Something happened in February of this year that will change the way security of integrated circuits (ASICs), System on Chips (SoCs), and field-programmable gate arrays (FPGAs) are specified, designed, and verified. The MITRE Corporation released version 4.0 of the Common Weakness Enumeration (CWE™) list, and now there is a new list targeting hardware weaknesses.
To understand the impact, we should start first with who the MITRE Corporation is. The MITRE Corp. operates federally funded research and development centers (FFRDCs). FFRDCs are unique organizations that assist the United States government with scientific research, analysis, development, acquisition, systems engineering, and integration. One key MITRE FFRDC has the focus of cyber threat sharing.
Specifically, this FFRDC maintains public lists called the Common Weakness Enumeration (CWE) and Common Vulnerability Exposures (CVE). At its core, the CWE started with software security vulnerabilities and provides a succinct definition for each common weakness type and how best to address and avoid it. Both CWE and CVE have been well established in the software domain for years, providing a valuable guideline and resource for measuring and tracking the effectiveness of products and technologies. Now, with the newly released version 4.0, MITRE has added a new category for hardware security weaknesses. Hardware security weaknesses typically show up in ASIC, SoC, and FPGA designs when they have not been specified correctly…designed with security in mind and verified against specific weakness and vulnerabilities.
Now that there is a list, what changes? Today’s complex systems control, process, and secure information across a broad range of applications from automotive and data centers, to edge computing with most leveraging ASICs, SoCs, or FPGAs. Ensuring these hardware devices do not introduce a cybersecurity vulnerability is paramount to the security of the entire system.
Failure to address security can be a costly mistake, including the impact they may have on consumer confidence, personal privacy, and brand reputation. The existence and exploitation of hardware vulnerabilities can also increase time-to-market; reduce vendor trust; and lead to costly lawsuits, chip recalls, or even loss of life.
Unfortunately, cybersecurity at the hardware level is a relatively new phenomenon. Most companies and design teams lack the resources needed to secure their designs. As a result, hardware security requirements go missing, roots of trusts can be mis-configured, and security testing is manual and limited.
Unfortunately, for team that employ security verification techniques, these do not provide a unified scalable methodology which can be applied during all stages of the hardware development lifecycle.
With the CWE version 4.0, design teams can now add and implement security specifications by leveraging the entire industry’s expertise across the United States government, scientific research, academia, commercial solutions companies, and other mediums. The standardization of common weaknesses also opens the door to automation around specification, design and verification of the weakness.
In the future I expect to see fully integrated flows based on the list allowing all design teams to detect and prevent the ever-growing list of CWEs. An example is companies like Tortuga Logic which provides tools and services targeting hardware security will now be able to target specific CWEs and build more standardize security solutions.
About Tortuga Logic
Founded in 2014, Tortuga Logic is a cybersecurity company that provides industry-leading products and services to address security vulnerabilities overlooked in today's systems. Tortuga Logic's innovative hardware security verification solutions, Radix, enable verification and security teams to detect and prevent system-wide exploits in FPGAs, ASICs and SoC that are otherwise undetectable using current methods of security review. To learn more, visit www.tortugalogic.com or contact firstname.lastname@example.org.