One-hundred thousand new unique pieces. That's how much malware comes into existence every day and threatens electronics systems, according to McAfee.
Couple that with the very complex systems we're building and the enormous monetization opportunities for malware writers, and we have serious security problems, says Ernie Brickell, Chief Security Architect with Intel (pictured left; photo, Chris Edwards, Tech Design Forum). Brickell keynoted the 2014 Design Automation Conference's final morning with the topic "The Intel Security Architecture Vision."
His bottom line was that hardware and software teams need to work together to close the security gaps because both are vulnerable.
He told the DAC audience here:
"We can't solve the entire problem. The entire problem involves both hardware and software, but it's also not appropriate for hardware to say this is a software problem, let them go off and solve it. We want to keep working and say ‘what can we do at the hardware level to help solve this industry wide problem?'"
Brickell's advice was sprinkled with common sense:
Don't introduce bugs. Create a security-review process that mirrors the development process. In addition, make sure someone on the security-review committee specializes in the security of debug. "He's not responsible for debug. He's responsible for making sure debug hooks don't open pathways."
Identify your critical assets and wall them off as best you can. "How can I design this architecture so I have the smallest attack surface around that asset?"
It's the last point where Intel is bringing some technology to bear.
The Great Walls
Brickell described virtualization, where engineers isolate sensitive data in a separate virtual machine, putting in a hypervisor under the operating system and running sensitive data in the separate virtual machine.
"In theory this works fairly well because you can put in a small hypervisor and a small OS. In practice it doesn't always work. People put in a hypervisor that's too complex, which can hamper the development cycle and add system complexity."
Adding a security processor on which to run a separate operating system works too. It has its own memory space which helps wall out intruders.
Of most note, however, is that Intel is researching Software Guard Extensions, which, he said, "give any application the ability to defend secrets." As Intel material explains, the extensions are a set of new CPU instructions that can be used by applications to set aside private regions of code and data.
Brickell used an example of a web browser through which one makes financial transactions. "You put authentication tokens and the code that needs to access those authentication tokens inside this special portion that's protected. The portion that's protected has smallest (attack) surface possible. The extensions remove the rest of the app from the attack surface," he said.
-- DAC 2014: Mixed-Signal Designers Cite Verification Challenges, Solutions
-- DAC 2014: Computer Vision Coming but Requires Engineering Flexibility, Creativity
-- DAC 2014 Keynote: Qualcomm VP Outlines Mobile Computing Challenges