e, the following:
(1)
if (set of stimuli) then (set of responses).
Distrust AI: V (consequences)=P(AITrustworthy) *
V (marginallypositiveconsequences) We then evaluate if the responses are trustwor-
+ P(AInotTrustworthy)* thy, that is, as expected, not expected, or forbidden.
V (marginally negative consequences)(2) These behaviors can, theoretically, at least, be speci-
fied in a tabular form, which helps us predict (and
The function P() represents “the probability of,” trust) the transactions, perhaps allowing us to adjust
and V() represents “value of,” whether in financial or the probabilities in (1) and (2). But by creating this,
costs (e.g., human lives, injury). We can tinker with the the table is just a version of the Gödel incomplete-
probabilities and the costs consequences to make ness problem, and it can be shown, using Cantor's
it seem better to trust the AI, but in safety-critical Diagonal argument, that the table can never be com-
systems, the cost of failure is always going to be pleted. That is, there is always a new, unencountered
extremely high (e.g., death, serious injury, destruction transaction, which should not be trusted in the sense
of costly infrastructure). Thus, if the decision to trust of Pascal's Wager.
is based strictly on minimizing the maximum loss, and
not on some personality-based objective, such as the Interrogating Prisoners
thrill seeking, then it is always better to distrust the AI In the absence of an oracle to determine the trust of
system on the first encounter. an AI system, could a probative mechanism be used?
A common technique for interrogating prisoners of
MONITORING THE ELUSIVE war can be used to continuously test the trustwor-
TRUST FACTOR thiness of humans and AI systems. The interrogator
Over time, our trust in another person or a system asks the prisoner a series of five to ten questions of
evolves through direct experiences and other evi- which the truthful answer is known. If the prisoner
dence such as third-party reports, news, and rumors. truthfully answers the first n questions, then there
www.computer.org/computingedge 41
INTERNET OF THINGS
is a certain degree of confidence in the response to lead to all kinds of moral dilemmas, such as an intel-
next questions (with unknown answers). In fact, as ligent car having to decide between running off the
the number of consecutive truthful answers given road and crashing into a school bus full of children, an
increases, the likelihood of the unknown question autopilot system choosing where to crash to minimize
being false diminishes. causalities, or the classic “trolley problem.” We have
In software testing, Miller et al.1 showed that no way to quantify the subtle considerations that
given T consecutive tests without a failure: have to be made in ethical dilemmas and, hence. do
not know how to build such AI. Furthermore, Asimov's
P (FailontestT+1afterTsuccessfultest) = 1/(n + 2). (3) laws do not inherently account for the possibility that
the system will fail, that is, deliver imperfect data or
By simply restating the problem as a trust test make an imperfect decision.
for the AI system and framing the “questions” as a Finally, any AI system that would choose to destroy
set of stimuli to which we expect a response, we can itself rather than harm another would not pass the
deduce that the probability of betrayal on the (n + Turing test. The philosopher Spinoza said “What if a
1)st interaction (after n trusted interactions) is 1/(n man could save himself from the present danger of
+ 2). So, as n grows large, the likelihood of betrayal death by treachery? … If reason should recommend
tends towards zero (unless we pass to the limit of that, it would recommend it to all men …” Consider
infinity, which is impossible). But we can use (3) to the computer (HAL) in the movie 2001: A Space Odys-
update the probabilities that an interaction has a sey (1968). HAL, an AI system that is “foolproof and
trustworthy answer in (1) and (2). What this all means incapable of error,” malfunctions, and, before it can be
is that we need to continuously and exhaustively taken offline, deliberately kills one of the astronauts to
test AI-based systems in order to maintain a reason- save itself. An AI system that had faithfully executed
able level of trust. But we can never completely trust Asimov's Laws would not attempt this murder, but a
the system. truly “intelligent” system trying to save itself would, as
would a faulty AI system.
TO ERR IS HUMAN
In his 1942 science fiction story “Runaround,” Isaac TO FORGIVE, AI
Asimov proposed three laws that must govern the Even if systems that behave like they should be per-
behavior of robots: ceived as untrustworthy when some party sees the
outcome as unfair, we expect humans to make mis-
R1. A robot may not injure a human being or, takes, to disappoint us by marginal performance, and
through inaction, allow a human being to come even to possibly betray us. But should we expect per-
to harm. fection from AI systems or forgive them when they do
R2. A robot must obey any orders given to it by fail? True AI means that the system must have a cer-
human beings, except where such orders would tain probability of acting in an aberrant (untrusted)
conflict with the First Law. manner. We can either build in the potential for
R3. A robot must protect its own existence as long betrayal or expect it, but in either case, we have to
as such protection does not conflict with the deal with the possibility in the outcome space.
