5 Changes Coming to Hardware Security
By Roger Lam
The Spectre and Meltdown hardware flaws announced in January 2018 were a wakeup call about the fundamental security faults affecting nearly every modern computer chip. After years of focusing almost exclusively on software-related cybersecurity issues, IT teams came face to face with the reality that hackers could gain access to data previously believed to be securely stored in program memory. Suddenly a whole new threat category reared its head, along with a whole new level of worry about how to plug the holes.
In short order, chip manufacturers and other providers ranging from Intel, ARM, AMD and NVIDIA to Linux developers and Microsoft began releasing software and firmware patches to address the defects. In some cases, however, the cure was almost as bad as the disease, with reports of crippling application slowdowns and the need for multiple system reboots. New vulnerabilities using similar chip-based attack vectors were also discovered, reinforcing hardware security concerns.
Over the next year, Intel established a broad blueprint for proactively beefing up hardware protections. Those initiatives, described in a company editorial posted on January 2, 2019, ranged from setting up special security working groups to releasing microcode updates for more than nine years of Intel products, changing the company’s CPU architecture, and increasing collaboration with security and academic researchers to identify chipset vulnerabilities before hackers have an opportunity to exploit them.
Intel’s roadmap is just one example of the new attention being paid to hardware security. Here are some additional changes we can expect from the industry at large to help keep chip-based data breaches at bay.
1 – More signed firmware. Tier 1 server suppliers like HPE and Dell began protecting their newer-generation systems with signed firmware several years ago. Board manufacturers followed suit. Wider adoption of cryptographic firmware signing can now be expected from both board and white box suppliers, so that a system can verify that the firmware present on it has not been tampered with before it runs.
2 – Backflash prevention. With rising recognition that firmware can be used as an attack vector, the days of backward firmware compatibility are numbered. Motherboard manufacturers have begun to implement backflash prevention technology to block rollbacks to older BIOS and firmware versions lacking the latest security enhancements. The same strategy will be used by other component suppliers to reduce risk throughout the hardware ecosystem.
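As an added example (not code from this article or from any vendor named in it), here is the device-side gate behind items 1 and 2 in Go: an update image is accepted only if its Ed25519 signature verifies under the vendor's public key and its version is not older than the installed one. The image layout, the FWIM magic and the header fields are constructed for this example and do not describe any real firmware format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not any vendor's real format):
//   magic "FWIM" | version uint32 big-endian | body | ed25519 signature over all preceding bytes
var magic = []byte("FWIM") // 4-byte identifier
const headerLen = 8        // magic + version

// BuildImage assembles and signs an image (the vendor-side step behind "signed firmware").
func BuildImage(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	img := make([]byte, headerLen)
	copy(img, magic)
	binary.BigEndian.PutUint32(img[4:], version)
	img = append(img, body...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyUpdate is the device-side gate: it rejects images that are malformed, not signed by the
// vendor key, or older than the installed version (backflash prevention). Equal versions are allowed.
func VerifyUpdate(image []byte, pub ed25519.PublicKey, current uint32) (uint32, error) {
	if len(image) < headerLen+ed25519.SignatureSize || !bytes.Equal(image[:4], magic) {
		return 0, errors.New("malformed image")
	}
	signed, sig := image[:len(image)-ed25519.SignatureSize], image[len(image)-ed25519.SignatureSize:]
	// Authenticate before trusting the version field: until then it is attacker-controlled.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, errors.New("signature verification failed")
	}
	version := binary.BigEndian.Uint32(signed[4:8])
	if version < current {
		return 0, fmt.Errorf("rollback blocked: image v%d is older than installed v%d", version, current)
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	body := []byte("constructed firmware payload")
	fmt.Println(VerifyUpdate(BuildImage(priv, 5, body), pub, 4)) // accepted: 5 <nil>
	fmt.Println(VerifyUpdate(BuildImage(priv, 3, body), pub, 4)) // rollback blocked
}
```

Because the version field is covered by the signature, an attacker cannot simply rewrite it to get an old image past the rollback check; the signature check must therefore run before the version is read.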
3 – More frequent BIOS and BMC firmware updates. New concerns over hardware security will also prompt component manufacturers to shorten the interval between new BIOS updates and firmware releases on the baseboard management controller (BMC) in order to deploy vulnerability fixes. Staying current with patches will be essential to avoiding production interruptions. Intel, in fact, has announced plans for quarterly microcode updates that will be delivered through operating system refreshes like Windows Update where possible.
4 – Increased supply chain oversight. Technology companies and their customers will increasingly demand proof of supply chain security at every step of the manufacturing process, from the raw component level to fully assembled and delivered systems. This is already happening at MBX Systems, where ISVs and OEMs using MBX’s custom hardware manufacturing services began inquiring about sources of component supply shortly after hardware vulnerabilities began making headlines last year.
5 – New security assurance programs. Faced with escalating customer anxiety over hardware security, system manufacturers and integrators will begin to offer hardware security services such as hardware threat assessment, vulnerability risk management, and active firmware monitoring to find gaps in firmware security and ensure that only secured firmware reaches the end user.
Clearly, the industry recognizes that vigilance is required to harden hardware security. Strategies are sure to evolve as new vulnerabilities are discovered, but the focus on reducing CPU-related risk is here to stay. We can all thank the security researchers who identified the Spectre and Meltdown flaws for that.
Roger Lam is Director of Engineering at MBX Systems (www.mbx.com), a custom computing hardware manufacturer backed by an ecosystem of software, services and experts for technology companies that deliver complex products on turnkey hardware.