We are seeing more vulnerabilities than ever before as modern computer systems become more complex and interconnected. As attacks become more omnipresent and sophisticated they often advance past the software layer and compromise hardware. The industry has worked to deliver microarchitectural improvements as a response and today, implementation of hardware-based security is widely recognized as best practice.
Hardware-based security, however, has its own set of challenges when not properly designed, implemented, or checked. Combined with the fact that we are seeing increasingly sophisticated methods of harnessing hardware by chaining them with software vulnerabilities, it is evident that the industry needs a better and deeper understanding of common hardware security vulnerabilities taxonomy, including information on how these vulnerabilities are introduced into products, how they can be exploited,
MITRE's Common Weakness Enumeration (CWE) system today contains a key resource for tracking software vulnerabilities, which is also complemented by the Common Vulnerability and Exposures (CVE) system.
A simple way of differentiating the two is that CWE includes a taxonomy of common vulnerability types and provides different views for a user to traverse different categorical buckets, while the CVE maintains a list of specific vulnerability instances that have already been found and reported publicly. Usually multiple CVEs are mapped to different CWE's. Essentially, the two systems work hand in hand to provide the ultimate reference guide to vulnerability. These resources aim to educate architects and developers when designing and developing software products to identify potential mistakes. At the same time, they allow security researchers and vendors of tools to identify current gaps, so they can offer better tools and methodologies to automate the detection of common security issues in software.
With the growing awareness of hardware vulnerabilities, the CWE could be expanded from the specific hardware perspective to include relevant entry points, common consequences, examples, countermeasures and detection methods. In addition, there are hardware-centric weaknesses related to the physical properties of hardware devices (e.g., temperature, voltage gaps, current, wear out, interference, and more) that are not yet categorized by the CWE.
Because of these lack of reference materials in the CWE for hardware vulnerabilities, researchers do not have the same standard taxonomy that would allow them to share
Tags : common,