Āé¶¹“«Ć½

Uncrackable computer chips stop malicious bugs attacking your computer

Cyberattacks target not just our phones and laptops, but hospitals, schools and power stations. A new security solution redesigns chips from the inside out

high-security artwork

EVEN if you’re not a hacker or a coder, chances are you will have heard names like Stuxnet, NotPetya or WannaCry. After all, these malicious programs have made big waves in the past few years. First it was Iran’s nuclear centrifuges that were the target, then Ukraine’s banks, then last year, hospitals in the UK. These cyberattacks keep coming.

The standard response is to release software patches, the updates that pop up on our computers and smartphones. They are designed to seal up the holes that hackers exploit to smuggle their malicious code through. The trouble is, there are more than 100,000 holes out there – and that’s just the ones we know about. Plenty more are surely waiting to be found. ā€œTo successfully defend, you must find all weaknesses and plug them,ā€ says Linton Salmon, who runs a computer security programme at the US Department of Defense. ā€œTo successfully attack, you only need to find one.ā€

It’s a losing battle, and one we can no longer afford to fight. As we build the internet of things, putting simple processors into garage doors, fridges, light bulbs and windscreen wipers, that truth is only going to become plainer. If we are going to put computers in everything, it is time we souped up their defences.

That is what Salmon and a few others have been quietly working on. We can protect ourselves from cyberattacks, they say, not with ever more patches, but with changes to computers’ underlying electronics. It means overhauling the way we build microprocessors, but the world’s biggest chip-makers are already getting in on the action. With a layer of protection at the heart of every chip, the hope is that we will stem the tide of cyberattacks.

Most of us use at least two computers a day, whether they be laptops, tablets, smartphones or smartwatches, and we are used to software like web browsers and spreadsheets doing our bidding. When you strike a key or click an icon, that instruction must ultimately be carried out by the computer’s hardware, specifically the processor, which is usually a single microchip. The building blocks of the processor are transistors – minuscule electronic switches – organised into functional components like memory and logic units.

But software can’t communicate directly with transistors. Software is based on words and symbols, whereas transistors understand only two commands: switch on or switch off. To help the software and hardware communicate, there are go-betweens, such as programs called compilers that translate software instructions into machine code, a binary language of 1s and 0s, or ons and offs.

Big, dumb retriever

How that translation works is determined by the chip’s architecture. This is the set of rules, embodied in the physical design of the processor, that governs how the software gets access to the hardware. It determines how much memory a program has access to, for example. ā€œThink of it like a contract that tells the software people what to expect from the hardware,ā€ says Richard Grisenthwaite of Arm, the firm that makes processors for most smartphones.

The rules vary slightly with the processor, but all architectures are similar, particularly in one respect. ā€œA chip is fundamentally gullible,ā€ says Salmon. ā€œGive it any instruction you like, and it says: ā€˜Okay, let me do that as fast as I can! Does it make any sense? I don’t care, you asked me to do it. You’re the boss!’ It’s like a big, dumb golden retriever.ā€

computer chip
Processors can contain 5 billion transistors but few are devoted to security
STMicroelectronics/Cobham Gaisler

There’s a good reason for this. In the 1970s, chips had only about 5000 transistors. To make processors as fast as possible, none could be wasted. Architectures were designed so that whenever software made a demand the chip would comply, no questions asked.

Some 50 years later, the chips in your laptop and smartphone have about 5 billion transistors. But the golden retriever architecture has remained, largely because changing it significantly would make it incompatible with existing software.

The unpleasant consequence is that when a hacker finds a sneaky way into a processor, it is only too happy to oblige any requests. That means it is possible to harvest sensitive data like usernames and passwords or get the processor to do nefarious deeds.

The idea of making chips less gullible is not new. More than a decade ago, computer scientist at Princeton University published designs for processors that would wipe parts of their memory automatically after a period of time. Back then, the big chip manufacturers weren’t interested, but that’s starting to change for a few reasons. For one thing, 5 billion is a lot of transistors. Processors are now so fast that we can afford the drop in speed when we devote a few to security checks. For another, we are increasingly spooked by hacks, and security is becoming a selling point.

It’s not just Lee who has long seen the need for better security. In 2010, Howie Shrobe, a computer scientist at the Massachusetts Institute of Technology (MIT), went to the US government’s Defense Advanced Research Projects Agency, where he launched a programme known as . It posed a simple question: given everything we know about security today, how would we design computing infrastructure – hardware, software, servers, networks, the lot – if we started from scratch?

The biggest problem the project identified was how interconnected computers are, giving hackers easy access to a lot of information. But that horse has long since bolted, so CRASH homed in on one way forward: redesigning the hardware.

Salmon picked up where CRASH left off. He trawled the world’s most authoritative , kept by the Mitre Corporation, a non-profit organisation based in Massachusetts, and identified the most common hardware ones. There turned out to be seven main classes of hardware vulnerability, which together account for almost half of known hacks (see ā€œDeep hacksā€).

In 2017, Salmon launched a programme called System Security Integrated Through Hardware and Firmware (SSITH). It is giving nine competing research teams a share of $60 million to develop processors impregnable to all those seven classes of attack by March 2020. No one has tried anything this ambitious before.

The gold standard of hardware defence is formal verification, a way of using fiendishly complicated maths to prove that the hardware does only what it should do. It requires rigorous checks to be made, which takes time. So far, it has only been used in custom-made chips for applications where human life is at stake, for example in flight control systems.

That’s changing.ā€I looked into formal methods a few years ago and was pretty disappointed,ā€ says Ben Laurie, head of security at the Google-owned artificial intelligence firm DeepMind. ā€œBut then I looked into it again more recently and was surprised by the amount of progress.ā€ Salmon is similarly confident. He says improvements to algorithms should make formal verification of hardware practicable by 2020.

at MIT is working on a processor design that uses formal verification as part of SSITH. ā€œWe’re building a compiler that automatically implements that idea,ā€ he says. At the moment, however, his method only works for parts of chips, and it is uncertain how quickly it can be scaled up.

