CWE Hardware Weaknesses


CWE Hardware Weaknesses

asummers
Administrator

Dear Research Community,

In an effort to expand the scope of CWE from solely software weaknesses, we are excited to announce that the team has begun to explore integrating hardware weaknesses into the CWE corpus. This is something that we’ve been considering for a number of years, and with our goal to further grow CWE as a valuable resource for the security community, the time seems right to revisit and make it happen.

Hardware security issues (e.g., LoJax, Rowhammer, Meltdown / Spectre) are becoming increasingly important concerns for both enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. It is essential to understand the different types of weaknesses in this space so that hardware designers can begin to understand and take action against these types of flaws.

We hope to work with the community actively on this and are looking for opportunities to engage experts in this field to help us understand the types of hardware weaknesses that are common today. Please let us know if you would like to get involved.

Best,

Alec

-- 
Alec J. Summers
Cyber Solutions Division
Cyber Security Engineer, Lead
(781) 271-6970


MITRE - Solving Problems for a Safer World

 



[EXT] Re: CWE Hardware Weaknesses

Kurt Seifried
What about locks? This is literally security hardware that's been around (checks wikipedia page) in metal for 1000+ years, and wood since Assyria. An existing corpus of work: https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ (Lockpicking Lawyer), and I would especially point out https://www.youtube.com/watch?v=VNWSx6v4vxg (TL;DR: almost 100 years of.... making the same easily picked locks).  Last I checked every data center has locks.

On Thu, Oct 10, 2019 at 8:09 AM Summers, Alec J <[hidden email]> wrote:

Dear Research Community,

In an effort to expand the scope of CWE from solely software weaknesses, we are excited to announce that the team has begun to explore integrating hardware weaknesses into the CWE corpus. This is something that we’ve been considering for a number of years, and with our goal to further grow CWE as a valuable resource for the security community, the time seems right to revisit and make it happen.

Hardware security issues (e.g., LoJax, Rowhammer, Meltdown / Spectre) are becoming increasingly important concerns for both enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. It is essential to understand the different types of weaknesses in this space so that hardware designers can begin to understand and take action against these types of flaws.

We hope to work with the community actively on this and are looking for opportunities to engage experts in this field to help us understand the types of hardware weaknesses that are common today. Please let us know if you would like to get involved.

Best,

Alec

--
Kurt Seifried
[hidden email]

Re: [EXT] Re: CWE Hardware Weaknesses

asummers
Administrator

Kurt,

Thanks for your note. At this time we are focusing the CWE content expansion effort on computer hardware design weaknesses associated with architecture, implementation, manufacturing, and provisioning on examples such as core, volatile/non-volatile memory, platform-on-a-chip, etc. I appreciate your interest and links to the interesting resources.

Cheers,

Alec


From: Kurt Seifried <[hidden email]>
Date: Thursday, October 10, 2019 at 12:08 PM
To: "Summers, Alec J" <[hidden email]>
Cc: CWE Research Discussion <[hidden email]>
Subject: [EXT] Re: CWE Hardware Weaknesses

 

What about locks? This is literally security hardware that's been around (checks wikipedia page) in metal for 1000+ years, and wood since Assyria. An existing corpus of work: https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ (Lockpicking Lawyer), and I would especially point out https://www.youtube.com/watch?v=VNWSx6v4vxg (TL;DR: almost 100 years of.... making the same easily picked locks).  Last I checked every data center has locks.

 
