
A Case for Establishing a Common Taxonomy for Hardware Security


Attacks on modern computer systems have become more pervasive and sophisticated. These attacks often progress past the software layer and compromise hardware. In response, the industry has been working to deliver micro-architectural improvements and implement hardware-based security, which is widely recognized as a best practice. However, hardware-based security has its own set of challenges when not designed, implemented or verified properly.

These sophisticated attacks have highlighted the need for a better, more in-depth understanding of a common taxonomy of hardware security vulnerabilities. Information is needed on how these vulnerabilities are introduced into products, how they can be exploited, and their associated risks. In addition, information on best practices to prevent and identify the vulnerabilities early in the product development lifecycle is urgently needed.

A key resource for tracking software vulnerabilities exists in MITRE’s Common Weakness Enumeration (CWE) system, which is complemented by the Common Vulnerabilities and Exposures (CVE) system. The two systems work hand-in-hand to provide architects, developers, security researchers, and tool vendors with the ultimate vulnerability reference guide.

However, it is felt that there is a need to enhance CWE to include relevant entry points, common consequences, examples, countermeasures, and detection methods from the hardware perspective. Furthermore, hardware-centric weaknesses that are related to the physical properties of hardware devices are yet to be categorized.

Due to these missing reference materials for hardware vulnerabilities in the CWE, researchers do not have the same standard taxonomy that would enable them to share information and techniques. Having a common language for discussing hardware security vulnerabilities will help hardware vendors and their partners to deliver more secure solutions.

A standardized hardware CWE will benefit the stakeholders in multiple ways. For instance, product architects and designers could gain a deeper understanding of the common hardware security pitfalls. This would allow them to avoid repeating mistakes when creating solutions.

As the industry moves forward to combat the latest threats, it is vital to invest in research, tooling and the proper resources to catalog and evaluate both software and hardware vulnerabilities. Therefore, it is important to create a common taxonomy for discussing, documenting and sharing hardware-based threats.

The original article was published in Help Net Security.
