
SoylentNews is people

posted by mrpg on Friday April 14 2017, @07:20PM   Printer-friendly
from the hardware-ng dept.

DARPA wants to eliminate seven classes of hardware vulnerabilities (warning, contains cyberjargon):

Military and civilian technological systems, from fighter aircraft to networked household appliances, are becoming ever more dependent upon software systems inherently vulnerable to electronic intruders. To meet its mission of preventing technological surprise and increasing national security, DARPA has advanced a number of technologies to make software more secure. But what if hardware could be recruited to do a bigger share of that work? That's the question DARPA's new System Security Integrated Through Hardware and Firmware (SSITH) program aims to answer.

[...] SSITH specifically seeks to address the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration (cwe.mitre.org), a crowd-sourced compendium of security issues that is familiar to the information technology security community. In cyberjargon, these classes are: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. Researchers have documented some 2800 software breaches that have taken advantage of one or more of these hardware vulnerabilities, all seven of which are variously present in the integrated microcircuitry of electronic systems around the world. Remove those hardware weaknesses, Salmon said, and you would effectively close down more than 40% of the software doors intruders now have available to them.

The strategic challenge for participants in the SSITH program will be to develop new integrated circuit (IC) architectures that lack the current software-accessible points of illicit entry, yet retain the computational functions and high performance the ICs were designed to deliver. Another goal of the program is the development of design tools that would become widely available so that hardware-anchored security would eventually become a standard feature of ICs in both Defense Department and commercial electronic systems. The anticipated 39-month program centers on two technical areas. One of them focuses on the development and demonstration of hardware architectures that protect against one or more of the seven vulnerability classes as well as design tools the electronics community would need for including hardware-based security innovations in their design and manufacturing practices. The second technical area encompasses methodologies and metrics for measuring (and representing for system designers) the security status of the newly designed electronic systems and any tradeoffs the hardware-won security might levy in the form of system performance, power needs and efficiency, circuit area, and other standard circuit features.


  • (Score: 1) by anubi on Saturday April 15 2017, @07:25AM (4 children)

    by anubi (2828) on Saturday April 15 2017, @07:25AM (#494328) Journal

    I stopped trusting my hardware when they started putting BIOS into flash.

    Remember when the IBM AT Technical Reference actually had a copy of the BIOS source code in it (all in assembler, no less!)?

    As well as the electrical schematics of every circuit board in the machine?

    I was sure hoping that would be the "way things are done" for a long time. The machine was absolutely deterministic. I knew exactly what that machine was going to do. Conversely, how to instruct it to do exactly what I wanted it to do.

    For me, it was usually controlling some industrial device... mostly in C++, with device drivers I wrote in assembler.

    Thanks to all that crazy intellectual property law, copyright, patent, whatever, everyone holds themselves harmless and does whatever they want in the machine.

    I can't even trust a damn phone anymore.

    The days of trusting my machine still exist for me only in the world of the Arduino and Propeller.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2) by kaszz on Saturday April 15 2017, @11:59AM (2 children)

    by kaszz (4211) on Saturday April 15 2017, @11:59AM (#494371) Journal

    What model was the last PC-x86 machine that had its full schematic and source code published?

    Btw, C++ has a lot of overloading and background stuff going on. Not so deterministic.

    • (Score: 1) by anubi on Saturday April 15 2017, @12:25PM (1 child)

      by anubi (2828) on Saturday April 15 2017, @12:25PM (#494378) Journal

      The IBM PC-AT (286) was the last one I remember having the schematic and the BIOS code for.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by kaszz on Saturday April 15 2017, @01:12PM

        by kaszz (4211) on Saturday April 15 2017, @01:12PM (#494389) Journal

        What do you think of FPGA security-wise?

  • (Score: 2) by kaszz on Saturday April 15 2017, @12:01PM

    by kaszz (4211) on Saturday April 15 2017, @12:01PM (#494372) Journal

    Oh, btw.. phones can be dealt with by installing another OS and reverse engineering.