5 Concluding Discussion
Fred Schneider, Cornell University, closed the workshop with a synopsis of the issues addressed and moderated a brief final discussion.
Schneider began by reflecting on some “watershed events” in how the field’s response to security vulnerabilities has evolved. A first event he noted was when researchers realized that the C programming language was prone to significant security errors. Eventually, compiler flags and modern programming languages were developed that were effective at ruling out certain classes of these errors.
The second event he discussed was the floating-point division error in Intel’s early Pentium chips, discovered in 1994. While it was not the first such bug, it was the first to convince the computing world just how disastrous hardware-instruction errors can be. It was very expensive to repair deployed computers and repeat suspect computations, and it led Intel to adopt a whole new set of techniques for validation of processor designs.
Spectre, he suggested, is also going to be a watershed event. In this case, he argued, we have encountered a vulnerability that is extremely difficult, if not impossible, to mitigate, given our current capabilities and processes.
Schneider highlighted that attacks have evolved considerably over the past 50 years. Early on, adversaries attacked software systems. Now, even processors and their supply chains are at risk. Internet of Things (IoT) devices are also a likely vector for many future attacks, thanks to their sheer number and the difficulty of ensuring consistent security for devices manufactured by a multitude of small companies with varying expertise, motivations, and mechanisms for implementing protections, he said.
One key takeaway from the workshop, Schneider said, is that computer scientists and manufacturers need to revisit how they understand the contract interface between the hardware and the software and how they view the role that microarchitecture plays. The trade-off between security and performance must be revisited, and more research needs to be done to answer tough questions in this space, he argued. Spectre underscores the need for a new generation of hardware and processors, but this will not be an easy feat for manufacturers.
Schneider also said that a further complication is that manufacturers must work strategically to prioritize and allocate their investments in bug repair and mitigation: resources are always limited in some way. Even beyond the responsibilities of individual companies, there is a need for society as a whole to develop a triage system to address new vulnerabilities as they arise. Security does not occur in isolation, he said; everything—the cloud, the software, the individual machines—has to be secure.
A new generation of attacks also requires a new generation of patches and patch deployment strategies, Schneider noted. Intel’s microcode patches are a good place to start, although it is too soon to say how robust these will be. An agreed-upon routine set of steps to follow (such as Schwartz proposed) is likely to be necessary for successful patch deployment, said Schneider. In short, Schneider concluded, Spectre has demonstrated that a triage system and a routine, agreed-upon response strategy—rather than an ad hoc one—will be critical to the evolution of cybersecurity going forward.
Bob Blakley, Citigroup, commented that Stuxnet, a malicious computer worm first discovered in 2010, represents another watershed event, because it was the first time that attackers sought to cause physical damage and not just steal information. Building on this point, David Clark, Massachusetts Institute of Technology, posited that the threats are likely to evolve further in that direction. Many past attacks have resulted in data breaches, and more recently, ransomware attacks have resulted in loss of availability, he said. But the next big cyberattack may well be one that involves malicious destruction, perpetrated through hardware. As such, Clark argued, a key challenge in hardware development is to avoid missteps that allow attackers to use these devices to kill people or destroy infrastructure.