A good backstop option might not be too distant, however, thanks to another line of research for SSITH: instead of radically redesigning processors, you can give them a partner to help them out.

This idea is being taken forward by , an engineering non-profit company headquartered in Cambridge, Massachusetts. Inside the main processor, every kind of data is given a tag that specifies what security policies it must adhere to. Those policies are held on an adjacent coprocessor, which vets every action the main processor takes. If anything breaks the rules, the flinty-eyed coprocessor stops it. If it tries to find another way to execute, the coprocessor shuts down the program. Draper calls this an inherently secure processor.

This set-up allows chip manufacturers the best of both worlds. Should someone identify a new hardware vulnerability, the policies in the co-processor can be updated without messing around with the main chip. ā€œA new policy can be deployed almost immediately,ā€ says Draper scientist Curtis Walker. It is as fast as a software update, and as strong as changing the hardware.

Still, even if this prevents people from stealing passwords, continual attacks could force programs to shut down. That’s far from ideal – especially if the program is controlling something crucial, like an electricity grid or a nuclear power plant.

, who studies secure computer architectures at the University of Cambridge, is working on a third way with colleagues at Cambridge and at SRI International, a research institute in California.

His architecture, called CHERI, traps malicious software, partitioning it off so it can do little damage. Think of what happens when everyday software like Microsoft Word freezes on your computer. You can force it to quit with a few clicks, and this won’t affect other applications. CHERI works in a similar way, at the hardware level.

ā€œHackers can get into chips – but then they’re trapped with nowhere to goā€

Let’s say a hacker emails you a corrupted image that, if clicked on, will trick your email software into sending malicious code to the processor. A processor using the CHERI architecture will construct a perimeter wall that isolates the compromised part of the processor. This wall is reconfigurable, so it can trap the enemy code in one mailbox, one email or even just the corrupted image

nuclear power plant
Some nuclear power plants already use ā€œunhackableā€ chips
Korea Hydro and Nuclear Power Co. via Getty

itself. Attackers can get in, but then find themselves with nowhere to go.

Ģż

Some infrastructure already uses incredibly secure chips: nuclear plants for example. The people who run them ā€œare even more paranoid than I amā€, says Salmon. But those chips are expensive and slow, optimised for one job. You couldn’t use them in a smartphone or a laptop.

Switching the processors in those everyday computers for something more secure would mean a huge upheaval. ā€œIt’s really not that simple to replace the systems that are out there,ā€ says Katie Moussouris, an information security researcher who started Microsoft’s bug bounty programme, which pays hackers to report software vulnerabilities. So will it ever happen?

Armageddon chips

There are reasons to be optimistic. Sarah Leeper, an engineer at Draper, works with a spin-off company called Dover Microsystems that is already marketing a commercial version of the inherently secure processor. Leeper says the firm is in touch with electricity grid operators who want to use it.

The major microchip manufacturers have also begun to take less radical steps towards making hardware that helps constrain the software that runs on it. ā€œWe are already working on our own hardware security projects,ā€ says Ronak Singhal, an engineer and senior fellow at Intel.

Even the cheapest chips, those in devices that might be connected to the internet of things, could be switched. Arm’s primary interest beyond phones is in such devices, and Grisenthwaite says the firm has long been watching Watson’s CHERI architecture. ā€œWe are really interested in what he’s doing.ā€

But hardware security is unlikely to end cyberattacks completely. ā€œThe ground is littered with the bodies of all the people who have ā€˜solved’ cybersecurity,ā€ says Salmon. That’s partly because there will always be old systems in our computing infrastructure, not to mention attacks that rely on human gullibility: phishing, for example, or someone putting a sticky note bearing their password on their monitor.

Sooner or later, something very important will be attacked, perhaps a power grid, bank or hospital, with major consequences. That’s why it is good to think about a hardware overhaul, says Lee. ā€œWe need a chip that we can use the day after the catastrophe,ā€ she says. ā€œIf the change doesn’t happen before that day, it will happen after – and it will happen fast.ā€

Deep Hacks

Some hacks depend on software loopholes that can simply be patched by updating computer code. But 43 per cent of hacks go deeper, exploiting inherent weaknesses in a machine’s hardware.

One of the classic hardware vulnerabilities is to do with slices of a chip’s memory called buffers. Buffers are designed to fit only a certain amount of data. The trouble is, some have a flaw: if someone forces too much data into one, the original information is overwritten. This gives attackers a way to smuggle malicious code into the processor. Once their code is there, the processor will carry out its instructions. This is how the WannaCry attack of 2017 locked up computers belonging to the UK National Health Service. There are another six classes of hardware vulnerability that work in similar ways.

In January 2018, two related bugs called Spectre and Meltdown came to light. These appear to be an eighth class of hardware vulnerability.

These bugs arise from the fact that chips often perform certain checks before they carry out operations, to confirm they will work. They might check there’s enough memory available, for instance. But for the sake of speed, chips have long been designed to skip the checks under certain circumstances, and instead carry out ā€œspeculative executionsā€. Hacks exploiting Spectre and Meltdown use this vulnerability to trick chips into doing what they ask.

The bugs have existed since about 1995. Nearly every computer with an Intel chip is vulnerable, and attacks would be tough to detect. But the most disturbing fact about Spectre and Meltdown is that they took more than 20 years to find. There are surely plenty more bugs like them lurking out there.

This article appeared in print under the headline ā€œCan’t hack itā€

Topics: Computer crime / cyberattacks / Hacking