News, news analysis, and commentary on the latest trends in cybersecurity technology.
ISAs and the Dawning Hardware Security Revolution
Instruction set architecture extensions are moving the cybersecurity fight from the software to the hardware layer.
The eternal cat-and-mouse game pitting IT security improvements against evolving attacker exploits is usually framed as an arms race of rising software sophistication. Security teams implement firewall software, antivirus protection, data encryption, multifactor authentication, access controls, intrusion detection and mitigation tools, and data backup systems to better neutralize and recover from ransomware lockdowns. Conversely, the bad guys develop more subtle exploits that can pass undetected, from trickier malware schemes, such as spear-phishing attacks, to ransomware that lies in wait to pass into air-gapped backup systems before it strikes.
The game advances, and, for most of the discussion, software is the battlefield. However, those limited parameters miss a fast-arriving hardware security revolution.
Emerging technologies in the hardware security space — namely, advanced instruction set architecture (ISA) extensions — are positioned to make game-changing contributions to the IT security repertoire. Security safeguards imposed at the hardware level, the foundation upon which all malware and software-based security operate, have the unique power to pull the rug out from under attack strategies, denying nefarious applications access to exploits or even the ability to run in the first place.
ISAs Are Fundamental to IT Security
Before discussing specific new developments in hardware-based security, here's a brief history lesson. While less discussed, security protections on the hardware side of the ledger are commonplace and have long been foundational to IT security.
ISAs are fundamental to the design of computer processors, specifying the set of instructions that a CPU can execute. Some ISAs are capable of encryption and memory protection instructions. Security experts are certainly familiar with hardware-based encryption methods that prevent unauthorized access to hard drives and network data. The Trusted Platform Module (TPM) is a well-established hardware security standard that safeguards against tampering and compromise at bootup, as is Secure Boot. These security measures may currently protect the hardware you're using.
The x86 ISA is a powerful ally for security teams securing Intel-based machines. Arm, offering the most-used family of ISAs globally, has provided ISA security features in its low-overhead processors that have made it the leader in ISAs protecting phones, tablets, and other mobile devices.
Looking at more recent history, RISC-V is a free, open source ISA released in 2015. It has quickly grown in adoption for its flexibility in enabling new applications and research. RISC-V is seen as the most prominent challenger to the dominance of x86 and Arm due to its open source nature and breakneck growth.
The ISA Future Is Promising
Emerging new ISA extensions leveraging open source technologies show exciting potential to revolutionize IT security practices and enable game-changing security strategies for developer teams. One example is Capability Hardware Enhanced RISC Instructions (CHERI), a hardware-based security research project developing ISAs that include CHERI Arm and CHERI RISC-V. Led by the University of Cambridge and SRI International, CHERI-enhanced ISAs take the unique approach of controlling memory access via hardware-enforced bounds and permissions while retaining compatibility with existing software. The project also offers CheriBSD, which adapts the open source operating system FreeBSD to support CHERI ISA security features, including software compartmentalization and memory safeguards.
CHERI's possibilities are best illustrated by its most advanced prototype to date: the Morello platform from Arm, a system-on-chip and development board that combines CheriBSD and a high-performance core. The Morello platform can provide software developers with a fully memory-safe desktop environment. Efforts to standardize CHERI for the open source RISC-V ISA are underway and will leverage existing FPGA implementations for RISC-V. In a signal of the vast promise of CHERI-driven hardware-based security strategies, Google, Microsoft, and other major players have partnered with the project and actively contribute to research on the Morello platform and CHERI-RISC-V.
Why are CHERI and other emerging ISA solutions so potentially revolutionary? Protecting against memory safety vulnerabilities, such as Log4j, from system apps written in C/C++ is a top priority globally, which has a long history of known memory exploits. Rewriting millions of apps is cost-prohibitive, and what is needed is a better way to protect users.
This is where new hardware-based security mechanisms like CHERI come in. These could render organizations immune to broad swaths of attacks and software vulnerabilities. Systems leveraging CHERI could prevent any attack that focuses on memory exploits, such as buffer overflows and use-after-free vulnerabilities. The high-performance compartmentalization provided by emerging ISAs also grants security teams a powerful tool for securing access to sensitive data and protecting it from attackers. Further, CHERI researchers have demonstrated a full memory-safe desktop application stack built on FreeBSD that requires only minimal software adaptation.
Open Source Drives IT Security Forward
The increasing complexity and sophistication of modern attack techniques all but demands a revolution in IT security capabilities. Emerging technologies offer that opportunity in the form of new security strategies that wield comprehensive, balanced software and hardware protections.
The collaborative power of open source is an essential engine behind this revolution, accelerating progress on projects through contributions from across the IT and security community. Going forward, organizations that reinforce their security postures with a thoughtful assembly of advanced ISA hardware-based security and compatible software-based security tools will achieve the best outcomes.
About the Author
You May Also Like