Electronic system security has become an increasingly critical area of concern for the Department of Defense (DoD) and, more broadly, for the security of the United States. Current efforts to secure these systems largely rely on robust software development and integration, utilizing an endless cycle of developing and deploying patches to the software firewall without identifying or addressing the underlying hardware vulnerabilities.
The System Security Integration Through Hardware and Firmware (SSITH) program seeks to break this seemingly endless cycle of vulnerability exploitation and patching. Under the program, researchers are developing hardware security architectures to protect systems against whole classes of hardware vulnerabilities exploited through software, not just individual vulnerability instances. To learn more about the classes of vulnerabilities, visit the Malicious 7 page on the website.
The SSITH researchers are exploring a number of different design approaches that go well beyond patching while minimizing impacts to performance, area, and power consumption. Outlined here are the research teams engaged in the SSITH program and the unique design approaches they are developing:
Lockheed Martin: Parallel Security Co-Processor
The Hardware Architecture Resilience by Design (HARD) approach utilizes a multi-pronged approach to provide a lightweight hardware solution to protect systems against multiple classes of hardware vulnerabilities. Rather than perform “major surgery” on the main CPU pipeline in order to implement new instructions or change the format of a pointer, the HARD approach utilizes a set of pipelines running in parallel to the primary CPU execution pathway to act as a parallel security co-processor, monitoring the main CPU and standing ready to flag any malicious operations. Each pipeline monitors the stream of instructions executing on the main CPU pipeline, deriving the current semantic context based on expected patterns of instructions, and looking for any exploitation attempts. This context-based approach ensures maximum software compatibility.
The HARD approach is especially suitable for System-on-Chip (SoC) implementations used for embedded or dedicated applications, such as automotive or Internet-of-Things (IoT). HARD pipelines can be aggregated to deploy more or less security coverage as needed for the target environment, with attendant savings on power-consumption or performance impact – essentially, you only pay for what you need. In addition, because there is no need for major modifications to the primary CPU, HARD can be easily deployed to enforce security across any CPU architecture.
Massachusetts Institute of Technology (MIT): Compartmentalization Using Enclaves
Enclaves have emerged as a particularly compelling technique to implement trusted execution environments. Enclaves are a way to isolate sensitive user-mode processes in a largely untrusted software environment. While the threat models employed by various enclave systems differ, the high-level guarantees they offer are essentially the same: attestation of an enclave's initial state, as well as a guarantee of enclave integrity and privacy in the presence of an adversary.
The Massachusetts Institute of Technology (MIT) has developed a hardware platform called Sanctum, which includes minimal modifications to a processor to efficiently provide enclaves with strong isolation properties even against a privileged adversary. Sanctum uses a small, privileged security monitor, Sanctorum, which in conjunction with partitioned caches and flushing of shared state on context switches, provides isolation for enclaved processes across either space or time. This allows enclaves to share hardware resources for performance improvements, but ensures that enclave state cannot be impacted by external code in a data-dependent manner either directly or indirectly.
SRI International: Memory Protection and Software Compartmentalization Using Capabilities
First proposed in the 1970s, capability-based protection allows computers to impose fine-grained control access to memory and other resources. The aim of such designs was to support implementation of the principle of least privilege, which dictates that software should able to access only the information and resources that are necessary for the current operation in order to mitigate software faults and exploited vulnerabilities. However, such techniques have, to date, proven impractical for large-scale deployment due to requiring clean-slate software stacks or complex microarchitectures with substantial overheads.
SRI International, in collaboration with the University of Cambridge, has developed CHERI (Capability Hardware Enhanced RISC Instructions) to extend conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization. The CHERI memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted to provide strong, compatible, and efficient protection against many current, widely exploited vulnerabilities and exploit techniques – while still running current C/C++-software stacks with little or no modification.
University of Michigan: Encryption with Churn
Instead of attempting (and failing) to find every last vulnerability, the University of Michigan research team is exploring an alternative approach that creates an impenetrable sequence of roadblocks between the attacker and the critical information assets they require to mount an attack, a technique known as an Ensemble of Moving Target Defense (EMTD). To make it difficult for the attacker, EMTD employs multiple composable layers of protections on information assets such that successful penetration of one protection, such as encryption, is met with yet another layer of information protection, such as periodic re-encryption or “churn”.
The Morpheus approach from the University of Michigan, employs a hardware-based encryption scheme for all pointers coupled with other techniques, such as randomized memory layout and pointer representations, to add “entropy” to the system architecture that erects barriers to an attacker. This greatly increases the amount of time needed to break through and obtain access to an exploitable asset, such as a true memory address. Meanwhile, the system periodically churns its encryption keys and random mappings so that exploitable assets are invalidated before the attacker can get close to using them.