There is a race for the security of our computers. It has been going on for years. Attackers, who seek to compromise systems and the defenders who struggle to protect them, are all heading toward the same finish line, the core hardware components. In the computers we rely on every day, the core is the hardware itself, consisting of components like the processors, logic systems, and physical memory. These are the hearts and brains of our beloved systems. If we look at the entire technology stack, the users sit at the top and hardware is the foundation at the bottom. Applications interact with users above and rest on top of operating systems. Operating systems function with the firmware below, which is the interface to the hardware at the bottom of the stack. The hardware does all the actual computation while everything above is a dynamic web of instructions, rules, and data to be processed. Together, these layers represent structure by which all modern computer systems operate and each layer can be attacked.
The history of significant computer compromises has a repeating pattern. Original attacks targeted the very users who operated the systems. People can be manipulated into revealing information and unknowingly assist their attackers. These methods were time consuming, relying on the slow interaction of the targeted people, and needed refined communication skills to be truly effective. Defenders began to establish processes and protocols for users. Coupled with training, it made people less susceptible to exploitation.
Such barriers created limitations at the people level and attackers soon expanded to the insecure applications in the software layer. They went further down the stack, bypassing the savvy users and moving into an environment which moved much faster and required less influencing skills. This was innovative and up to this point, application writers paid little attention to coding securely. Attackers found countless numbers of vulnerabilities to exploit. The defenders responded over time by designing software to have more security, thus making it more difficult for attackers to find weaknesses.
So they evolved again, went lower in the stack, and opened another front. They targeted the operating systems, which applications rely on for structure and view with authority. Again, due to poor coding the attackers found great initial success in taking control of operating systems and therefore undermine most of the security controls protecting the applications. OS vendors, adopting the lessons of application writers, responded with better coding, quality assurance testing, and regular patch updates to secure their products.
Today, we have attacks targeting people, applications, and operating systems. But the cycle continues. Attackers keep going lower, leading the charge beyond the operating systems to gain access and control of our computer systems. Next up is the firmware and eventually the hardware.
Security researchers, system hackers, and malware writers are diving lower in the stack. The closer you get to the core, the more power you possess. Stealth can be attained from layers above, system control, and the breadth of access grows. Pervasiveness becomes an interesting ally as once a flaw is detected, it becomes much more problematic to fix. The trade-off is firmware and hardware hacking is more difficult, requiring significant technical understanding, but more research is being focused on the areas by the industry. Every year the community grows to support the flood of new technology demanded by consumers. More tools are being developed to look, test, dissect, analyze, challenge, and compromise the lower domains. Organized, highly talented, and well-funded groups of researchers and hackers will lead the way. The “writing is on the wall”. The battle is getting lower and will eventually target the core. It is just a matter of time.
The core must be defended rigorously and preparation is imperative if the defenders are to win. Security service providers and the designers of hardware/firmware must work together. System architects and engineers have the home-field advantage. They must learn and apply the lessons of the application and OS coders now, before they are surprised. Security principles must be applied from the beginning of the design process. Added security features, both passive and active, need to be intertwined into products to assist security providers. Quality assurance is more important than ever and it is inevitable that some weaknesses will eventually be found. The team must be ready to respond to address exploits, something which is much more difficult at the core, requiring creative solutions embedded in advance.
Whoever can control the core first wins the race. We must win. The security of our computers hangs in the balance.