First or Second Law [Asimov]. I am not suggesting that AI-enabled systems are
bad. On the contrary, they can make our lives easier
Asimov later added a 0th law: and better. It is just that we should not trust them
out-of-the-box to be any safer than non-AI-enabled
R0. A robot may not harm humanity, or, by inaction, systems. We must insist that they are developed in
allow humanity to come to harm. a very scrupulous and professional manner by those
who really know what they are doing, and we must
This seems like a reasonable framework for AI deci- insist that they prove their trustworthiness con-
sion that could promote trust. But the framework can tinuously. According to poet Alexander Pope “To err
Cutting Edge
he would have amended this to “To err is human, to
forgive, divine—but don't trust AI.” stay
on the
REFERENCES
1. K. Miller, et al., “Estimating the probability of failure
when testing reveals no failures,” IEEE Trans. Softw.
of Artificial Intelligence
Eng., vol. 18 , no. 1, pp. 33 – 43, Jan. 1992.
J a n ua ry/ f E b r ua ry 2 016
IEEE
2. I. Asimov, “Runaround,” Astounding Sci. Fiction, vol. 29, Also in this issue:
aI’s 10 to Watch
real-Time Taxi Dispatching
56
68
IEEE
January/FEBruary 2016
from flu Trends to Cybersecurity 84
no. 1, 1942. P U T T I N G A I I N T O P R A C T I C E
VOLuME 31
engineering with the Pennsylvania State University, Univer-
nuMBEr 1
www.computer.org/intelligent
IEEE
the Artificial Intelligence and Data Science Elite Team, IBM,
Armonk, NY, USA. Contact him at baamaba@us.ibm.com
Call rticles
for A ing
e C o mput
iv
EE Pervas o n th
e late
st
IE , u s ef
ul p a p e r s
e,
a c ce s s
ible r vasiv
seek s e nt s in pe
v elopm ics
e d de g. Top
eview putin
peer-r ous co
m
u biquit a re
e , an d , s of t w
mobil e c h n ology
t
ware an d
e hard ensing
includ w orld s
l-
re , re a c tion,
f ra s truc tu u t e r intera
s: in mp
e li n e an- co
or gu
id
c tio n , hu m includ
ing
Au t h /mc / inter a
tions,
er.org e ra
privac
y.
mpu t consid
ww w .c o
htm d s y s te m s c u r it y, and
uthor. an se
sive /a bilit y,
p e r v a
ils: m e n t, scala
a y
e r de t deplo
Furth o rg
puter. sive
sive @ co m
g /perva
p e r va ter.or
.c ompu
www
www.computer.org/computingedge 43
EDITOR: Dimitrios Serpanos, ISI/ATHENA and University of Patras, serpanos@computer.org
New IT and computer science solutions are needed to ensure an increased flexibility of
production systems. One key is using intelligent and self-responsible production system
components, the Industry 4.0 components. In this column, relevant requirements,
research and development trends, and issues still to be addressed are presented.
P
roduction systems, in general, are charac- processes that enhance the production skills of the
terized by the three main concepts they resource.
combine: products, production resources, The connection between products and resources
and production processes (Figure 1).1 The purpose is established by the production processes that are
of a production system is to produce products in an required to create the products and are provided by
amount and quality to meet demands of possible cus- the resources. In traditional production systems, the
tomers. The product’s design defines the appearance portfolio of possible products is strongly interlinked
and functioning of the final products by combining with the set of resources that are used. This linking
and processing the defined materials in an estab- is done when the production system is engineered
lished way. The main outcome of the product design, by integrating the production process characteris-
from the production system point of view, is the set of tics required for the intended products within the
required materials (the bill of material definition) and structure of the production components (technical
a partially ordered sequence of production processes bordering conditions) and within the control software
to be executed on them (the bill of operation). (sequence and parameterization of necessary process
Production resources are used to ensure the steps). Thus, only those products that are predicted in
implementation of the processes. The resources are the design stage can be created within such produc-
organized in a hierarchy of production system compo- tion systems.2
nents, whereby each component executes a share of Increasing competition in global markets is leading
the production process provided by the resource. The to new challenges. Customer requirements are chang-
complexity of this share can range from a very simple ing very fast. Technological process is driving changes
task, like opening a valve or rotating a drive, to com- related to applicable production system components.
plex processing, like welding a line. In general, each Lawmakers are increasingly facing social and ecologi-
component provides production functionalities that cal challenges that increase the number of regulations
add value to the product or support the value-adding to be considered. All of these challenges change (in
fact reduce) the time that classically designed produc-
tion systems are economically viable.
