Designing hardware with security in mind
Wenjie Xiong, a Commonwealth Cyber Initiative Fellow, addresses cybersecurity gaps by designing attack-resilient hardware.
In modern computing devices, performance is king — often at the expense of security.
In general, hardware and software designs prioritize speed and efficiency. Commonwealth Cyber Initiative Faculty Fellow Wenjie Xiong is investigating ways to ensure that manufacturers don’t cut corners when it comes to protecting data.
Xiong’s research goals dovetail with the Commonwealth Cyber Initiative’s mission to promote cybersecurity in Virginia. The initiative’s faculty fellow program supports Virginia Tech departments in their efforts to recruit talented cybersecurity researchers like Xiong, who joined the Bradley Department of Electrical and Computer Engineering in January 2022.
While Xiong’s work addresses security gaps throughout computing design, she focuses on hardware. She fielded some questions about defending against cyberattacks from the physical side of computing devices.
Why is hardware security important?
Software and hardware are the two components of computing in our digital world. Software runs on hardware — phones, tablets, and computers. We want our data to be secure on both levels. If security is compromised in software, people have the ability to update it. But it’s much harder to update hardware. In fact, oftentimes you will have to get a new device. We focus on designing hardware with security in mind.
How do you approach secure hardware design?
Before we start designing secure hardware, we need to understand the “attack surface,” which means where and how a system is vulnerable. Once we know what could go wrong, we can fix it. In my lab, we typically analyze current designs and propose either a modification or integrate new hardware modules to enhance security while still prioritizing performance.
How do you explore the attack surfaces?
We tap into the mindset of the most advanced attacker and conduct both software and hardware analysis. Today's hardware is optimized for performance and many resources are shared for efficiency. Today, you are probably running multiple applications on your computer, and an attacker could learn meaningful information from the shared hardware resources.
We’re also investigating physical attacks, for instance, an attacker might glitch the supply voltage or the processor clock to sabotage the system output. Or an attacker could use a probe to measure how much power a device is consuming to learn valuable information. ... It’s actually pretty effective, and there are commercial products available [to do that] for about $500.
Why would someone do that?
Talented attackers can use these methods to gain access to personal information like usernames and passwords.
Do you have an example of a hardware attack?
About five years ago, researchers discovered a malware called Spectre that had been running on processors for up to three decades. Everyone is affected. This malware takes advantage of a vulnerability rooted in the features of modern processor design. We can’t disable those features because we need them for performance. This makes mitigation really hard.
What do you suggest we do?
We need better ways to analyze the design to understand the vulnerability. In addition to using our expertise to conduct security analysis, my recent work involves developing tools leveraging machine learning to automatically analyze how the hardware is vulnerable. We’re also exploring how to use machine learning tools, not only to find and analyze attacks, but also to mitigate them.
The Commonwealth Cyber Initiative Southwest Virginia Faculty Fellowship program advances Virginia as a global leader in secure cyberphysical systems by supporting recruitment of talented cybersecurity researchers in our region.