Why Do We Need a Standardized Framework to Enumerate Hardware Security Weaknesses?
July 29, 2020

Jason M. Fung
Intel Corporation

Recent studies suggest that 90% of the world's digital data were generated over the last two years alone. As the global community continues to create more and more data, securing them from the reach of unauthorized users continues to be a major challenge. Hardware-based security is widely recognized as a best practice for protecting the confidentiality, integrity and availability of data such as financial transactions, medical records and personal information.

At the same time, today's vulnerability research and attack methods are also becoming more sophisticated, often penetrating past the software layers and compromising the underlying hardware. When not implemented or verified properly, hardware-based security can have its own set of challenges. It is evident that the industry needs a comprehensive understanding of the common hardware security weaknesses and the corresponding secure-by-design best practices, so as to help protect sensitive data that users generate and consume each day.

A key resource for tracking software vulnerabilities today exists in MITRE's Common Weakness Enumeration (CWE) system, which is complemented by the Common Vulnerabilities and Exposures (CVE) system. A simple way to differentiate the two is that CWE includes a taxonomy of common security weakness types and provides different views for a user to traverse different categorical buckets. Whereas the CVE maintains a collection of specific vulnerability instances that have already been found and reported publicly. CWE groups similar CVEs together to facilitate research and analysis.

Essentially, the two systems work hand-in-hand to provide the ultimate vulnerability reference guide. These resources aim to educate architects and developers to identify potential mistakes when designing and developing software products. At the same time, they enable security researchers and tool vendors to pinpoint current gaps, so better tools and methodologies can be offered to automate the detection of common software security issues. But what about hardware vulnerabilities?

Until recently, we have not had any kind of industry-scale, standardized catalogue that captures known hardware security weaknesses in one place. If we expect hardware vendors and their partners to collectively deliver robust security solutions, we need an up-to-date primer where hardware designers can stay current with time-tested best practices and avoid common security pitfalls. Without a common language, it becomes challenging for researchers and practitioners to contribute learnings, exchange information, and share techniques with one another.

As with any broad technological hurdle, it will take the industry working together to drive technological advancements that leapfrog hardware security assurance. Industry leaders have been collaborating with leading standards bodies to develop innovative capabilities and trusted foundations that can be leveraged by the industry. These efforts are gaining momentum.

In fact, a recent example is industry collaboration with MITRE on its brand new Hardware Design View that complements the existing software-oriented security weakness taxonomy with a hardware-oriented counterpart. With the most recent CWE 4.1 release, users are now exposed to almost 60 hardware weaknesses that are commonly overlooked by hardware designers, along with useful information that helps to identify and mitigate these weaknesses.

These are great first steps, but the journey is far from over. "It takes a village to raise a child." Likewise, it takes a community to develop an industry-scale resource. The research community and ecosystem partners across the industry, academia and government must join hands to contribute and build out this new resource. Keeping it comprehensive and up to date will be key to enabling this cumulative, standardized Hardware CWE to offer its many great benefits.

Product Architects and Hardware Designers will gain a deeper understanding of the common security pitfalls, allowing them to avoid making similar mistakes when creating solutions. Verification Engineers will be more fluent in common security mistakes and how they can be effectively detected at various stages of the product development lifecycle. This will enable them to devise proper verification plan and test strategies for improving the security robustness of products.

Additionally, Security Architects will focus their energy more efficiently on systemic issues and work to identify effective mitigations that help eliminate risks or make exploitation much more difficult for attackers.

An established, growing Hardware CWE will also allow Electronic Design Automation (EDA) Vendors to prioritize and expand their tool features and offerings, which will better enable hardware designers to avoid the introduction of common vulnerabilities. In addition, the comprehensive primer will provide data and insights for constructing proper benchmarks that enable Enterprises to objectively compare the capabilities of different EDA tool options, allowing them to identify the right ones that meet their specific needs.

Furthermore, Educators will draw learnings from the latest collection of common hardware weaknesses to develop training materials and secure-by-design best practices that focus on the most relevant areas of concern, so university curriculum and corporate trainings can help audiences gain the critical skills they need.

And finally, a more established public database of hardware issues will help Security Researchers to leverage a common taxonomy to communicate without ambiguities, facilitating learning exchange, systematic study and collaboration, while making the field more accessible for aspiring researchers.

Today, categorizing hardware vulnerabilities, understanding their root causes, and deriving mitigation strategies can feel like an endless battle. Creating a common taxonomy for discussing, documenting and sharing hardware security weaknesses has become paramount. As hardware vulnerabilities continue to get more complex and challenging to address, we must continue to invest in the research, tooling and resources needed to properly catalog and evaluate hardware vulnerabilities with the same urgency and scope we do for software threats.

MITRE's new Hardware CWE is a fantastic initial step upon which security researchers and the broader industry can build to enable practitioners to speak in the same language as they strive to deliver hardware solutions that are safe and secure for people to entrust with their data.

Jason M. Fung is Offensive Security Research Manager at Intel Corporation
Share this

Industry News

January 14, 2021

Oracle is making its popular APEX low-code development platform available as a managed cloud service that developers can use to build data-driven enterprise applications quickly and easily.

January 14, 2021

Parasoft announced its C/C++test update to support IAR Systems' build tools for Linux for Arm.

January 14, 2021

Harness raised $115 million in financing, reaching a valuation of $1.7 billion in just three years after launching from stealth.

January 13, 2021

Slim.ai launched with its cloud-based DevOps automation platform built specifically for software developers.

January 13, 2021

WhiteSource announced new WhiteSource Advise support for JetBrains' PyCharm and WebStorm integrated development environments (IDEs).

January 12, 2021

Red Hat has added new features to Red Hat Runtimes.

January 11, 2021

KubeSphere announced its expanded relationship with AWS to offer KubeSphere as an AWS Quick Start.

January 07, 2021

Red Hat announced its intent to acquire StackRox

January 07, 2021

Cigniti Technologies announced a partnership with Sonatype to help enterprise customers innovate faster and easily mitigate security risk inherent in open source.

January 07, 2021

Lacework announced a $525 million growth round with a valuation of over $1 billion.

January 06, 2021

BMC announced several new capabilities and enhancements for the BMC Automated Mainframe Intelligence (AMI) and Compuware portfolios that enable BMC mainframe customers to protect uptime and availability, defend the mainframe against cybersecurity threats, and advance enterprise DevOps.

January 06, 2021

Sysdig has achieved Service Organization Control (SOC) 2 Type II compliance for the Sysdig Secure DevOps Platform.

January 05, 2021

Allegro AI announced a rebranding of its key product Allegro Trains as ClearML.

January 05, 2021

Acryl unveiled a pilot service for Jonathan, an integrated AI platform that can be used in a variety of industries with a spectrum of users from non-experts to professional developers.

January 05, 2021

Weaveworks announced a $36.65 million Series C funding round.