Digital Object Identifier 10.1109/MC.2019.2949107 In response, a new type of production system is
Date of current version: 15 January 2020 being considered,3 based on self-reliable production
44 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
Is Scheduled On
Product Resource
Is Producing
www.computer.org/computingedge 45
CYBER-PHYSICAL SYSTEMS
Thing
Reached developments
The different ongoing research and development
FIGURE 2. The architecture of the Industry 4.0 component activities naturally have various goals. These range
with an asset administration shell. from developing general architectures and detailed
designs of architecture components to proving the
applicability of different technologies within the over-
more closely control production system physics than all architecture or their components. Handbuch Indus-
higher-layer controllers, which are specifically respon- trie 4.0 Bd. 2: Automatisierung6 includes a collection
sible for planning decisions. of application cases and descriptions of technol-
Depending on industry, bordering conditions of ogy descriptions. The “Industry 4.0 Platform”7 shows
the production system, intended system structuring, results of standardization efforts. Both sources are
different types of control devices, and control soft- regularly updated as progress is made.
ware are applied. These systems are programmable All research and development activities employ a
logic controllers, numeric controllers, robot control- common general architecture pattern for the Indus-
lers, PC-based controllers, and others with their try 4.0 component depicted in Figure 2.7 This com-
specialized languages but also with programming ponent is an identifiable, communication-enabled,
languages like C, Python, or (seldom) Java. and cooperative combination of one or more
To accommodate greater flexibility, the auto- physical assets accompanied and supervised by
mation pyramid is increasingly giving way to more an administration shell.7 This shell provides a vir-
heterarchical and distributed control architectures tual representation of the covered asset as well as
that combine lower-layer (process control) and access to its technical functionalities. The virtual
higher-layer control (planning) decisions within one representation can be viewed as a semantically and
device related to one production system component, metadata-enriched collection of the possibly inter-
leading to so-called cyberphysical systems (CPSs). linked individual sets of data describing the asset
According to Encyclopedia of Business Informatics, from all perspectives, which might be relevant within
a CPS is a combination of components with physical its lifecycle.
and data processing parts involving communication. The physical asset is not necessarily a simple or
CPSs range from very simple embedded systems, for trivial object. It can contain its own controller, pro-
example, drives or rotary encoders, to very large ones, viding it with all necessary intelligence and control
such as production systems, power plants, energy decisions for the execution of the specified technical
transmission systems, airplanes, and train systems. functions. Thus, two intelligent pieces may be involved
Cyberphysical production systems are intended in the Industry 4.0 component: the management shell
to be used to form the new type of production sys- and the asset internal control.
tems already described. But to do so, they have to ful- This architecture calls for implementation deci-
fill the requirements presented for production system sions addressing six problems. First, the virtual
components. representation has to be set up [(1) in Figure 2]. Here,
the different lifecycle phases of the asset need to be independently of the realization of the virtual repre-
considered with respect to relevant data sets and sentation that may be with OPC UA or AutomationML.
usable implementation technologies. While data for- The current state of the art enables
mats such as AutomationML are considered during resource-related flexibility. Industry 4.0-based pro-
engineering, Open Platform Communications (OPC) duction system components can integrate them-
Unified Architecture (UA) is the top consideration selves in the overall production system. They can
during use. Between the two phases, that is, during expose interfaces that enable their use by other
system setup, specialized XML dialects or Java Script production system entities and plan their actions, if
Object Notation can become relevant. The data struc- requested from outside, based on described skills.
turing in the virtual representation is currently under Thus, a high degree of resource and process flex-
development.7 ibility is reached.
The second problem is the realization of the access
to the virtual representation [(2) in Figure 2]. Here, the
implementation technologies of the virtual represen-
TO ENABLE INCREASED PROCESS
tation define possible access paths. Especially during
FLEXIBILITY THROUGH THE
use, OPC UA gives detailed implementation specifica-
OPTIMIZED USE OF INDUSTRY
tions. During engineering, this is more open. Depend-
4.0 COMPONENTS, THEIR SELF-
ing on the engineering network architecture, different DESCRIPTION NEEDS TO BE
types of information logistics implementations can be IMPROVED.
applied.8
The third problem involves implementation of the
supervision and provision of the technical functions
[(3) in Figure 2]. Currently, the use of service-oriented Open issues
architectures is being explored. This technology There remain several open questions to increase
enables the self-description of services and their product, process, and resource flexibility within pro-
orchestration, following the needs of the accessing duction systems while also fulfilling all of these var-
entity. ious requirements. To enable complete self-control
Consequently, access to the technical functions of production resources including self-planning,
[(4) in Figure 2] is also realized by service access. It self-maintenance, and similar capabilities and, thus,
enables the use of existing IT technologies as well as increase resource flexibility, Industry 4.0 components
smooth integration with existing IT landscapes. cannot be only service oriented and, thereby, reactive;
The integration of the technical function realiza- they need to be proactive. Agent-based implementa-
tion within the asset with its supervision and control tions that extend service orientation provide a prom-
within the administration shell [(5) in Figure 2] is ising solution.9
highly asset dependent. Nevertheless, OPC UA is To enable increased process flexibility through
one of the most commonly considered technologies the optimized use of Industry 4.0 components, their
for this integration. Within the German Mechani- self-description needs to be improved. On one hand,
cal Engineering Industry Association, several the description of technical functions needs to be
industry-driven OPC UA compendium specifications detailed. The current focus on technical border-
are under development for that purpose. ing conditions needs to be enlarged to integrate
The last problem is the integration of the super- reachable production process quality, economic
vision and control of the technical functions with effects, ecological effects, and so on. Therefore,
the virtual representation [(6) in Figure 2]. The main new methods of skill representation and evaluation
purpose of this integration is to enable the provision are required. At the same time, the representation of
of semantically enriched asset state and behavior data within the virtual representation of the Industry
information accompanied by engineering data. 4.0 component needs to be standardized. This stan-
OPC UA is one candidate for the realization as well, dardization will not only define the metastructure
www.computer.org/computingedge 47
CYBER-PHYSICAL SYSTEMS
of the data but also specify how the different related “Engineering processes for decentralized factory
engineering and usage disciplines will be represented automation systems,” in Factory Automation, J.
and integrated. Silvestre-Blanes, Ed., Vienna, Austria: In-Tech, 2010.
Additionally, the product has to be considered [Online]. Available: http://www.intechopen.com
an independent and proactive Industry 4.0 compo- /articles/show/title/engineering-processes-for
nent, driving the production process and increasing -decentralized-factory-automation-systems
product flexibility. Agent technologies, which have 6. B. Vogel-Heuser, T. Bauernhansel, and M. ten Hompel,
been considered for several years as a means for Eds., Handbuch Industrie 4.0 Bd.2: Automatisier-
distributed proactive control, can assist the imple- ung, Berlin, Germany: Springer-Verlag, 2017. doi:
mentation. However, a slightly different component 10.1007/978-3-662-53248-5.
architecture may be required to address the special 7. Federal Ministry for Economic Affairs and Federal
requirements of product flow through in a produc- Ministry of Education and Research. “Industry 4.0
tion system. Platform.” Accessed on: 2019. [Online]. Available: https:
//www.plattform-i40.de/PI40/Navigation/DE/In-der
REFERENCES
1. S. Biffl, A. Lüder, and D. Gerhard, Eds., ARNDT LÜDER is the head of the Institute of Ergonomics,
Multi-Disciplinary Engineering for Cyber-Physical Manufacturing Systems and Automation, Otto-von-Guericke
Production Systems: Data Models and Software Solu- University, Magdeburg, Germany. He is a Member of the IEEE
tions for Handling Complex Engineering Projects. New Industrial Electronics Society and a member of the board of
York: Springer-Verlag, 2017. directors of the AutomationML Association. Contact him at
2. H. ElMaraghy, “Flexible and reconfigurable manufac- arndt.lueder@ovgu.de.
turing systems paradigms,” Int. J. Flexible Manuf. Syst.,
vol. 17, no. 4, pp. 261–276, 2005.
3. H. Kagermann, W. Wahlster, and J. Helbig, Eds., Umset-
zungsempfehlungen für das Zukunftsprojekt Industrie
4.0: Abschlussbericht des Arbeitskreises Industrie 4.0,
Bundesministerium für Bildung und Forschung. Frank-
furt am Main, Germany: Forschungsunion Wirtschaft
und Wissenschaft, 2013.
4. E. Trunzer et al., “System architectures for Industrie
F O LLOW US
4.0 applications: Derivation of a generic architecture @ s e cu rit y p riv a c y
proposal,” Prod. Eng., vol. 13, nos. 3–4, pp. 247–257, June
2019. doi: 10.1007/s11740-019-00902-6.
5. T. Wagner, C. Haußner, J. Elger, U. Löwen, and A. Lüder,
Bert Hubert: When you type a name in the Internet, DNS also denotes where the mail server for a domain is
the computer cannot directly connect. It must look located, as an example. That’s the mail exchanger (MX)
up the Internet Protocol (IP) address of that website— record. If you have a network with many subscribers
IPV4 or IPV6—which DNS provides. A lot happens to and you’re worrying about bad behavior, such as serv-
make DNS work well. Browsers ensure that their que- ers that have been hacked, you can check in DNS how
ries get answers quickly, because speed affects the many MX domain queries the server is doing because
user experience. hacked servers will attempt to spam widely. Then, you
It’s an old protocol that we rely on, and it’s tricky. see tons of MX records.
There is a difference between “this name doesn’t More frequent than MX records are text records
exist” and “the name exists, but it doesn’t have an IPV6 that store arbitrary bits of text in DNS. These are used
address.” The latter says the name does exist, but the by many spam lists to identify IP addresses known to
thing you asked for doesn’t. But often, you get back be spamming or domain names known to be phishing.
the answer, “the name doesn’t exist,” or “we tried to Many mail servers perform DNS text-record lookups to
resolve this name, but we it didn’t work.” This has led figure out if a sending mail server is known to spam.
to websites disappearing from the web because a load With all its faults and its age, DNS is still the one tech-
balancer messed up this nuance. nology that functions as a low-investment worldwide
distributed database; you can ask it many questions
per second and get good answers.
Digital Object Identifier 10.1109/MS.2020.3000883
Date of current version: 20 August 2020 What types of DNS servers are there?
