Jothy Rosenberg is a serial entrepreneur, founding nine different startups since 1988, two of which sold for over $100M. Currently, he’s the Founder & CEO of Dover Microsystems, the first oversight system company. Earlier in his career, Jothy ran Borland’s Languages division where he managed languages like Delphi, C++, and JBuilder. He earned his BA in Mathematics from Kalamazoo College and his Ph.D. in Computer Science from Duke University (where he started his career as a professor of Computer Science).
Jothy has written three technical books, but his pride and joy is his memoir, Who Says I Can’t; it tells his inspiring story of using extreme sports to regain self-esteem after losing one of his legs and a lung to cancer, as a teenager. Bearing the same name as his memoir, Jothy founded and runs The Who Says I Can’t Foundation, a non-profit organization with a mission to help disabled individuals get back into sports. He also created and hosted the Who Says I Can’t TV series on YouTube and is TEDx speaker.
What’s the backstory behind Dover Microsystems?
While Dover Microsystems may have been founded in 2017, the core components of our CoreGuard® technology have been in development since 2010. CoreGuard started as a DARPA CRASH program proposal, submitted by Dover’s Chief Scientist, Greg Sullivan, who became the Principal Investigator, assisted by me.
This CRASH program was created in direct response to the infamous Stuxnet attack—the first cyberattack to prove you could create something in the digital world and use it to cause physical destruction, half a world away. Dover was the largest component of DARPA’s CRASH program, being awarded $25M of the total $100M amount.
With the funds we won from that program, we were able to turn our proposal into a reality over the next five years. After that, we searched for a place to incubate this basic research and turn it into a viable company. This landed us at Draper, a nonprofit engineering services company, before ultimately spinning out in 2017.
What problem is Dover Microsystems addressing?
There are two critical problems that Dover is addressing. The first issue was created back in 1945—the Von Neumann architecture. Processors are still based on this architecture, today, and it’s designed to simply execute instructions as quickly as possible. But, it has no way to determine whether an instruction is good or bad.
The second problem was identified fifty years later by Steve McConnell in his book Code Complete, and it only exacerbates the issue of the Von Neumann architecture. McConnell found that all complex software inevitably contains bugs. He found on average there are 15-50 bugs per 1,000 lines of source code, and according to the FBI approximately 2% of those bugs are exploitable. That means, in a Ford F150 truck, which contains 150 million lines of code, there are potentially 45,000 different ways to take over the vehicle or steal private data.
Historically, companies have relied on building defensive software around networks and applications to protect embedded systems. However, this “solution” isn’t a solution at all. Rather than securing the system, this approach can potentially increase a system’s vulnerability by adding yet another layer of inherently flawed software.
The cybersecurity problem needs to be addressed at the root cause: the attacker’s ability to take over the processor in the first place. Dover’s CoreGuard IP is hardwired directly into the silicon, next to the host processor. It acts as an oversight system, monitoring every instruction, at every layer of the software stack, to ensure it complies with a set of security, safety, and privacy rules. These rules are designed to prevent the exploitation of entire classes of software vulnerabilities. Thus, with CoreGuard, processors can determine whether an instruction is good or bad, and they are no longer vulnerable to 94% of network-based attacks due to the inherently flawed software they run.
Cybersecurity is arguably an oversaturated market. What sets Dover apart?
Two things. First, our solution is enforced in hardware (not software) enabling it to keep up with the host processor and preventing it from being compromised over the network. Second, we focus on protecting against the exploitation of entire classes of software vulnerabilities, not just specific vulnerabilities. Let’s take buffer overflows as an example—there are over 24,000 individual buffer overflow vulnerabilities recorded in MITRE’s CVE database and new ones are being discovered every day. In fact, the recent zero-day bug for which Apple had to issue a security patch was a buffer overflow vulnerability in their OS. CoreGuard protects against all buffer overflows, including zero-days. That means if the buffer overflow was discovered yesterday, today, or ten years from now, CoreGuard would stop it, no patches or updates necessary.
What kind of cyberattack trends are you seeing? What should we be worried about?
We’re seeing an uptick in attacks on critical infrastructure, like the attack on the water treatment facility in Florida and the Colonial pipeline attack from earlier this year. Obviously, this is really concerning from a health and safety standpoint. Similarly, we need to be concerned about AI and machine learning. Increasingly, AI and ML capabilities are being adopted into our embedded systems, which offers a lot of incredible benefits. However, it also comes with potentially dangerous consequences. Late last year, we hosted a webinar and published a white paper on this topic, highlighting the biggest threats to AI & ML systems and how CoreGuard can help protect against them.
What applications are the best fit for your technology?
Of course, we believe every embedded system can benefit from CoreGuard’s level of protection—from the IoT to medical devices to fintech to aerospace and defense. And from a technical standpoint, CoreGuard is compatible with any RISC-based processor, including Arm, MIPs, ARC, Tensilica, and RISC-V.
In terms of specific applications, we’ve seen particular interest from the Industrial IoT market, where embedded systems operate side-by-side with people on a factory floor, and a successful cyberattack could be life-threatening. We’ve also seen a lot of interest in automotive functional safety, as well as military and defense applications. In fact, we just recently won a contract to work with the Air Force Nuclear Weapons Center to provide hardware-based enforcement of the correct operation of safety-critical systems. And of course, semiconductor manufacturers are very interested in our technology, with NXP being our first publicly announced customer.
Where can someone go to learn more about CoreGuard?
You can always visit our website to learn more about CoreGuard. We also update our blog frequently and post about things like recent cyberattacks and trends we see in cybersecurity. If you’d like to see CoreGuard in action, you can also request a live demo.
Also Read:Share this post via: