FICS Research Leads the Way in Hardware Security

 

Meltdown and Spectre bugs highlight importance of field

Hardware security made news in the worst way possible last month with the announcement that two CPU bugs, nicknamed Spectre and Meltdown, leave virtually every modern computer, smartphone, tablet and PC vulnerable to malicious attack. According to Google’s Security Blog,

The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

Hardware bugs like Spectre and Meltdown are extremely difficult to fix as they are the result of vulnerabilities ‘baked in’ to the processors themselves. Although firmware updates are possible to mitigate some hardware level bugs, the hardware (logic, memory, and interconnects) is basically static and immutable after fabrication. In other words, vulnerabilities like these cannot really be fixed until a new processor is designed, released, and installed. That process could take years, depending on the complexity of the chip.

Meltdown and Spectre attacks exploit “speculative execution,” used by modern processors for better performance. In layman’s terms, excessive CPU cycles are needed to determine which parts of a code to execute. Instead of waiting idly for the result, the system predicts which part of the code to execute and only waits to commit to the final results. If the prediction is correct (usually the case), the results are committed and the time that would have been wasted has been put to good use. If the prediction is incorrect, then the correct code is executed and the only penalty is the time which would have been wasted anyway. In this manner, speculative execution is a win-win for performance. However, speculative execution can provide hackers with “side information” which can be exploited to gain privileged and sensitive information about data and control flow. Meltdown also illustrates that the way “speculative execution” is implemented in hardware determines if there is an added security vulnerability.

The bottom line? Research and education will be critical in overcoming hardware vulnerabilities like Spectre and Meltdown. Experts predict that more vulnerabilities like these will continue to exist or be revealed, as the speed boost provided by speculative execution is too significant—companies won’t want to remove the process unless the speed loss can be mitigated in other ways. Many experts are of the opinion that Spectre and Meltdown provide the ‘kick in the pants’ that moves government and industry into a new paradigm of hardware design and developing a comprehensive, coherent strategy to radically improve hardware security practices.

FICS Research to the Rescue

Bugs and vulnerabilities such as these highlight the critical importance of the work being done at the University of Florida, specifically at the Florida Institute for Cybersecurity (FICS) Research. Established to be the nation’s premier multidisciplinary research institute in the advancement of cybersecurity, FICS Research boasts world-class facilities and preeminent faculty, all dedicated to advancing knowledge and technologies in this emerging field.

Prior to the creation of the Institute, Herbert Wertheim College of Engineering Dean Cammy Abernathy and ECE chair John Harris saw the need to position the University of Florida as a global leader in hardware security, IoT security, cybersecurity, and cryptography. With the creation of the Institute and several key hires, that leadership came to fruition. The University of Florida intends to stay at the forefront of these areas, as they are sure to become more and more critical to national security and identity theft prevention.

FICS Researchers are currently working collectively to address security issues at all types of hardware as well as hardware at all levels – from nanoscale devices to chips to circuit boards to systems (e.g. automotives, implants, wearables). FICS researchers are working to identify new vulnerabilities in hardware – e.g. leakage of sensitive information, hardware piracy, and Trojan attacks in hardware. Institute researchers empower hardware manufacturers to make secure and trusted ‘systems’ comprised of complex layers of hardware and software which will protect vulnerable users. Hardware systems and system security targets all parties involved in a product life cycle—from manufacturers to end-users.

FICS Research members are actively working on initiatives related to Spectre and Meltown, showing their global expertise in the field.

Sandip Ray and Swarup Bhunia are working on patchable hardware, frameworks, and architectures that are more mutable than existing hardware architectures, and enable seamless and disciplined correction of security vulnerabilities in-field.

Mark Tehranipoor, Domenic Forte, Swarup Bhunia, and Yier Jin are working on Design Security Rule Check, recommending frameworks and tools that analyze hardware designs through all levels of abstraction.

Yier Jin is working on hardware-assisted cybersecurity solutions with specific emphasis on the area of microarchitectural security. His paper, entitled HAFIX: Hardware-Assisted Flow Integrity Extension, won the best paper award at the Design Automation Conference (DAC’15) and another paper on microarchitectural side-channels was published in Network and Distributed System Security Symposium (NDSS’18).

Daniela Oliveira and Yier Jin are working on  REVELARE – a hardware-supported dynamic information flow tracking (DIFT) framework to enhance IoT security and forensics.

Prabhat Mishra is working on developing formal verification techniques coupled with robust architectural primitives to avoid such attacks in the future.

Courses

In addition, many ECE courses are delving into this critical area of research:

Course Course Name Instructor
EEE 4714/5716 Introduction to Hardware Security and Trust Tehranipoor
EEL 4853/5855 Cross Layered System Security Oliveira
EEL 5934 Hardware Security Lab* Bhunia
EEL 6935 Advanced Hardware Security and Trust Forte
EEL 6935 Cybersecurity Case Studies Bhunia
EEL 6935 Physical Attacks and Inspection of Electronics Asadi

* Uses a hardware hacking board developed in-house, to train students in the course about ethical hacking. Students receive this board in the mail and work with it remotely.

Who are the Core FICS Research Faculty in ECE?

Faculty Research Interests
Mark Tehranipoor
Intel Charles E. Young Endowed Chair Professor in Cybersecurity
Hardware security and trust, IoT security, electronics supply chain security, and reliable and testable VLSI design
Homepage
Publications
  Swarup Bhunia
Professor, Director of Education
Hardware and systems security, food and medicine safety, adaptive and energy-efficient computing, wearable and implantable systems
Homepage
Publications
Navid Asadi
Assistant Professor
Hardware security, Reverse engineering, 3D imaging and image processing, Failure analysis, Sensors, Thermal barrier coatings
Homepage
Domenic Forte

Assistant Professor

Hardware security and trust, Anti-reverse engineering, Anti-tamper, Digital VLSI/CAD, and Biometric systems
Yier Jin
Associate Professor and IoT Term Professor
Embedded Systems, IoT Design and Security, High Performance Computing Security
Homepage
Prabhat Mishra

University of Florida Term Professor, CISE (with joint appointment in ECE)

Embedded and cyber-physical systems, energy-aware computing, hardware security and trust, system-on-chip verification, bioinformatics, and post-silicon validation and debug.

Homepage

Daniela Oliveira

IoT Term Professor
Associate Professor

Interdisciplinary computer security and operating systems
Homepage
Sandip Ray

Endowed IoT Term Professor

Trustworthy computing; Synthesis, architecture, system design, security, prototyping, and verification; Hardware/firmware/software codesign; Design-for-resilience; Post-silicon readiness and validation streamlining for System-on-Chip designs.

Homepage

Damon Woodard
Associate Professor
Biometrics and identity science; pattern recognition and machine learning; image and signal analysis; computer vision applied to counterfeit detection and reverse engineering
Homepage

Spectre and Meltdown will continue to be big news for months and years to come; expect UF and FICS Research to remain at the forefront.