2469-7087/21 © 2021 IEEE Published by the IEEE Computer Society July 2021 49
SOFTWARE ENGINEERING RADIO
What about privacy? sites you are visiting. But it’s not progress if now some
American company knows what sites you are visiting.
DNS traffic tells you everything about a person. If you However, the largest Internet service providers are
have access only to someone’s DNS records, you will now either offering or developing fully encrypted DNS.
be able to tell where they live, what phone they have, So there is not much benefit anymore in sending all
or what brand of TV they have, and so forth. Per bit, encrypted data to a third party that you did not select.
DNS may be the most privacy-sensitive material on
the Internet. It is worthwhile to protect DNS records What one thing should a software engineer remember?
because we don’t want too many people to have
access to those. Monitor DNS. When it breaks, everything will break, so
If someone has a Tesla and I know that they work it is worth adding diagnostics. If you have long-lived
at a certain company and which sports team they applications, the DNS answer that you got at the
like, that narrows down a search for a person. All this start-up of the application that you cached from weeks
information radiates from that person’s Internet con- ago may no longer be the right IP address. DNS is more
nection through a DNS. dynamic than it used to be.
A common current view is that we should encrypt
DNS wherever we can and then send it to a new third
party, which then gets access to all your browsing GAVIN HENRY is the founder and managing
data. I’m not convinced that that is actually progress. director of SureVoIP, an Internet telephony
Previously, we had a highly regulated telecommunica- service. Contact him at ghenry@surevoip
tions company, at least here in Europe, that knew what .co.uk.
www.computer.org/annals
www.computer.org/computingedge 51
EDITORS: Davide Balzarotti, davide.balzarotti@eurecom.fr
William Enck, whenk@ncsu.edu, Samuel King, kingst@ucdavis.edu
Angelos Stavrou, astavrou@gmu.edu This article originally
appeared in
A Cybersecurity Terminarch:
Use It Before We Lose It
Eric Osterweil, George Mason University
W
hy can’t we send encrypted email
(secure, private correspondence that term · in · arch
even our mail providers can’t read)? Why /’ t rm , närk/
do our health-care providers require us to use secure noun
portals to correspond with us instead of directly email- an individual that is the last of its species
ing us? Why are messaging apps the only way to send or subspecies. Once the terminarch dies, the
species becomes extinct.
encrypted messages directly to friends, and why can’t
we send private messages without agreeing to using
a single platform (WhatsApp, Signal, and so on)? Our
cybersecurity tools have not evolved to offer these
services, but why? DNS Security Extensions (DNSSEC). DNSSEC’s pro-
Cybersecurity and cryptographically enhanced tections stem from the DNS tree’s root TA [often called
tools in the Internet have faced an uphill battle for the Root Zone’s Key Signing Key (Root KSK)].
many years, due in no small part to the fact that Since its deployment, the management, mainte-
we do not have a global architecture for deploying nance, and policies surrounding the Root KSK have
interorganizational (platform-agnostic) verifiability, been overseen by an international multistakeholder
authentication, and encryption. This deficiency stems community, the Internet Corporation for Assigned
largely from the absence of a single/unambiguous Names and Numbers (ICANN) community.1 This model
global-root cryptographic key for verification [i.e., a ensures that there is no single entity that has unilat-
public key that is usable as a global Trust Anchor (TA)]. eral jurisdiction over the Root KSK. Today, DNSSEC’s
A global TA could be used to foundationally enhance protocol, policies, and infrastructure are operationally
protections for security tools, protocols, and more, mature and widely distributed. However, these pro-
but attempts to deploy one in the Internet have a long tections lie at the low level of the Internet’s founda-
history of failure. tion and are not often noticed at the application (or
To date, there has only been one success story, other user-facing) layer(s). This has left the potential
and, fortunately, it is still operating. Today, almost to extend DNSSEC’s verification protections largely
everything we do online begins with a query to a untapped. Moreover, the model we are using exposes
single-rooted hierarchical global database, whose systemic vulnerabilities.
namespace is collision-free, and which we have relied Since the late 1990s, the verification and authen-
on for more than 30 years: the Domain Name System tication used by essentially all our security protocols
(DNS). Moreover, although the DNS protocol did not have made do with a collision-prone hierarchical verifi-
initially have verification protections, it does now: the cation model called the Web public-key infrastructure
(Web PKI). Interfaces like secure sockets use the Web
PKI so that applications can benefit from protections
Digital Object Identifier 10.1109/MSEC.2020.2989703 from this model without needing to delve into its com-
Date of current version: 9 July 2020 plexity. Under these covers, the Web PKI’s verification
52 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
substrate uses multiple roots (i.e., multirooted veri- There have been several community attempts
fication). It is a loosely organized list of certification to create single-rooted verification hierarchies for
authorities (CAs) that our software uses to verify Internet services, but single-rooted verification has
essentially all our interorganizational data and trans- proven to be a difficult species to breed. In 1989,
actions (TLS tunnels, HTTPS, secure SMTP, file encryp- there was an attempt to create a single global root for
tion, etc.). The Web PKI provides verification and also Privacy-Enhanced Mail in RFC-1114, but the question
asserts trust, but these are separable protections. of who would operate that root was never answered.
