New Process Needed for Disclosing Hardware Flaws

SAN FRANCISCO--The revelation of the Spectre and Meltdown processor flaws earlier this year changed the way many people thought about how low-level flaws could be exploited, and one of the researchers who discovered Meltdown hopes it will end up leading to a change in the way that hardware vulnerabilities are handled and disclosed.

Spectre and Meltdown are a pair of weaknesses in the way that some processors handle speculative execution, and can enable attacks that break the barriers between applications. The flaws are buried deep in the microcode of the processors and are not simple to exploit or to patch. Paul Kocher, a cryptographer and security researcher, was one of the researchers who discovered the Spectre flaw, and he and others worked with the affected manufacturers before disclosing the bugs publicly.

However, word about the vulnerabilities began to leak out before the planned disclosure date, a relatively common occurrence in the security world. But with bugs of this magnitude that affect many vendors and platforms, leaks can be dangerous. Kocher would like to see a formal process established for disclosing hardware bugs, something like what exists for software flaws.

“The disclosure process isn’t established. Who should know about the bug? Who can fix a hardware problem? We need a road map of what to do,” Kocher said during the cryptographers’ panel at the RSA Conference here Tuesday.

“In the case of Spectre, more people were told than could keep a secret and press leaks started to happen. You don’t want to be in a situation where attackers have enough information to launch attacks but defenders don’t have enough information to defend themselves.”

The disclosure process for software vulnerabilities has been in place in one form or another for decades. Researchers can report bugs to an independent organization such as the CERT/CC or report them directly to affected vendors. Many software companies have dedicated teams that deal with security response and have established methods for working with researchers and disclosing vulnerabilities. But those programs are much less common in the hardware world right now.

“There’s a pretty large amount of work to be done. We have a giant problem on that side,” Kocher said.

Patching vulnerabilities like Spectre and Meltdown can be quite difficult too, even for the manufacturers who built the devices. That sometimes leads to further problems.

“I’m worried we will get to the point where we have millions of microprocessors that are bricked with patches and patches of patches,” said Adi Shamir, one of the inventors of the RSA encryption algorithm. “If you play around with the microcode, there’s a possibility you might have a huge disaster.”