Modern hardware needs a lot of attention, and measurable security!


The Semiconductor Industry Association (SIA), USA, organized a webinar today on decadal plans for semiconductors: measurable ICT security and privacy. Falan Yinug, Director, Industry Statistics and Economic Policy, Semiconductor Industry Association, said providing ICT security and privacy is a particular challenge. Edge node connectivity is increasing, and threats continue to evolve.

Richard Chow, University Research Manager and Scientist, Intel Corp., said the decadal plan for semiconductors is a 150-page report developed by Semiconductor Research Corp. (SRC). It has five chapters: analog electronics, communications, energy, memory and storage, and security and privacy. Today, vulnerabilities are increasing. There is the National Vulnerability Database (NVD) from the National Institute of Standards and Technology (NIST). We need to keep an eye on the metrics.

The first is cryptography. Next is fully homomorphic encryption (FHE), a much-talked-about form of computation. Quantum computing has meant metrics can change, thus making it hard for attackers. There are autonomous systems, as well. Recovery after an attack is also important. You need to get to a safe state quickly. Modern hardware today needs a lot of attention. There may be subtle issues in microelectronics. Software security is much better than hardware. Yet another area of importance is IoT. There may also be some complex systems to deal with. Complexity is the enemy of security.

Edge computing has been growing very quickly. Trust is a major issue for service providers. Trustworthiness of AI is also a problem. Neural networks are black boxes with no explanations for their decisions. There are attacks on the ML pipeline in all phases: training set, adversarial, and model. Security goes hand-in-hand with all fields of computing. Deep learning turned big around 2012. People also started looking at adversarial scenarios. Bitcoin began in 2009, and papers were written by 2012. However, back in 2010, it was hard to predict what could happen.

Measurable security
There was a panel discussion, with the participants being Hugo Vincent, Lead Security Research Architect, ARM Research, Prof. Thorsten Holz, Faculty of Electrical Engineering and Information Technology, Ruhr-University, Bochum, Ms. Pardis Emami-Naeini, Postdoctoral Scholar, School of Computer Science, University of Washington, and Dr. Josiah Dykstra, Subject Matter Expert in Cyber security, National Security Agency’s Cyber Security Collaboration Center.

Prof. Thorsten Holz, Ruhr-University, presented on measurable security. Intelligent adversaries can think out-of-the-box. There have been cross-layer attacks. Many types of defenses can be bypassed. The measurement of a system's security changes after every attack. We need to estimate and predict the next unknown attacks. We need to anticipate all future attacks. There is a digital arms race. In crypto, the community has moved further. We need to do a lot more things. We need to measure security. The EU is also working on security metrics. Cyber insurance may be coming up. Opportunities for the insurance industry are high. They came up with some metrics.

Dr. Josiah Dykstra, National Security Agency’s Cyber Security Collaboration Center, felt we need to be more secure. There needs to be measurable ICT security and privacy. There are existing areas of work, such as the science of security and science of privacy, the Exploit Prediction Scoring System (EPSS), and the Workshop on the Economics of Information Security (WEIS).

There are five hard problems facing us. These are: scalability and composability; policy-governed secure collaboration; security metrics-driven evaluation, design, development, and deployment; resilient architectures; and understanding and accounting for human behavior. We need to separate security from compliance. How much security/privacy is the rational amount? How much risk management is the right amount? There needs to be composable security and emergent properties.

Hugo Vincent, ARM Research, added that we need better measurement. Security is bad, and improving slowly. Consumers like simple metrics. Market dynamics can drive improvement. Engineers may sacrifice security for simplicity and performance. Memory safety issues remain dominant. We need to measure what matters!

Today, the threat model is specific to the product, and relates to the whole system. Formal verification is a gold standard. But, automated tools are lacking. Caution is needed around assumptions. Even formally verified security mechanisms have failed after exposure to the real world. Certifications are useful for forcing a security-aware development process. We can measure that a binary is identical, as we move it around. You can combine a secure boot-style flow and hardware isolation mechanisms to allow remote parties to bootstrap trust in a system. Remote attestation is a central concept of confidential compute.
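The measurement and attestation idea above can be sketched in a few lines. This is an added example, not code from the webinar or from any vendor: it models a boot chain as a PCR-style hash register and lets a remote verifier check a nonce-bound report against reference measurements. An HMAC with a shared key stands in for the signature of a hardware-protected attestation key, and all names and sample data are hypothetical.

```python
import hashlib
import hmac
import os

def extend(register: bytes, component: bytes) -> bytes:
    """Fold the hash of one boot component into the running register."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure_chain(components) -> bytes:
    """Measure each stage in boot order, starting from an all-zero register."""
    register = bytes(32)
    for blob in components:
        register = extend(register, blob)
    return register

def make_quote(key: bytes, nonce: bytes, components) -> dict:
    """Device side: report the register, bound to the verifier's nonce."""
    register = measure_chain(components)
    tag = hmac.new(key, nonce + register, hashlib.sha256).digest()
    return {"nonce": nonce, "register": register, "tag": tag}

def verify_quote(key: bytes, nonce: bytes, quote: dict, reference) -> str:
    """Verifier side: authenticity first, then freshness, then measurement."""
    tag = hmac.new(key, quote["nonce"] + quote["register"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, quote["tag"]):
        return "bad-tag"
    if not hmac.compare_digest(quote["nonce"], nonce):
        return "stale-nonce"
    if not hmac.compare_digest(quote["register"], measure_chain(reference)):
        return "measurement-mismatch"
    return "trusted"

# Constructed sample data: stand-ins for real boot images and a device key.
KEY = b"constructed-demo-attestation-key"
GOOD = [b"bootloader-1.0", b"kernel-5.4", b"app-2.1"]
TAMPERED = [b"bootloader-1.0", b"kernel-5.4-modified", b"app-2.1"]

if __name__ == "__main__":
    nonce = os.urandom(16)  # fresh challenge from the verifier
    for name, stages in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, verify_quote(KEY, nonce, make_quote(KEY, nonce, stages), GOOD))
```

Because each stage is folded into the previous register value, the final value depends on both the content and the order of everything that booted, which is what lets the verifier compare one 32-byte value against its reference.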

Ms. Pardis Emami-Naeini, University of Washington, noted that privacy or security information is generally not available at the point-of-sale. They designed the first version of the IoT label. Almost all wanted to know about the security and privacy, and were willing to pay a premium for such information. Policymakers are also excited about IoT labels, such as those in England, Finland, Singapore, and USA.

They designed a layered label. It has a primary layer and a secondary layer. It can also accommodate companies updating their security and privacy practices. Labels help consumers find more information, and work for consumers and experts. She showed some impact of the attributes. There is a misconception that no updates could mean a device is secure. That is not true!

Ms. Debra Delise, GM, Security Center of Excellence, Analog Devices, was the moderator.