Although the Web PKI has raised the bar on mis- Later the Web PKI began deployment but not as a
creants, it has also left important security doors multirooted hierarchy. In 1995, VeriSign, Inc. had its CA
unguarded. Without a definitive starting point for certificate configured in the then-dominant Netscape
verification, multirooted verification hierarchies suffer Navigator web browser.3
from architectural vulnerabilities. For instance, when At that time, secure web connections verified all
a multirooted verification hierarchy like the Web PKI websites’ cryptographic keys by tracing secure delega-
is used to authenticate HTTPS web transactions, rely- tion paths from that single root. However, the Web PKI
ing party software packages (like web browsers) have did not have protections that mandated a single root,
no way to know which CA is authorized to vouch for a and as browser software continued to diversify and the
website. This is a problem because it can lead to attes- World Wide Web continued to grow, the list of root CAs
tation collisions; whereby browsers have no choice also grew. Today, there are hundreds of root CAs in the
but to trust any certificate that is verified by any CA. Web PKI that are configured in browsers, and they are
One of the earliest high-profile exploits of this often maintained (i.e., rolled over, revoked, or otherwise
attack vector was on a CA named DigiNotar in 2011.2 changed) in nontransparent/nonstandard ways.
That event served as a large-scale existence proof More recently, the Internet Engineering Task Force
of the vulnerability of this model. In multirooted (IETF) has standardized protocols for verifying the
hierarchies, RPs generally don’t even have a way to proper holders of Internet Protocol (IP) addresses and
know who all the roots are supposed to be. Knowing autonomous system numbers using an architecture
all the CA roots in the Web PKI is an open challenge. called the Resource Public-Key Infrastructure (RPKI) in
Browsers attempt to stay current with each other’s RFC-6480. After years of trying to align Internet stake-
trust stores, and there is an organization called the holders, and even after unambiguous advice from the
CA/Browser (CAB Forum) to coordinate this, but other Internet Architecture Board in 2010, the RPKI has not
systems that have tried to use TLS (HTTPS’s under- been able to agree on a single root and now plans to
lying secure connection protocol) have found this operate in perpetuity as a multirooted hierarchy. Just
intractable. Uses in software like mail servers have as with the Web PKI, the RPKI now has attestation
essentially become nonstarters for that reason. collisions. Missed attempts like these underscore the
Single-rooted verification hierarchies (like tradi- singular opportunity that DNSSEC represents. It has
tional PKIs) address the aforementioned problems at even succeeded at an operational scale that other
an architectural level. With a single root, there is no large (private) single-rooted PKIs have failed. As the
ambiguity about which signing authority is allowed to first and only example of a deployed Internet-scale
vouch for whom (the single root clearly disambiguates single-rooted verification hierarchy species, one could
this), and there is only one single (well-known) root for worry that we will not be able to create and operation-
RPs to bootstrap and maintain. alize another.
www.computer.org/computingedge 53
SYSTEMS ATTACKS AND DEFENSES
New standards, like the DNS-based Authenti- those of Namecoin, Ethereum Name Service, or the
cation of Named Entities (DANE) suite (RFC-6698, GNU Name System) could portend extinction, and
RFC-8162, and RFC-7929)4 have emerged that have alternate verification schemes like certificate trans-
the immediate potential to be used to unambiguously parency, which essentially enshrine a global default
secure our protocols and data by using DNSSEC. trusted source (the way the Web PKI started), herald
At a time when recent global events have caused a the same. In its current state, the DNS has been an
dramatic increase in teleworking, distance learning, extensible resource for more than 30 years, and we
and reliance on online communications and when our have only just begun to tap its potential as a cyberse-
Internet privacy has become top-of-mind to many, why curity substrate.
shouldn’t we be able to apply end-to-end encryption
and object-security to our online lives? HOW SECURE IS DNSSEC? YOU
Looking forward, this should also include email, BE THE JUDGE!
medical records, cybersecurity information sharing, The operations of the DNSSEC root zone follow the
and much more. Indeed, now is the right time for us to strictest form of security hygiene. The DNSSEC root
reassess the foundations that we have built our pro- follows a DNSSEC Practice Statement (which is pub-
tections on, and also consider if we may be undermin- lished and available to anyone to inspect at iana.org);
ing our strongest (and largely untapped) foundational its cryptographic keys are maintained in FIPS 140-2
component. Level 4 hardware security modules, the process and
installations have achieved SOC 3 certification for nine
PROBLEMS ON THE HORIZON consecutive years, there are multiple geographically
Recent DNSSEC-based protocols, like DANE, enable distributed disaster recovery sites, and high-value
rich protections and are within our grasp; that is, if we top-level domains (TLDs) (like .com, .net, and so on)
don’t lose them before we use them. Several recent are also following the same level of security practices.
