Patching Hardware Vulnerabilities Is Harder than You May Think
Friday, May 18, 2018, 7:00pm
by John Neuffer, President and CEO
If you unlocked your smart phone right now, how many of your apps would need updating? Patches and updates are a regular part of our connected lives. But imagine if every update required you to work with the app maker, phone service provider, phone manufacturer, phone operating system provider, and the dozen or so semiconductor companies that make the electronics in your phone to figure out how to patch the app on your uniquely configured device.
Addressing hardware vulnerabilities requires just this kind of broad collaboration across a huge range of unique environments, usually without the same direct access to end-users that app and software developers enjoy. With all the complexity involved in creating and distributing mitigations for hardware vulnerabilities, it is no surprise the time to develop updates in this arena can be more than the three months usually given to software companies to create fixes.
The big point here is that semiconductor companies that make the brains behind all our modern electronics often face a more challenging situation.
While you might think all processors are the same, semiconductor companies make a range of products for use across a wide variety of applications – from data centers to tablets, smartphones, and more. Further, within any given processor “family” there can be dozens of different types with unique features and capabilities. All depend on uniquely tailored operating code – known as microcode – that translates what computer software is designed to do into digital instructions that can actually be implemented on the microchips inside. Turning the taps and swipes in your smartphone app into the movement of electrons in microchips that will, for example, result in a purchase order at an online store or money transfer request with your bank requires the complex interplay between software, microcode, and the physical chips.
When a hardware vulnerability is discovered, semiconductor companies must work with companies across the supply chain to understand that whole system – from the silicon chip to the microcode all the way up to the software.
In accordance with the usual protocol established under voluntary industry standards and in the best interest of consumers and businesses, cybersecurity researchers who find hardware vulnerabilities often coordinate with semiconductor companies that make affected components on a timeframe for disclosing that vulnerability to the public. The existing standards and practices, known as coordinated vulnerability disclosure, say that unless people are known to be actively exploiting a vulnerability, it should not be disclosed publicly until a patch is ready to be deployed.
Current coordinated vulnerability disclosure policies were developed with a focus on software vulnerabilities and generally advise up to a 90-day default period to develop and distribute a patch before public disclosure, but the policies recognize that one size does not fit all. The bigger goal, after all, is to protect systems from attack, not necessarily speedy disclosure for its own sake. For particularly complicated vulnerabilities, such as those discovered in hardware, longer timeframes should be considered. Recent experiences suggest in certain instances, it can take more than 90 days for semiconductor companies to work with all the necessary parties and develop well-tested patches that work across the diverse computing environments in which their chips operate.
As the cybersecurity world turns increasing attention toward potential hardware vulnerabilities, it’s important that expectations and best practices specific to these complex challenges are considered. Unfortunately, rigidly applying existing standard software public disclosure deadlines to semiconductor vulnerabilities, without consideration for the unique challenges that industry faces, can ultimately put users at risk by limiting the opportunity for the most effective mitigations to be developed and deployed before public disclosure occurs.
Several SIA members have already begun working with others to better understand the state of hardware vulnerability disclosures in today’s evolving environment and to explore enhanced, voluntary best practices for coordinated disclosure related to the semiconductor industry. And SIA has called for increased federal funding for research in a number of areas, including research to advance the design and manufacture of trusted and secure hardware. In the interim, while that important work proceeds, cybersecurity researchers should strongly consider working closely with the semiconductor industry to evaluate appropriate disclosure timelines that take into consideration the unique circumstances of their research and the mitigations. Security in our ever-more-connected world depends on it.