As 5G and IoT proliferation sweep across the planet, businesses and consumers are benefiting greatly from increased connectivity. However, this connectivity is also introducing greater risks and security concerns than ever before. As the Military and civilian technological systems, from fighter aircraft to networked household appliances, are becoming ever more dependent upon software systems, they are also becoming more vulnerable to hackers and electronic intruders. Electronic system security has become an increasingly critical area of concern for the DoD and the broader U.S. population. Attacks might include exploitable software bugs, the most common vulnerability, or hardware leaks, physical attacks, logical attacks, and remote and localized attacks.
Current efforts to provide electronic security largely rely on robust software development and integration. Software security development environments, methodologies, and verification have been extensively analyzed and documented; however, current security measures remain inadequate. The threats from compromised hardware or supply chains have also become prominent.
Thanks to Moore’s Law, the number of transistors in our computing devices has doubled every two years, driving continued growth in computer speed and capability. Conversely, Wirth’s Law indicates that software is slowing more rapidly than hardware is advancing. The net result is that both hardware and software are becoming more complex. With this complexity, the number of discovered software vulnerabilities is increasing every year; there were over 17,000 vulnerabilities reported last year alone.
Newly identified vulnerabilities such as Spectre, Meltdown, Foreshadow and Spoiler have shown that problems such as side-channel attacks also exist in hardware designs and that there are likely many more vulnerabilities in current solutions from hardware vendors.
In March 2020, MITRE released version 4.0 of its Common Weakness Enumerations (CWE) list, which catalogues weaknesses in computer systems. For the first time, it included categories of hardware vulnerabilities. Among them are: Rowhammer; Meltdown/Spectre; CacheOut; and LVI, which are becoming more prevalent. In fact, a reported 70 percent of cyber-attacks are the result of memory safety issues [pdf] such as buffer overflow attacks—a category of software exploit that takes advantage of hardware’s inherent “gullibility.
Nowadays, embedded computers use multiple pieces of free software or open source utilities that are maintained and updated by the open source community. Conversely, many such computers—with applications in sectors such as Industry 4.0, medical, and automotive—are rarely if ever provided with updated software. They just continue to run old versions with known vulnerabilities. Even though they may use open source components, this slow update cycle is due to devices needing to be requalified to make sure that any updates to the kernel or drivers do not break the system.
Earlier, an internal report of J-2 intelligence directorate pointed to the risks from Lenovo computers and handheld devices that could introduce compromised hardware into the Defense Department supply chain, posing cyber espionage risks. One official said Lenovo equipment in the past was detected as “beaconing”—covertly communicating with remote users in the course of cyber intelligence-gathering. About 27 percent of Lenovo Group Ltd. is owned by the Chinese Academy of Science, a government research institute.
The military is high on the list for most nation-states, compromising another nation’s military through cyber actions that often cannot be traced back to the attacker. Financial institutions also are at the top of the list, as are industrial-control systems for water and power networks, because a successful cyber-attack there could have a devastating real-world impact.
In 2017, DARPA launched the SSITH program to create novel hardware defenses that can thwart the most common software exploitations of hardware vulnerabilities. DARPA launched Security Integrated Through Hardware and firmware (SSITH) program with aim to develop hardware design tools that provide security against hardware vulnerabilities that are exploited through software in DoD and commercial electronic systems.
Present responses to hardware vulnerability attacks typically consist of developing and deploying patches to the software firewall without addressing the underlying hardware vulnerability. As a result, while a specific attack or vulnerability instance is defeated, creative programmers can develop new methods to exploit software access to the remaining hardware vulnerability and a continuous cycle of exploitation, patching, and subsequent exploitation ensues. Software patches can never ensure complete security if there is hardware vulnerability. A new approach is necessary to break this cycle of hardware vulnerability exploitation.
“Security for electronic systems has been left up to software until now, but the overall confidence in this approach is summed up in the sardonic description of this standard practice as ‘patch and pray,’” said SSITH program manager Linton Salmon of the Agency’s Microsystems Technology Office. “This race against ever more clever cyber intruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software.
SSITH is developing hardware security architectures to protect systems against entire classes of the hardware vulnerabilities that these software exploits attack.
IDST Monthly Access Membership Required
You must be a IDST Monthly Access member to access this content.
Already a member? Log in here
IDST Monthly Access Membership Required
You must be a IDST Monthly Access member to access this content.