DARPA: Hack Our Hardware
DARPA is running a bug bounty aimed at further hardening new malware-proof architectures
Thanks to Moore’s Law, the number of transistors in our computing devices has doubled every two years, driving continued growth in computer speed and capability. Conversely, Wirth’s Law indicates that software is slowing more rapidly than hardware is advancing. The net result is that both hardware and software are becoming more complex. With this complexity, the number of discovered software vulnerabilities is increasing every year; there were over 17,000 vulnerabilities reported last year alone. We at DARPA’s System Security Integrated Through Hardware and firmware (SSITH) program argue that the solution lies not in software patches but in rethinking hardware architecture.
In March 2020, MITRE released version 4.0 of its Common Weakness Enumerations (CWE) list, which catalogues weaknesses in computer systems. For the first time, it included categories of hardware vulnerabilities. Among them are Rowhammer, Meltdown/Spectre, CacheOut, and LVI, which are becoming more prevalent. In fact, a reported 70 percent of cyber-attacks are the result of memory safety issues such as buffer overflow attacks, a category of software exploit that takes advantage of hardware’s inherent “gullibility.” These software exploitations of hardware vulnerabilities affect not only the computer systems we use at home, work, and in the cloud, but also the embedded computers we are becoming increasingly reliant on within Internet-of-Things (IoT) devices.
As 5G and IoT proliferation sweeps across the planet, businesses and consumers are benefiting greatly from increased connectivity. However, this connectivity is also introducing greater risks and security concerns than ever before. Gartner forecasts that there will be 5.81 billion IoT endpoints this year, and IDC estimates the number of IoT devices will grow to 41.6 billion in 2025. Despite these staggering statistics, IoT is still in its infancy. I liken it to the Wild West, where companies come and go, regulations and standards are undefined, and security is often an afterthought. This lawlessness can have significant consequences, as we saw in 2016 when the Mirai botnet attacked the domain registration service provider Dyn. The attack exploited IoT devices like home routers, security cameras, and air quality monitors to perform a denial-of-service attack that prevented users from accessing major internet platforms and services in the United States and Europe.
Today, the security research community is able to identify many of these cyberattacks quickly, and solutions are distributed to patch the exploited software. These solutions are applied the same way a doctor prescribes medicine to treat a disease. As new diseases are discovered, new medicines must be developed and dispensed. Security researchers are similarly developing new software patches to address newly discovered vulnerabilities. We call this the “patch and pray” mentality.
Every time a new software vulnerability that exploits hardware is identified, a new software patch is issued. However, these patches only address the software layer and do not actually “treat” the underlying problem in the hardware, leaving it open to the creation of new exploits. In the medical field, this type of treatment regime is expensive and doesn’t cure the disease. In recent years, physicians have been advocating preventive medicine to treat the root causes of chronic diseases. Similarly, we need to adapt and find a better way to protect our computer systems.
Nowadays, embedded computers use multiple pieces of free software or open source utilities that are maintained and updated by the open source community. Conversely, many such computers—with applications in sectors such as Industry 4.0, medical, and automotive—are rarely if ever provided with updated software. They just continue to run old versions with known vulnerabilities. Even though they may use open source components, this slow update cycle is due to devices needing to be requalified to make sure that any updates to the kernel or drivers do not break the system.
Requalifying a device is expensive and even more costly when a new version of an operating system is involved. Often this is not even possible, since many companies outsource part or all of the development of their underlying hardware and software platforms in the form of licensed intellectual property (IP). These third-party components are usually licensed for a prebuilt function or as binary blobs and black boxes. The original equipment manufacturer (OEM) cannot modify these proprietary software components without additional licenses.
The net result is that individual third-party IP components are often not updated and only support certain versions of an operating system and software stack, further preventing the device that uses them from being updated. Additionally, the cost of supporting hardware devices is so large that many companies outsource technical support and device management to third-party companies who were not involved with the original development. This provides another barrier to updates; bugs can go unnoticed or unreported back to the development team. It’s also possible that the original team might no longer exist or might have moved on to its next project.
Because of these issues, protection from malware often requires a hardware upgrade. Take, for example, the cell phone market. Updates are often slow or nonexistent if you are not using one of the major brands. The market leaders are able to provide updates because they have tight control of their supply chains and enjoy sales volume sufficient to recoup their costs. Even then, they keep this up for only a few years before the consumer is forced to upgrade. In between these hardware updates, software updates are employed in the form of the “patch and pray” approach.