Why Do We Need a Standardized Framework to Enumerate Hardware Security Weaknesses?
July 29, 2020

Jason M. Fung
Intel Corporation

Recent studies suggest that 90% of the world's digital data were generated over the last two years alone. As the global community continues to create more and more data, securing them from the reach of unauthorized users continues to be a major challenge. Hardware-based security is widely recognized as a best practice for protecting the confidentiality, integrity and availability of data such as financial transactions, medical records and personal information.

At the same time, today's vulnerability research and attack methods are also becoming more sophisticated, often penetrating past the software layers and compromising the underlying hardware. When not implemented or verified properly, hardware-based security can have its own set of challenges. It is evident that the industry needs a comprehensive understanding of the common hardware security weaknesses and the corresponding secure-by-design best practices, so as to help protect sensitive data that users generate and consume each day.

A key resource for tracking software vulnerabilities today exists in MITRE's Common Weakness Enumeration (CWE) system, which is complemented by the Common Vulnerabilities and Exposures (CVE) system. A simple way to differentiate the two is that CWE includes a taxonomy of common security weakness types and provides different views for a user to traverse different categorical buckets. Whereas the CVE maintains a collection of specific vulnerability instances that have already been found and reported publicly. CWE groups similar CVEs together to facilitate research and analysis.

Essentially, the two systems work hand-in-hand to provide the ultimate vulnerability reference guide. These resources aim to educate architects and developers to identify potential mistakes when designing and developing software products. At the same time, they enable security researchers and tool vendors to pinpoint current gaps, so better tools and methodologies can be offered to automate the detection of common software security issues. But what about hardware vulnerabilities?

Until recently, we have not had any kind of industry-scale, standardized catalogue that captures known hardware security weaknesses in one place. If we expect hardware vendors and their partners to collectively deliver robust security solutions, we need an up-to-date primer where hardware designers can stay current with time-tested best practices and avoid common security pitfalls. Without a common language, it becomes challenging for researchers and practitioners to contribute learnings, exchange information, and share techniques with one another.

As with any broad technological hurdle, it will take the industry working together to drive technological advancements that leapfrog hardware security assurance. Industry leaders have been collaborating with leading standards bodies to develop innovative capabilities and trusted foundations that can be leveraged by the industry. These efforts are gaining momentum.

In fact, a recent example is industry collaboration with MITRE on its brand new Hardware Design View that complements the existing software-oriented security weakness taxonomy with a hardware-oriented counterpart. With the most recent CWE 4.1 release, users are now exposed to almost 60 hardware weaknesses that are commonly overlooked by hardware designers, along with useful information that helps to identify and mitigate these weaknesses.

These are great first steps, but the journey is far from over. "It takes a village to raise a child." Likewise, it takes a community to develop an industry-scale resource. The research community and ecosystem partners across the industry, academia and government must join hands to contribute and build out this new resource. Keeping it comprehensive and up to date will be key to enabling this cumulative, standardized Hardware CWE to offer its many great benefits.

Product Architects and Hardware Designers will gain a deeper understanding of the common security pitfalls, allowing them to avoid making similar mistakes when creating solutions. Verification Engineers will be more fluent in common security mistakes and how they can be effectively detected at various stages of the product development lifecycle. This will enable them to devise proper verification plan and test strategies for improving the security robustness of products.

Additionally, Security Architects will focus their energy more efficiently on systemic issues and work to identify effective mitigations that help eliminate risks or make exploitation much more difficult for attackers.

An established, growing Hardware CWE will also allow Electronic Design Automation (EDA) Vendors to prioritize and expand their tool features and offerings, which will better enable hardware designers to avoid the introduction of common vulnerabilities. In addition, the comprehensive primer will provide data and insights for constructing proper benchmarks that enable Enterprises to objectively compare the capabilities of different EDA tool options, allowing them to identify the right ones that meet their specific needs.

Furthermore, Educators will draw learnings from the latest collection of common hardware weaknesses to develop training materials and secure-by-design best practices that focus on the most relevant areas of concern, so university curriculum and corporate trainings can help audiences gain the critical skills they need.

And finally, a more established public database of hardware issues will help Security Researchers to leverage a common taxonomy to communicate without ambiguities, facilitating learning exchange, systematic study and collaboration, while making the field more accessible for aspiring researchers.

Today, categorizing hardware vulnerabilities, understanding their root causes, and deriving mitigation strategies can feel like an endless battle. Creating a common taxonomy for discussing, documenting and sharing hardware security weaknesses has become paramount. As hardware vulnerabilities continue to get more complex and challenging to address, we must continue to invest in the research, tooling and resources needed to properly catalog and evaluate hardware vulnerabilities with the same urgency and scope we do for software threats.

MITRE's new Hardware CWE is a fantastic initial step upon which security researchers and the broader industry can build to enable practitioners to speak in the same language as they strive to deliver hardware solutions that are safe and secure for people to entrust with their data.

Jason M. Fung is Offensive Security Research Manager at Intel Corporation
Share this

Industry News

June 29, 2022

Progress announced the latest release of Progress Flowmon.

June 29, 2022

CodeSee announced the launch of Open Source Hub (OSH).

June 29, 2022

Ambassador Labs announced the newest release of Ambassador Edge Stack, an integrated edge solution that empowers developer teams to quickly configure the edge services required to build, deliver, and scale applications for Kubernetes.

June 29, 2022

Ondat released into general availability version 2.8 of its Ondat platform for stateful workloads in Kubernetes.

June 28, 2022

Hewlett Packard Enterprise (HPE) unveiled platform enhancements and new cloud services for HPE GreenLake, the company’s flagship offering that enables organizations to modernize all their applications and data.

June 28, 2022

Sysdig announced Drift Control to prevent container attacks at runtime. Teams can detect, prevent, and speed incident response for containers that were modified in production, also known as container drift.

June 28, 2022

ShiftLeft announced an investment from and go-to-market partnership with Wipro Ventures.

June 27, 2022

Delinea announced the latest release of DevOps Secrets Vault.

June 27, 2022

Jit announced a $38.5 million seed funding round and launched a free beta version which automates product security.

June 27, 2022

Platform.sh raised $140 million in Series D funding.

June 23, 2022

Akana by Perforce now offers BlazeMeter to customers, previously a solution with Broadcom Layer7.

June 23, 2022

Coder announced the release of a new open source project that gives developers and data scientists a consistent, secure, yet flexible way to create cloud workspaces in minutes.

June 23, 2022

GitGuardian is announcing a series of new features to address developer experience in securing the software development lifecycle.

June 22, 2022

OctoML released a major platform expansion to accelerate the development of AI-powered applications by eliminating bottlenecks in machine learning deployment.

June 22, 2022

Snow Software announced new functionality and integrations for Snow Atlas, a purpose-built platform that provides a framework to accelerate data-driven technology decision-making.