Security has been a domain blessed with an abundance of methods to improve in various ways, not so much in methods to measure the effectiveness of those improvements. With the best will in the world, absent an agreed security measurement, all those improvement techniques still add up to “trust me, our baby monitor camera is really secure.” Software security has made some progress on this front, as we’ll see. Hardware not so much. That’s a problem. Where’s the UL seal of security approval or something of that nature?
Now there’s hope that will change. The MITRE Corporation has released its first documented taxonomy for Common Weakness Enumeration (CWE) in hardware design.
A little background first. MITRE is a not-for-profit organization charged with managing federally funded R&D centers supporting a number of government agencies. Among its well-known contributions is the development and maintenance of the Common Vulnerabilities and Exposures (CVE) list, which documents known cybersecurity vulnerabilities. For example, the recent Meltdown attack has CVE-2017-5754 and Spectre has CVE-2017-5753 and CVE-2017-5715.
MITRE also maintains a related CWE list, which until recently only concerned itself with software weaknesses. For example, you can find buffer overflow weaknesses in this list. The software CWE is very well developed at this point, so much so that there are now over 100 products (including Synopsys’ Coverity) which analyze software for CWE weaknesses.
Intel has a very sophisticated security team (the company is a very big target for attacks) and has been working with MITRE for a while now to develop an equivalent weaknesses list for hardware design. Tortuga Logic has worked with Intel and was invited to contribute weaknesses it had found using its Radix software. So now what you’ll find in this starting list is a combination of Intel wisdom on what they know to be common weaknesses, plus Tortuga Logic wisdom on additional weaknesses they have found.
That’s a pretty darn impressive accomplishment for Tortuga Logic. This CWE list for hardware is likely to follow the same path as the list for software, becoming a definitive standard for best practices in hardware design for security. Even more important, Tortuga Logic Radix-* software is already set up to find many or most of these weaknesses.
Where will this lead over time? First, just as for software CWE, we should expect the list to grow over time. MITRE has a formal process to review and approve new submissions. I don’t imagine designers will want to check through each weakness one at a time in a security signoff (there are already ~840 weaknesses documented). Hardware security tools will be essential.
Second, where is this going in terms of enforcement versus de facto adoption? Jason Oberg (CEO of Tortuga Logic) doesn’t yet see any kind of enforcement, though I suspect government agencies and particularly the DoD will expect vendors to demonstrate they are clean.
Along those lines it is worth noting that the National Institute of Standards and Technology (NIST) has adopted CWE in their cybersecurity framework. It’s perhaps too early to talk about that also including the just-released hardware component, but it’s difficult to see why it wouldn’t ultimately be incorporated.
So unless you are going to ignore government business or build separate hardware for the government, get ready to have to prove CWE compliance at some point. And when the commercial industry is looking around for a security standard on which to hang its hat, I would guess the MITRE CWE will look like a pretty good place to start.