Network World’s Michael Cooney reports that the Defense Advanced Research Projects Agency (DARPA) has expressed interest in adopting a hardware-based approach to cyber security.
Indeed, DARPA has offered preliminary details about a new program dubbed “System Security Integrated Through Hardware and Firmware (SSITH).”
According to Cooney, the program’s goal is to develop new integrated circuit architectures that lack the current software-accessible points of criminal entry, yet retain the computational functions and high performance that integrated circuits were designed to deliver. The program also seeks to develop design tools that would be made widely available to encourage the adoption of hardware-anchored security for both military and civilian systems.
“Security for electronic systems has been left up to software until now, but the overall confidence in this approach is summed up in the sardonic description of this standard practice as ‘patch and pray,’” SSITH program manager Linton Salmon of the Agency’s Microsystems Technology Office explained in a statement quoted by Network World. “This race against ever more clever cyber intruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software.”
More specifically, SSITH plans to address seven classes of hardware vulnerabilities detailed in the Common Weakness Enumeration, including permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors and code injection. It should be noted that researchers have documented approximately 2800 software breaches that have exploited one or more of the above-mentioned hardware vulnerabilities.
Perhaps not surprisingly, the U.S. Department of Homeland Security (DHS) also recently emphasized the importance of implementing security at the design phase by using hardware that incorporates security features to strengthen the protection and integrity of a device. This includes leveraging computer chips that integrate security at the transistor level – embedded in the processor itself – to provide encryption.
Building hardware that incorporates hardened security features would see devices protected throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning. This can be accomplished with a silicon-based hardware root-of-trust that offers a range of robust security options for IoT devices, including secure connectivity between the IoT device and cloud services.
In addition to implementing security at the design phase, the DHS recommends device manufacturers promote security updates and vulnerability management. To be sure, even when security is included at the very beginning of the design process, vulnerabilities may be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates and vulnerability management strategies.
Interested in learning more? The full text of “Strategic Principles for Securing the Internet of Things” (PDF) can be downloaded from the DHS website. Readers can also check out our CryptoManager platform, which creates a trusted path from the SoC manufacturing supply chain to downstream service providers with a complete silicon-to-cloud security solution.