The professionals who work to uncover security vulnerabilities in hardware must find a “common language” for categorizing them in order to make important strides in securing those systems, according to chipmaking giant Intel Corp.
Hardware researchers “do not have the same standard taxonomy that would enable them to share information and techniques with one another,” Intel researchers Jason Fung, Arun Kanuparthi and Hareesh Khattri argued in an op-ed published this week on Help Net Security, an information security website.
“If we expect hardware vendors and their partners to collectively deliver more secure solutions, we must have a common language for discussing hardware security vulnerabilities,” Fung, Kanuparthi and Khattri wrote.
At issue is the Common Weakness Enumeration (CWE) system, a list that is used as a yardstick on which to map Common Vulnerabilities and Exposures (CVE). CVEs are more familiar to security researchers as signposts for potential threats, and they’re a notch in the belt to those who discover them. Both programs are run by the federally-funded, not-for-profit MITRE Corp.
The CWE only covers software, though, so the Intel researchers argue that the list should be expanded to include the potential consequences of hardware weaknesses and the methods that organizations can use to detect such vulnerabilities.
The Intel proposal is essentially an outgrowth of efforts that took root in January 2018, when researchers revealed Spectre and Meltdown, two vulnerabilities that affected virtually all modern computer chips. As a result, there are more concerted efforts to improve the hardware vulnerability disclosure process and more specialists actually hunting for hardware-related flaws.
There are also “hardware-centric weakness” involving the physical properties of hardware devices — things like temperature and voltage — that the CWE ignores, the researchers said. (Last month brought a reminder of that when researchers revealed that hackers could subvert the security of an Intel chip by altering the its power supply).
Art Manion, an expert on vulnerability disclosure employed by the Computer Emergency Response Team program at Carnegie Mellon University’s Software Engineering Institute, said the proposal to expand the CWE model to cover hardware issues makes sense.
“Perhaps CWE would expand its scope beyond software, and hardware weaknesses could become a slice of CWE?” Manion told CyberScoop in an email.
Manion pointed out that what some people refer to as pure “hardware” vulnerabilities are actually issues with firmware, or code embedded on a device.
“CVE can be [and has been] used to identify hardware vulnerabilities,” he said, pointing out that many of the vulnerabilities involving Meltdown and Spectre have CVE numbers. “So there shouldn’t be any changes necessary to CVE to support hardware vulnerabilities.”
Joe FitzPatrick, an instructor and researcher at SecuringHardware.com, a training site, said that the Common Vulnerability Scoring System (CVSS), which is used to score the severity of tech flaws, could also be improved by considering the varying impact of physical access for different devices.
A hacker could, for example, create very different effects with physical access to a hardware security module, which performs key cryptographic operations, compared to a run-of-the-mill IoT device, he said.
“Hardware threats are underrated because the CVSS doesn’t consider that different hardware has different protection expectations,” he added.