Why Do We Need a Standardized Framework to Enumerate Hardware Security Weaknesses?
July 29, 2020

Jason M. Fung
Intel Corporation

Recent studies suggest that 90% of the world's digital data were generated over the last two years alone. As the global community continues to create more and more data, securing them from the reach of unauthorized users continues to be a major challenge. Hardware-based security is widely recognized as a best practice for protecting the confidentiality, integrity and availability of data such as financial transactions, medical records and personal information.

At the same time, today's vulnerability research and attack methods are also becoming more sophisticated, often penetrating past the software layers and compromising the underlying hardware. When not implemented or verified properly, hardware-based security can have its own set of challenges. It is evident that the industry needs a comprehensive understanding of the common hardware security weaknesses and the corresponding secure-by-design best practices, so as to help protect sensitive data that users generate and consume each day.

A key resource for tracking software vulnerabilities today exists in MITRE's Common Weakness Enumeration (CWE) system, which is complemented by the Common Vulnerabilities and Exposures (CVE) system. A simple way to differentiate the two is that CWE includes a taxonomy of common security weakness types and provides different views for a user to traverse different categorical buckets. Whereas the CVE maintains a collection of specific vulnerability instances that have already been found and reported publicly. CWE groups similar CVEs together to facilitate research and analysis.

Essentially, the two systems work hand-in-hand to provide the ultimate vulnerability reference guide. These resources aim to educate architects and developers to identify potential mistakes when designing and developing software products. At the same time, they enable security researchers and tool vendors to pinpoint current gaps, so better tools and methodologies can be offered to automate the detection of common software security issues. But what about hardware vulnerabilities?

Until recently, we have not had any kind of industry-scale, standardized catalogue that captures known hardware security weaknesses in one place. If we expect hardware vendors and their partners to collectively deliver robust security solutions, we need an up-to-date primer where hardware designers can stay current with time-tested best practices and avoid common security pitfalls. Without a common language, it becomes challenging for researchers and practitioners to contribute learnings, exchange information, and share techniques with one another.

As with any broad technological hurdle, it will take the industry working together to drive technological advancements that leapfrog hardware security assurance. Industry leaders have been collaborating with leading standards bodies to develop innovative capabilities and trusted foundations that can be leveraged by the industry. These efforts are gaining momentum.

In fact, a recent example is industry collaboration with MITRE on its brand new Hardware Design View that complements the existing software-oriented security weakness taxonomy with a hardware-oriented counterpart. With the most recent CWE 4.1 release, users are now exposed to almost 60 hardware weaknesses that are commonly overlooked by hardware designers, along with useful information that helps to identify and mitigate these weaknesses.

These are great first steps, but the journey is far from over. "It takes a village to raise a child." Likewise, it takes a community to develop an industry-scale resource. The research community and ecosystem partners across the industry, academia and government must join hands to contribute and build out this new resource. Keeping it comprehensive and up to date will be key to enabling this cumulative, standardized Hardware CWE to offer its many great benefits.

Product Architects and Hardware Designers will gain a deeper understanding of the common security pitfalls, allowing them to avoid making similar mistakes when creating solutions. Verification Engineers will be more fluent in common security mistakes and how they can be effectively detected at various stages of the product development lifecycle. This will enable them to devise proper verification plan and test strategies for improving the security robustness of products.

Additionally, Security Architects will focus their energy more efficiently on systemic issues and work to identify effective mitigations that help eliminate risks or make exploitation much more difficult for attackers.

An established, growing Hardware CWE will also allow Electronic Design Automation (EDA) Vendors to prioritize and expand their tool features and offerings, which will better enable hardware designers to avoid the introduction of common vulnerabilities. In addition, the comprehensive primer will provide data and insights for constructing proper benchmarks that enable Enterprises to objectively compare the capabilities of different EDA tool options, allowing them to identify the right ones that meet their specific needs.

Furthermore, Educators will draw learnings from the latest collection of common hardware weaknesses to develop training materials and secure-by-design best practices that focus on the most relevant areas of concern, so university curriculum and corporate trainings can help audiences gain the critical skills they need.

And finally, a more established public database of hardware issues will help Security Researchers to leverage a common taxonomy to communicate without ambiguities, facilitating learning exchange, systematic study and collaboration, while making the field more accessible for aspiring researchers.

Today, categorizing hardware vulnerabilities, understanding their root causes, and deriving mitigation strategies can feel like an endless battle. Creating a common taxonomy for discussing, documenting and sharing hardware security weaknesses has become paramount. As hardware vulnerabilities continue to get more complex and challenging to address, we must continue to invest in the research, tooling and resources needed to properly catalog and evaluate hardware vulnerabilities with the same urgency and scope we do for software threats.

MITRE's new Hardware CWE is a fantastic initial step upon which security researchers and the broader industry can build to enable practitioners to speak in the same language as they strive to deliver hardware solutions that are safe and secure for people to entrust with their data.

Jason M. Fung is Offensive Security Research Manager at Intel Corporation
Share this

Industry News

July 29, 2021

Couchbase announced the general availability of Couchbase Server 7.

July 29, 2021

Cycloid has unveiled Infra Import, a tool that automatically reverse engineers Terraform Infra-as-Code (IaC) from manually deployed infrastructure.

July 29, 2021

Launchable closed a $9.5 million Series A investment.

July 29, 2021

Rafay Systems announced automation and monitoring enhancements to its flagship Kubernetes Management Cloud (KMC).

July 28, 2021

Progress announced the R2 2021 release of Progress Telerik Test Studio, the enterprise UI test automation platform.

July 28, 2021

Synopsys announced the availability of new Rapid Scan capabilities within the company's Coverity static application security testing (SAST) and Black Duck software composition analysis (SCA) solutions.

July 28, 2021

Bitdefender announced GravityZone Security for Containers, expanding its cloud workload security (CWS) offering with run-time support for containers and Linux kernel independence.

July 28, 2021

Armory announced Armory Enterprise on AWS Quick Starts, automated reference deployments built by Amazon Web Services (AWS) solutions architects and AWS Partners.

July 27, 2021

Katalon introduced Katalon TestOps, an open and comprehensive test orchestration platform designed to help enterprises scale test automation and streamline DevOps pipelines.

July 27, 2021

Digital.ai achieved Federal Risk and Authorization Management Program (FedRAMP) “In Process” status for an Enterprise Agile Planning (EAP) tool.

July 27, 2021

Aqua Security rolls out the availability of its new Aqua Platform, with a unified console to ease the journey from scanning and visibility to workload protection in cloud native environments.

July 26, 2021

Parallel Agile announced a new version of CodeBot, a low-code MERN stack application generator.

July 26, 2021

Appian unveiled its new Appian Japan regional office.

July 26, 2021

CloudTruth raised $5.25 million in seed funding led by Glasswing Ventures and Gutbrain Ventures, with additional funding from Stage 1 Ventures and York IE.

July 22, 2021

Postman successfully obtained the System and Organization Controls (SOC) 2 Type 2 and SOC 3 Type 2 reports for the Postman API platform, meeting critical industry standards relative to the Trust Services Criteria for security, availability, and confidentiality.