proposals for DNS over HTTPS, DNS over TLS, and Even routine processes like generating zone
even DNS over QUIC aim to add security and privacy signing keys require a quorum of trusted community
protections in ways that would actually create verifi- representatives to be physically present and to verify
cation loops and thereby fundamentally (albeit inad- material, transactions, and adherence to the ICANN
vertently) jeopardize the security, stability, and resil- community processes. The DNSSEC root and TLDs are
iency (SSR) of the DNSSEC. being meticulously protected and managed to ensure
These proposals focus on using transport-layer the SSR of the entire DNS hierarchy with the same
security protections, derived from verification per- level of security as CAs.
formed by the Web PKI, to access DNSSEC. This would Even exceptions are treated with the highest level
be a disastrous weakness because it would fundamen- of prudence. In 2017, the Root KSK was scheduled
tally undercut DNSSEC’s verification substrate. Our to gracefully transition to a newer key (i.e., rollover)
single-rooted verification hierarchy would (effectively) because of proactive operational hygiene. However,
become a subtree under the multirooted Web PKI. before this rollover was executed, measurements indi-
DNSSEC’s protections would be subordinated and cated a potential problem, which prompted operators
thereby have an architectural dependency. Although to postpone this rollover. This prudence serves as just
the proposal to protect the transport of DNS is well one of many examples of the diligence and care that
intended, the approach must not come at the greater exists in the management of DNSSEC’s global root
cost of our architectural correctness. If we aren’t con- key. In short, experts are plugged in and taking every
scientious in our designs, we may never get another precaution necessary to ensure proper operation and
global single root, making DNSSEC a terminarch (i.e., success of this critical resource.
the last of its kind).
Other proposals for alternate (i.e., competing) DEPLOYING DNSSEC
DNS roots (such as the Yeti DNS project) threaten Now that DNSSEC is enjoying broad adoption by
potential disaster, alternate naming schemes (like service providers, there are increasingly easy ways
for administrators to deploy it. For those who oper- possibilities for Internet cybersecurity companies,
ate their own DNS infrastructure, almost all mod- start-ups, and more.
ern DNS name server software platforms can enable
DNSSEC via trivial configurations. For those who use
DNS registrars or other managed DNS (mDNS) pro-
viders to operate their DNS infrastructures, many
T his all stems from DNSSEC’s global single root,
the DNS Root KSK, the multistakeholder policy
community, and the state-of-the art operations that
of these providers offer to deploy and manage DNS- support the cryptographic material. Cybersecurity
SEC through configuration pages in their online por- professionals have the opportunity now to embrace
tals. Often, simply looking at the existing config- this resource and capitalize on it to bring the Inter-
uration options of either one’s own infrastructure net’s cybersecurity to a new high watermark, but
or the pages of one’s provider can be the one-stop we as a community need to continue to carefully
shopping for turning DNSSEC on. The DNSSEC com- protect the Internet’s first (and possibly last) global
munities want to help, and resources like the Inter- single-root verification terminarch: DNSSEC.
net Society’s Deploy 3605 pages offer resources for
guidance to answer questions and to otherwise help REFERENCES
with deploying DNSSEC. 1. “ICANN’s multistakeholder model,” ICANN. [Online].
Available: https://www.icann.org/community
USE IT BEFORE WE LOSE IT 2. D. Fisher, “Final report on DigiNotar hack shows total
Although using the DNS to resolve a domain name compromise of CA servers,” Threatpost, Oct. 31, 2012.
to an IP address is a critical starting point for almost [Online]. Available: https://threatpost.com/final
all our transactions on the Internet, the DNS was -report-diginotar-hack-shows-total-compromise-ca
designed to be used to look up essentially arbitrary -servers-103112/77170/
data. Based on this, DNSSEC has evolved the DNS 3. N. Wingfield, “Digital IDs to help secure Internet,”
into a global PKI. DNSSEC is in a position to implement InfoWorld, Oct. 23, 1995. [Online]. Available: https:
general-purpose object security. This could be used to //tinyurl.com/yaf6cwun
secure threat intelligence, cybersecurity information 4. “How DANE strengthens security for TLS, S/MIME, and other
sharing, the Internet of Things, email, electronic pro- applications,” Verisign, Nov. 19, 2015. [Online]. Available:
tected health information (e-PHI), and much more. https://blog.verisign.com/security/how-dane-strengthens
By using DNSSEC as the Internet’s global single -security-for-tls-smime-and-other-applications/
root, we will get interoperability across all those Inter- 5. Internet Society. Accessed on: May, 9, 2020. [Online].
net systems that already speak DNS. With DNSSEC, Available: https://www.internetsociety.org/deploy360
we can secure caches against poisoning attacks and /dnssec/
reduce transitive trust attack surfaces.6 The DNSSEC 6. E. Osterweil, D. McPherson, and L. Zhang, “The shape
deployment is now counted in the millions of domains and size of threats: Defining a networked system’s
and has been growing and succeeding at exponential attack surface,” in Proc. 2014 IEEE 22nd Int. Conf.
