Computer systems have never been more advanced and complex than they are today. Likewise, the level of sophistication and prevalence we are seeing in modern cyberattacks is growing at an astonishing rate. Hackers are changing their focus as well. While the industry has worked diligently to harden the software layer over the years, hackers have begun shifting their focus to the hardware layer.
In fact, industry and academic research have demonstrated advanced methods, that are constantly being improved, to infiltrate systems through hardware — sometimes through hybrid hardware-software vulnerabilities. Hackers are operating at a major advantage by leveraging various learnings and techniques available in the public domain.
On the other hand, the odds do not seem to favor the hardware designers. The industry has lacked the same level of common taxonomy and shared classification for hardware weaknesses that have been well established for software over the past two decades. As a result, hardware designers are handicapped by the availability of shared knowledge and resources while they attempt to improve the resilience of their products against relevant attacks.
Common Weakness Scoring System (CWSS) (Source: Mitre)
For years, Mitre’s community-developed Common Weakness Enumeration (CWE) system, and Common Vulnerabilities and Exposures (CVE) system have served as leading resources for tracking software weaknesses by category and known vulnerability instances. Software architects and developers use these tools to help ensure that they avoid building security issues into their software products, while researchers and vendors seek to detect and append newfound vulnerabilities to build an ever-growing collective reference for rooting out software security issues.
As hackers continue to double down on hardware, the industry must develop the same type of expansive resources for cataloging and tracking hardware design weaknesses to help practitioners address important security questions, including:
- Where are the relevant hardware entry points in my design?
- What is the common set of weaknesses that designers need to pay close attention to?
- Which physical device properties are most affected when temperature, voltage, or current go out of the operating range? How would they be abused by hackers to undermine the security robustness of my design?
- What are the consequences of a successful attack to the hardware device, the software stack running on top, as well as the overall integrated system?
- What are some of the recent examples of the issue?
- How can a vulnerability be detected early on in the product development life cycle by validation teams to minimize the remediation cost?
- What are the range of mitigation options available? What are the trade-offs between their cost versus their effectiveness?
The industry needs standardized, open access to this level of insight into common hardware security issues. We need a common language that can be used by researchers and vendors to share key learnings and best practices with one another effectively.
The good news is that we are now one step closer to the holy grail. Since last summer, Intel and Mitre have partnered up and worked tirelessly to introduce the much-anticipated framework. In February 2020, Mitre announced the release of the CWE version 4.0 that expanded the existing software-oriented offering to include the hardware counterpart. According to Mitre’s initial announcement, this update is intended to “assist hardware designers to better understand potential mistakes that can be made in specific areas of their IP design, as well as assist educators [to] teach future professionals about the types of mistakes that are commonly made in hardware design.”
The new CWE Hardware Design View already includes 30 hardware issues that are often overlooked by hardware designers. These issues are grouped under high-level categories such as Manufacturing and Life Cycle Management Concerns, Security Flow Issues, Privilege Separation and Access Control Issues, General Circuit and Logic Design Concerns, Core and Compute Issues, Memory and Storage Issues, Security Primitives and Cryptography Issues, and many more.
This recent development is a major step in the right direction, but there is still much work to be done. The collection is expected to evolve over time as community contributions introduce more entries and examples. The research community, as well as parties across the broader industry, academia, and government must come together to participate and contribute to continue building out this standardized, cumulative hardware CWE. And there is plenty of motivation to do so, with so many far-reaching benefits that could come from these efforts.
A robust hardware CWE will allow architects to learn and deploy effective mitigations in their products to prevent attacks launched by hackers from various entry points. Designers will stay current on the secure-by-design best practices and avoid common hardware security pitfalls when creating new products. Verification engineers will be much more familiar with the different types of hardware weaknesses and thus be more effective in eliminating vulnerabilities throughout the development process. Security researchers will be better equipped to pinpoint and resolve systemic hardware security issues and develop fixes that remove risk and stymie attackers. Researchers who are aspiring to break into the field can benefit from the resources and the common taxonomy to learn, collaborate, and exchange learnings with one another. The hardware industry can certainly benefit from a more diverse community, joined by bright minds from other research domains to help drive the current state-of-the-art to the next frontier. These are just a few of the many benefits we will see as the industry builds an open, cumulative hardware CWE framework.
For far too long, many have felt that identifying and categorizing hardware weaknesses, root causes, and mitigation strategies was an endless uphill battle. As hardware continues to be a major target for hackers moving forward, we must invest in the research, tooling, and resources needed to properly catalog and evaluate hardware weaknesses with the same urgency and scope we have for software threats. The new CWE 4.0 is a fantastic initial step upon which the industry can rally behind and build upon — enabling practitioners to speak the same language as they continue to improve the security robustness of hardware products that people around the world rely upon every day.
>> This article was originally published on our sister site, EE Times.
|Jason M. Fung is offensive security research manager for Intel.|