How to Effectively Utilize Hardware CWEs Across your Organization
The CWE/CAPEC Program partners with organizations around the world to further the program’s mission and objectives. The views and opinions expressed do not necessarily state or reflect those of the CWE/CAPEC Program, and any reference to a specific product, process, or service does not constitute or imply an endorsement by the CWE/CAPEC Program of the product, process, or service, or its producer or provider.
We are pleased to welcome one of our key partners, Tortuga Logic, which has composed this posting and provided the picture for our blog.
What is a Hardware CWE?
The Common Weakness Enumeration (CWE) has been effective at guiding more secure software design and analysis for over 10 years. While software security continued to mature during this time, hardware security unfortunately lagged behind. Since the introduction of CWEs for software, the National Vulnerability Database (NVD) has recorded a significant increase in hardware vulnerabilities. As a result, the hardware and semiconductor industry became increasingly aware that it needed similar guidance to help design more secure hardware. In response, MITRE, in collaboration with industry leaders including Intel and Tortuga Logic, released a taxonomy focused specifically on hardware in February 2020.
Since its inception, the hardware CWE initiative has gained significant traction by classifying approximately 100 hardware weaknesses to date, creating a monthly Hardware CWE Special Interest Group (SIG) meeting, and establishing a list of the Most Important Hardware Weaknesses in October 2021.
While it’s promising to see the adoption and support of hardware CWE growing every month, many organizations are still unsure how to effectively apply CWEs across their organizations to realize the most value.
How can Hardware CWE be effectively applied in semiconductor organizations?
Through our collaborative security work with our customers, we have identified two effective ways that hardware CWE can be applied to enable higher levels of security assurance throughout semiconductor organizations.
1. As a Security Metric
CWE is an invaluable security metric. We see organizations starting to adopt a weakness-focused approach to their overall security program to help quantify assurance for their products. This follows a general process of:
- Defining a Threat Model: Start by identifying the relevant threats for the products being developed. This helps level-set the threats that are in scope and those that are not and helps bound the number of security requirements for the product.
- Specifying Security Requirements and Associated CWEs: Create compact security requirements based on the threat model and use CWE as an essential guide throughout this process. For hardware, we advocate for creating security requirements centered around design assets since it makes security requirements significantly easier to verify. With the association of CWEs, organizations can have quantifiable assurance that they have addressed any known weaknesses for their product.
- Verifying Security Requirements Throughout the Design Cycle: With the help of CWEs and asset-based security requirements, concise verification environments can be created to verify the security requirements effectively. Tortuga Logic's Radix products serve this purpose well because security requirements and their associated CWEs map succinctly onto Radix Security Rules, and the tools integrate into existing semiconductor design flows.
- Demonstrating Quantitative Security Sign-off: As a final step, all CWEs that are within the scope of the threat model can be enumerated to ensure proper coverage by the security requirements and test plan to facilitate a security sign-off. This enables quantitative evidence that all known weaknesses within the scope of the organization’s threat model are effectively covered and addressed.
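The four steps above can be expressed as data, which makes the sign-off check mechanical. The script below is an added example written for this page, not code from the original post or from Tortuga Logic. It models a threat model as a set of in-scope hardware CWE IDs, asset-based security requirements as records tagged with the CWEs they address, and verification outcomes per requirement, then reports which in-scope CWEs are covered by a passing requirement, which have only failing or unrun requirements, and which have no requirement at all. The CWE IDs are real entries from the CWE hardware view; the assets, requirement statements, CWE mappings and results are constructed assumptions for illustration.

```python
"""Quantitative security sign-off against a hardware CWE threat model.

Added example (not Tortuga Logic's or MITRE's code). The CWE IDs are real
hardware CWE entries; the assets, requirements, mappings and verification
results are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed threat model for an SoC that holds an AES key in an internal
# register, exposes a JTAG port and has a one-time debug lock bit.
IN_SCOPE_CWES: Set[str] = {
    "CWE-1191",  # On-Chip Debug and Test Interface With Improper Access Control
    "CWE-1244",  # Internal Asset Exposed to Unsafe Debug Access Level or State
    "CWE-1272",  # Sensitive Information Uncleared Before Debug/Power State Transition
    "CWE-1231",  # Improper Prevention of Lock Bit Modification
    "CWE-1262",  # Improper Access Control for Register Interface
}


@dataclass
class Requirement:
    """An asset-based security requirement and the CWEs it addresses."""
    req_id: str
    asset: str
    statement: str
    cwes: Set[str]
    result: str = "not_run"  # "pass", "fail" or "not_run"


# Constructed requirements; statements and mappings are illustrative.
REQUIREMENTS: List[Requirement] = [
    Requirement("SR-1", "aes_key_reg",
                "AES key register must never flow to the JTAG data register",
                {"CWE-1191", "CWE-1244"}, "pass"),
    Requirement("SR-2", "aes_key_reg",
                "AES key register is cleared before entering debug mode",
                {"CWE-1272"}, "fail"),
    Requirement("SR-3", "debug_lock",
                "Debug lock bit is writable only once after reset",
                {"CWE-1231"}, "not_run"),
    Requirement("SR-4", "boot_rom",
                "Boot ROM contents cannot be modified after lock",
                {"CWE-1274"}, "pass"),  # cites a CWE the threat model left out
]


@dataclass
class SignOffReport:
    covered: Dict[str, List[str]] = field(default_factory=dict)       # CWE -> passing reqs
    unverified: Dict[str, List[str]] = field(default_factory=dict)    # CWE -> only fail/not_run reqs
    uncovered: Set[str] = field(default_factory=set)                  # in-scope CWE with no req
    out_of_scope: Dict[str, List[str]] = field(default_factory=dict)  # req -> CWEs not in model

    @property
    def signed_off(self) -> bool:
        """Sign-off requires every in-scope CWE to be covered by a passing requirement."""
        return not self.uncovered and not self.unverified


def sign_off(in_scope: Set[str], reqs: List[Requirement]) -> SignOffReport:
    """Enumerate every in-scope CWE and classify its verification status."""
    report = SignOffReport()
    by_cwe: Dict[str, List[Requirement]] = {c: [] for c in in_scope}
    for r in reqs:
        for c in r.cwes:
            if c in by_cwe:
                by_cwe[c].append(r)
            else:
                # A requirement citing a CWE outside the model is a hint that
                # the threat model, not the requirement, may be incomplete.
                report.out_of_scope.setdefault(r.req_id, []).append(c)
    for cwe, rs in by_cwe.items():
        passing = [r.req_id for r in rs if r.result == "pass"]
        if passing:
            report.covered[cwe] = passing
        elif rs:
            report.unverified[cwe] = [r.req_id for r in rs]
        else:
            report.uncovered.add(cwe)
    return report


def coverage_ratio(report: SignOffReport, in_scope: Set[str]) -> float:
    """Fraction of in-scope CWEs backed by at least one passing requirement."""
    return len(report.covered) / len(in_scope) if in_scope else 1.0


if __name__ == "__main__":
    rep = sign_off(IN_SCOPE_CWES, REQUIREMENTS)
    print(f"coverage: {coverage_ratio(rep, IN_SCOPE_CWES):.0%}")
    print("covered:     ", rep.covered)
    print("unverified:  ", rep.unverified)
    print("uncovered:   ", sorted(rep.uncovered))
    print("out of scope:", rep.out_of_scope)
    print("signed off:  ", rep.signed_off)
```

With the constructed data the design does not sign off: CWE-1272 is mapped only to a failing requirement, CWE-1231 only to one that never ran, and CWE-1262 has no requirement at all, so a coverage figure of 40% is reported alongside the specific gaps rather than a bare pass/fail. The out_of_scope entry for SR-4 is deliberately not treated as an error, since it usually means the threat model should be revisited rather than the requirement dropped.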
2. As Root Cause Weaknesses for CVE Numbering Authorities
The second application of CWEs is as part of the vulnerability disclosure process. A CVE Numbering Authority (CNA) is an organization responsible for assigning a CVE number to a disclosed vulnerability in a product. As of this blog, there are 215 CNA partners around the world, ranging from open-source projects to large organizations.
Most large enterprises operate their own CNA for their products. Stated differently, they take on the responsibility of conducting the public disclosure process for vulnerabilities found in their products and assigning a CVE number. For example, NVIDIA, Intel, Qualcomm, Samsung, Apple, Microsoft, Google, and many others are listed as addressing vulnerabilities for their products.
Through the vulnerability disclosure process, CNAs are responsible for identifying the root cause weakness (the CWE) of each vulnerability. This articulates what the attacker exploited to succeed, and it provides the foundation for quantifying how pervasive particular weaknesses are. With the introduction of hardware CWE, we see industry leaders becoming more effective at classifying the root cause of vulnerabilities as specific hardware weaknesses, something they were unable to do in the past. This trend will dramatically help organizations understand the most common hardware weaknesses in their products and design better mitigations going forward.
Takeaways
While hardware CWE is still in its infancy, the adoption and traction in the industry are very encouraging. We continue to see hardware CWEs adopted across the industry both as an invaluable security metric and as an enabler of a more quantitative vulnerability disclosure process, and we see no indication that this momentum is slowing down. I encourage readers of this blog to get involved in the hardware CWE initiative by participating in the Hardware CWE Special Interest Group or one of the other special interest and working groups focused on improving the overall CWE program. To learn more about our Radix technology and how we can help, please visit our website.
– Jason Oberg, Co-Founder and CTO of Tortuga Logic
Have a topic you would like to share about CWE/CAPEC? Please contact us at capec@mitre.org or cwe@mitre.org!