Why Do We Need a Standardized Framework to Enumerate Hardware Security Weaknesses?
July 29, 2020

Jason M. Fung
Intel Corporation

Recent studies suggest that 90% of the world's digital data were generated over the last two years alone. As the global community continues to create more and more data, securing them from the reach of unauthorized users continues to be a major challenge. Hardware-based security is widely recognized as a best practice for protecting the confidentiality, integrity and availability of data such as financial transactions, medical records and personal information.

At the same time, today's vulnerability research and attack methods are also becoming more sophisticated, often penetrating past the software layers and compromising the underlying hardware. When not implemented or verified properly, hardware-based security can have its own set of challenges. It is evident that the industry needs a comprehensive understanding of the common hardware security weaknesses and the corresponding secure-by-design best practices, so as to help protect sensitive data that users generate and consume each day.

A key resource for tracking software vulnerabilities today exists in MITRE's Common Weakness Enumeration (CWE) system, which is complemented by the Common Vulnerabilities and Exposures (CVE) system. A simple way to differentiate the two is that CWE includes a taxonomy of common security weakness types and provides different views for a user to traverse different categorical buckets. Whereas the CVE maintains a collection of specific vulnerability instances that have already been found and reported publicly. CWE groups similar CVEs together to facilitate research and analysis.

Essentially, the two systems work hand-in-hand to provide the ultimate vulnerability reference guide. These resources aim to educate architects and developers to identify potential mistakes when designing and developing software products. At the same time, they enable security researchers and tool vendors to pinpoint current gaps, so better tools and methodologies can be offered to automate the detection of common software security issues. But what about hardware vulnerabilities?

Until recently, we have not had any kind of industry-scale, standardized catalogue that captures known hardware security weaknesses in one place. If we expect hardware vendors and their partners to collectively deliver robust security solutions, we need an up-to-date primer where hardware designers can stay current with time-tested best practices and avoid common security pitfalls. Without a common language, it becomes challenging for researchers and practitioners to contribute learnings, exchange information, and share techniques with one another.

As with any broad technological hurdle, it will take the industry working together to drive technological advancements that leapfrog hardware security assurance. Industry leaders have been collaborating with leading standards bodies to develop innovative capabilities and trusted foundations that can be leveraged by the industry. These efforts are gaining momentum.

In fact, a recent example is industry collaboration with MITRE on its brand new Hardware Design View that complements the existing software-oriented security weakness taxonomy with a hardware-oriented counterpart. With the most recent CWE 4.1 release, users are now exposed to almost 60 hardware weaknesses that are commonly overlooked by hardware designers, along with useful information that helps to identify and mitigate these weaknesses.

These are great first steps, but the journey is far from over. "It takes a village to raise a child." Likewise, it takes a community to develop an industry-scale resource. The research community and ecosystem partners across the industry, academia and government must join hands to contribute and build out this new resource. Keeping it comprehensive and up to date will be key to enabling this cumulative, standardized Hardware CWE to offer its many great benefits.

Product Architects and Hardware Designers will gain a deeper understanding of the common security pitfalls, allowing them to avoid making similar mistakes when creating solutions. Verification Engineers will be more fluent in common security mistakes and how they can be effectively detected at various stages of the product development lifecycle. This will enable them to devise proper verification plan and test strategies for improving the security robustness of products.

Additionally, Security Architects will focus their energy more efficiently on systemic issues and work to identify effective mitigations that help eliminate risks or make exploitation much more difficult for attackers.

An established, growing Hardware CWE will also allow Electronic Design Automation (EDA) Vendors to prioritize and expand their tool features and offerings, which will better enable hardware designers to avoid the introduction of common vulnerabilities. In addition, the comprehensive primer will provide data and insights for constructing proper benchmarks that enable Enterprises to objectively compare the capabilities of different EDA tool options, allowing them to identify the right ones that meet their specific needs.

Furthermore, Educators will draw learnings from the latest collection of common hardware weaknesses to develop training materials and secure-by-design best practices that focus on the most relevant areas of concern, so university curriculum and corporate trainings can help audiences gain the critical skills they need.

And finally, a more established public database of hardware issues will help Security Researchers to leverage a common taxonomy to communicate without ambiguities, facilitating learning exchange, systematic study and collaboration, while making the field more accessible for aspiring researchers.

Today, categorizing hardware vulnerabilities, understanding their root causes, and deriving mitigation strategies can feel like an endless battle. Creating a common taxonomy for discussing, documenting and sharing hardware security weaknesses has become paramount. As hardware vulnerabilities continue to get more complex and challenging to address, we must continue to invest in the research, tooling and resources needed to properly catalog and evaluate hardware vulnerabilities with the same urgency and scope we do for software threats.

MITRE's new Hardware CWE is a fantastic initial step upon which security researchers and the broader industry can build to enable practitioners to speak in the same language as they strive to deliver hardware solutions that are safe and secure for people to entrust with their data.

Jason M. Fung is Offensive Security Research Manager at Intel Corporation
Share this

Industry News

October 20, 2021

SonarSource added over 5,000 customers in the last 12 months, reaching the 15,000 commercial customers milestone in record time.

October 20, 2021

Actian announced the general availability of its newly released DataConnect 12 integration platform, demonstrating a continued focus on ease of use for complex data integration and data quality.

October 20, 2021

Salt Security announced new capabilities in its next-generation Salt Security API Protection Platform to secure GraphQL APIs.

October 20, 2021

vFunction announces the availability of the vFunction Application Transformation Engine and the expanded vFunction Modernization Platform, with new, advanced capabilities that enable enterprises to automatically assess, analyze, and manage the full modernization and migration process from start to finish.

October 20, 2021

Mage raised a $6.3 million seed round led by Gradient Ventures.

October 19, 2021

Couchbase announced its Couchbase Capella hosted Database-as-a-Service (DBaaS) offering on Amazon Web Services (AWS).

October 19, 2021

Checkmarx announced the launch of the Checkmarx Application Security Platform to help CISOs, AppSec teams, and developers address the growing and dynamic security challenges they face.

October 19, 2021

Tasktop announced Affinity Modeling for model-based integration in Tasktop Hub, helping Agile and DevOps software delivery teams reduce time to market and develop software faster.

October 19, 2021

Morpheus Data is continuing released version 5.3.3 targeted at enterprises trying to manage a complex mix of VMware, Kubernetes, and Public Cloud services.

October 19, 2021

Okta announced the availability of Okta Workflows as a standalone offering for all customers.

October 18, 2021

Red Hat announced a series of updates in its portfolio of developer tools and programs aimed at delivering greater productivity, security and scale for developers building applications on Red Hat OpenShift.

October 18, 2021

Pulumi released a public Registry that enables developers and infrastructure teams to apply “share and reuse” software principles to the modern cloud.

October 18, 2021

Fugue announced support for Kubernetes security prior to deployment.

October 18, 2021

Sysdig announced the addition of cloud security monitoring functionality to the Falco open source software project.

October 14, 2021

Red Hat announced the general availability of Red Hat OpenStack Platform 16.2, the latest version of its highly-scalable and agile cloud Infrastructure-as-a-Service (IaaS) platform.