SAN FRANCISCO--Modern computers and mobile devices consist mainly of flashy hardware packages with some not-so-flashy software running the show behind the scenes. But it’s that software that historically has gotten most of the attention from security researchers. That’s beginning to change, ever so slowly, and a team of researchers at the University of North Carolina is working to accelerate that shift.
Led by Cynthia Sturton, an assistant professor in the department of computer science, the UNC team has been looking at ways to use automation to not only find more hardware security flaws and develop exploits for them, but also to identify the security critical properties of a given hardware design. The group has developed a pair of tools specifically for these tasks and is releasing one of them in the hopes of spurring more interest in hardware security research.
"We are lagging behind in hardware security research. For the most part manual review is largely how security validation is done. We know hardware is large and complex and created by people writing thousands of lines of code and there are bugs in that code. Hardware security needs to catch up,” Sturton said during a talk at the USENIX Enigma conference here Monday.
The hardware research deficit is not an accident. There are plenty of good reasons for the disparity between the software and hardware branches of research, not the least of which is the fact that most people learn about computers initially through software. Software development and programming are also far more widely taught in high school and college than anything on the hardware side is, and software also is easier to mess with and analyze.
Hardware is hard. And manufacturers can make it even more difficult for researchers, with specifications and design documents that are hard to find and parse. But security vulnerabilities in hardware are neither rare nor new, and they can be more difficult to fix and more damaging than software bugs in some cases. The Spectre and Meltdown vulnerabilities in many processors are prime examples. The bugs are buried deep within the processors and while exploitation of these vulnerabilities is difficult, it’s not impossible, and the fixes for the bugs have been slow in coming. Researchers have continued to discover more variants of those side-channel attacks, too, and there probably are more coming.
Side-channel attacks are among the few classes of hardware-based vulnerabilities that are widely understood and researched. Sturton said there are many other common bug classes in hardware that need the same kind of attention that side-channel flaws have garnered recently.
“While Spectre and Meltdown made headlines, they’re not the only vulnerabilities in hardware designs,” she said.
Those bugs aren’t just in the hardware itself. They often exist first in the specifications written by the vendor, so Sturton and her team built a tool that digs through hardware specifications looking for security critical properties of the design. The specification miner is semi-automated and Sturton said it has broad application for researchers.
“The cool thing about this work is that we can take lessons we learned from one hardware design and apply them to other designs,” she said.
“While Spectre and Meltdown made headlines, they’re not the only vulnerabilities in hardware designs."
The second tool the UNC group developed has the ability to take a given hardware design, along with some security critical properties, as input and then not only find vulnerabilities, but also generate full exploits for them automatically. Called Coppelia, the tool is available on GitHub and uses a method called symbolic execution to find and trigger potential security issues.
“Within the software security community, symbolic execution is a powerful technique for automatically generating test cases to trigger security vulnerabilities. It has a reputation for relative ease of use, and we believe it can be brought to the same level of utility and usability for hardware designs. The use of software-style symbolic execution for hardware designs has been proposed before, but not yet fully developed,” the UNC group’s research paper on Coppelia says.
Sturton’s team took a set of 31 known bugs in a given hardware design and ran Coppelia against the design to see how many of those flaws it would identify. The tool discovered 29 of the 31 bugs, and one of the two it didn’t find was outside of the processor core and not visible to Coppelia. The tool also found four new vulnerabilities in the hardware design and was able to generate exploits for all of the identified bugs.
The software security research community is pretty large and grows by the day, and Sturton said she hopes that the hardware community will begin to expand accordingly.
“We’ve only begun to scratch the surface of what’s needed and possible to secure hardware. We need to build a community of folks working on security hardware validation and show people how it’s done,” she said.