[Editor’s Note: This post is the first in a series of micro-blogs over four consecutive days.]
0-day security exploits are attacks that use vulnerabilities that are unknown to a vendor. They are referred to as 0-days because the vendor knows about them for zero days before the attack. This post is about the rise of 0-day exploits that utilize hardware vulnerabilities, i.e., vulnerabilities in the ISA, microarchitecture, circuit or device, to break systems. A prominent recent example of a hardware 0-day is a security attack based on the DRAM “row hammer” reliability problem [ROWHAMMER].
We know a few things about software 0-days: software vulnerabilities that can be turned into robust exploits are hard to find, but once discovered they can be converted into a reliable exploit within a few weeks of the discovery. The chance of two different entities discovering the same software 0-day vulnerability is low (roughly 5%), and the average lifetime for a 0-day is roughly 6.5 years [RAND, SIPA]. There is a wide range of prices for 0-days, from a few thousand dollars to millions [ZERODIUM].
My view is that software 0-days will become even harder to find and/or exploit going forward. This is not only because of the recent unprecedented leaks of software 0-days [LAWFARE] but also due to improvements in software security (including hardware support for software security) as evidenced by the increasing complexity of software attacks.
Hardware 0-day exploits are likely to be even harder to find and exploit compared to software 0-days. Hardware validation is more thorough than software validation, which leaves fewer bugs for attackers to exploit in shipped products. But a hardware 0-day vulnerability/exploit is a non-zero probability event that exposes both users and vendors to very serious risk because of the difficulty of finding and/or distributing a mitigation: just imagine the danger from an unpatchable hardware 0-day vulnerability in chips used in cars or banks.
This brings us to the question of this post: what should one do when they discover a hardware 0-day? The situation here is loosely analogous to discovering a formula for a deadly biological agent. We might want to keep it a secret while we work on an antidote. This, however, may not be the best strategy because a) secrets don’t remain secrets forever, and b) a defense may require more resources and/or a different kind of thinking. What happens when the formula leaks out or the agent breaks out? Without a cure, keeping the discovery secret can severely hurt the survival chances of the entire population.
In addition to this difficult issue, there are financial, legal and business issues concerning hardware 0-days that differ based on who you are and what your objectives are.
- What should you do if you are a government agency?
- What should you do if you are an academic?
- How should companies respond to a hardware 0-day?
In three blog posts over the next three days, I will discuss each of these scenarios.
About the author: Simha Sethumadhavan is an associate professor at Columbia University. His interests are in computer architecture and computer security. He is the founder of Chip Scan Inc. His website is: http://www.cs.columbia.edu/~simha