rates, and operators are becoming increasingly adept Network Protocols (ICNP), pp. 636–641. doi: 10.1109
at managing their cryptographic deployments.7 It is /ICNP.2014.101. [Online]. Available: https://ieeexplore
ready to be built on. .ieee.org/abstract/document/6980440
Protocols like DANE propose to do exactly that, 7. “Growth and health metrics for the global deployment,”
thereby repairing architectural holes that have 2020. [Online]. Available: http://secspider.net/
hamstrung HTTPS. This will allow us to enable fallow
object-security models, like using S/MIME for secure
end-to-end email encryption and signing.4 This would ERIC OSTERWEIL is the vice-chair of the ICANN Second
not only plug existing security holes, it would also Security, Stability, and Resiliency Review Team (SSR2 RT).
give us never-before-seen cybersecurity facilities. Osterweil received a Ph.D. from the Computer Science
Even DANE’s nascent deployment already numbers Department, George Mason University, Fairfax, Virginia.
in the hundreds of thousands. It has opened new Contact him at eoster@gmu.edu.
www.computer.org/computingedge 55
IEEE Internet Computing delivers novel content
from academic and industry experts on the
latest developments and key trends in Internet
technologies and applications.
www.computer.org/internet
Volume 22
www.computer.org/internet
Number 4
for subscription discounts today!
Volume 22
www.computer.org/internet
Number 3
www.computer.org/internet
www.computer.org/product/magazines/internet-computing
Get Published in the IEEE Open
Journal of the Computer Society
I EEE Computer Society conferences are valuable forums for learning on broad and dynamically shifting top-
ics from within the computing profession. With over 200 conferences featuring leading experts and thought
leaders, we have an event that is right for you. Questions? Contact conferences@computer.org.
58 July 2021 Published by the IEEE Computer Society 2469-7087/21 © 2021 IEEE
OCTOBER Workshop), Washington, D.C., on Workload Characteriza-
1 October USA tion), virtual
• ISPA (IEEE Int’l Symposium on 13 October 15 November
Parallel and Distributed Pro- • FIE (IEEE Frontiers in Educa- • ASE (IEEE/ACM Int’l Conf. on
cessing with Applications), tion Conf.), Lincoln, Nebraska, Automated Sof tware Eng.),
New York, USA USA Melbourne, Australia
4 October • WF-5G (IEEE 5G World Forum), • BigMM (IEEE Int’l Conf. on Mul-
• IC2E (IEEE Int’l Conf. on Cloud Montreal, Canada timedia Big Data), Taichung,
Eng.), San Francisco, USA 16 October Taiwan
• ISMAR (IEEE Int’l Symposium • MICRO (IEEE/ACM Int’l Sym-
on Mixed and Augmented posium on Microarchitecture), DECEMBER
Reality), Bari, Italy Athens, Greece 20 December
• LCN (IEEE Conf. on Local Com- 17 October • MCSoC (IEEE Int’l Sympo -
puter Networks), Edmonton, • ICVRV (IEEE Int’l Conf. on Vir- sium on Embedded Multicore/
Canada tual Reality and Visualization), Many-Core Systems-on-Chip),
• MASS (IEEE Int’ l Conf. on Nanchang, China Singapore
Mobile Ad Hoc and Smart Sys- 18 October
tems), Denver, USA • SecDev (IEEE Secure Develop-
6 October ment Conf.), Atlanta, USA
• DFT (IEEE Int’l Symposium on 21 October
Defect and Fault Tolerance in • IEEE Cloud Summit, Hemp-
VLSI and Nanotechnology Sys- stead, New York, USA
tems), virtual 24 October
10 October • VIS (IEEE Visualization Conf.),
• M O DEL S (AC M/IEEE In t ’ l New Orleans, USA
Conf. on Model Driven Eng. 25 October
Languages and S ystems), • EDOC (IEEE Int’l Enterprise
Fukuoka, Japan Distributed Object Computing
11 October Conf.), Gold Coast, Australia
• ESEM (ACM/IEEE Int’l Sympo-
Learn more
sium on Empirical Software NOVEMBER
Eng. and Measurement), Bari, 2 November about IEEE
Italy • ICNP (IEEE Int’l Conf. on Net- Computer
• ICCV (IEEE/CVF Int’l Conf. on
Computer Vision), Montreal,
work Protocols), Dallas, USA
6 November
Society
Canada • SmartCloud (IEEE Int’l Conf. on conferences
12 October Smart Cloud), Newark, USA
computer.org/conferences
• AIPR (IEEE Applied Imag- 7 November
e r y Pa t t e r n R e c o g n i t i o n • IISWC (IEEE Int’l Symposium
IEEE COMPUTER SOCIETY ELECTION
Volunteer Leadership
Is Vital
Vote by Monday, 20 September at 12PM EDT
www.computer.org/election2021