Is Hardware More Secure Than Software?
Total Page:16
File Type:pdf, Size:1020Kb
Is Hardware More Secure than Software? Lianying Zhao Carleton University David Lie University of Toronto Abstract—Computer hardware is usually perceived as more secure than software. However, recent trends lead us to reexamine this belief. We draw attention to the “firmwarization” of hardware and argue for revisiting the role of hardware and software in systems security. TRADITIONALLY, computer systems can be quick search on Google Scholar returns at least thought of as composed of two types of compo- 1,750 academic papers with the title containing nents: hardware and software. Hardware refers to both “hardware” and “security” as of the time the physical components that perform a fixed set of writing. While this is a conservative under- of operations. Software on the other hand, defines approximation of the actual number of such pa- logical components, instantiated as data and in- pers (as it only checks the title), and regardless structions, which can specify arbitrary sequences of whether these papers propose a larger role of hardware operations, as well as inputs to those of hardware in security, or seek to examine the operations. A function can be implemented using vulnerability of hardware to security attacks, the a various mixes of hardware and software compo- sheer number informally illustrates that the se- nents (or even entirely in hardware). The mix of curity community has a strong interest in the hardware and software can have implications on relationship between computer hardware and se- certain properties of the function implementation curity. Another recent trend is the implementation (e.g., performance or security). of hardware mechanisms to address well-known Hardware Security. Hardware has been deemed security problems. For instance, a survey [8] lists to be the safeguard for security-sensitive op- 21 hardware-based architectures to ensure control erations for decades. This is reflected in the flow integrity (CFI, the correct flow of execution longstanding use of hardware security modules of a program). This implies that there is an (HSMs, such as the tamper-evident/resistant IBM underlying belief that hardware implementations Cryptocards) for cryptoprocessing, as well as the correlate well with better security properties in more recent interest in securing sensitive tasks computing computing systems. with trusted computing technologies like Intel SGX and ARM TrustZone. The Perceived Security Benefits of In academia, hardware security has also at- Hardware tracted significant attention from researchers. A We begin by examining where this belief in the security benefits of hardware may have The final version of this article will appear in the special originated. Intuitively, one may assume that the issue Hardware-Assisted Security of IEEE Security & Privacy. This is the author’s copy created on June 27th, 2020. DOI: feeling of security may naturally stem from the 10.1109/MSEC.2020.2994827 c 2020 IEEE. possession and physical existence of hardware. IEEE Security & Privacy, to appear (accepted: May 2020) Special Issue: Hardware-Assisted Security 1 Hardware switches provide visible assurance of done if hardware is compromised or defective—a operation integrity, e.g., a state is set and its state hardware switch in a circuit may be maliciously remains unambiguously obvious. Similarly, users changed from off to on, but not reprogrammed can be confident that they possess and are in to be something else substantially different. By control of information and capabilities inherent in contrast, software generally runs on a Turing- detachable devices like USB dongles and drives. complete execution engine (e.g., the CPU), which Hardware components on first examination, ap- can be programmed to do something far from the pear simpler and more restricted in function intended functionality of the original software. than many software components. Components, So if compromised or defective, software may like hard drives store data and little else, while intrinsically give an attacker access to the Turing- keyboards provide a means to input information complete environment where arbitrary functions and commands. Indeed, the physical nature of can be performed. hardware means that defects in hardware are not We define privilege as the ability to observe as easily fixed after they are shipped to customers, and control the operations of another component. driving hardware designers to be more conser- This definition has a subtle difference from the vative and thoughtful in their designs. All these software definition of privilege (i.e. kernel vs properties contribute to an overall feeling of better user) as higher-privilege software generally is security and assurance in hardware over software. capable of a super-set of operations over lower- However, if we set aside assumptions about privilege software. However, the privilege of the conscientiousness of hardware and software hardware over software is different in that hard- designers, as well as possible mental biases to- ware and software are not capable of the same set wards physical versus logical components, and of operations. Yet, where it is comparable is that instead focus on the functional properties that dis- the additional operations that privileged software tinguish hardware and software implementations has usually include the ability to control (i.e. from a security perspective, we can contemplate start, stop and interrupt), as well as observe (read two that appear to stand out: 1) immutability and and write) the execution state of unprivileged 2) privilege. software. In the same way, hardware making up We define immutability as the ability of a the execution engine of software, has the same function’s properties to resist being changed from ability to control and observe the state of any those in their original intended design. Being software it runs. physically implemented in circuits and transistors, Modern computers all share the layered con- hardware has an “intrinsic” immutability, to it— struction starting from the hardware/firmware, the functions implemented in hardware cannot be VM hypervisor, operating system (OS), to ap- simply changed by altering some bits in memory. plications (see Figure1). A hypervisor is secure If an attacker wants to modify the function of against the OS kernel, which in turn is secure hardware, they must physically change it, imply- against applications. Hardware sits at the most ing the need for physical access to the victim. privileged position in this stack, and as such is This is comforting, as physical changes have a naturally secured against vulnerabilities in and at- higher chance of being tamper-evident. tacks coming from the lower-privileged software Such immutability can also be considered a layers. benefit of the fact that hardware does not need to implement a “Turing machine”. Hardware has Hardware, Firmware, and Software an inherent bias towards the “Economy of Mech- So far we have discussed a high-level ab- anism” [10]—because hardware has a physical stract model of computing system implementa- existence, there is a penalty for extra or unused tion where all components are all either entirely functionality, so there is a strong incentive to hardware or software. However, as the reader may avoid it. Therefore, hardware logic often imple- have guessed, the view of computing systems pro- ments just enough functionality to execute pre- moted by this article is not so simple. There actu- scribed tasks without enabling arbitrary opera- ally, exists a third, hybrid, type of implementation tions. This naturally limits the damage that can be for computational functions called “firmware”. 2 IEEE Security & Privacy, to appear (accepted: May 2020) applies. Even in that case, the compromised hard- ware remains immutable, e.g., hardware Trojans APP1 APP2 APP3 ... APPn inserted by the designer or manufacturer usually cannot be removed by firmware/software. Privilege: Also previously defined, privilege Operating System indicates the ability of a higher-privileged com- Hypervisor ponent to observe and control the execution of a lower-privileged component. Because all software Firmware must execute on hardware, hardware inherently Microcode has higher-privilege than firmware or software. However, it is often the case that firmware exists . on the hardware side of the hardware-software Immutable hardware interface, and as such has privileges over software such as the OS kernel or applications. Thus, we order privileges with hardware at the top, “Code” Perceived hardware firmware in the middle, and, finally, software at the bottom. Figure 1. The layered construction of a computing Efficiency: Efficiency defines how much per- device, and what is commonly considered as hard- formance an implementation provides as a func- ware. tion of some resource (electrical power for ex- ample). Hardware implementations are generally The term firmware has existed almost as long as more power efficient than software, and provide computer hardware has, first coined by Ascher better performance for similar power consump- Opler [4] in the 1960s. Firmware shares some tion. While both firmware and software are less properties with software, in that it is implemented efficient than pure hardware blocks, firmware of- as software instructions that execute on a general ten executes closer to the hardware, and may have purpose, Turing-complete hardware processor. access to special hardware functions or facilities To better understand hardware, firmware and that may make it more efficient than software.