

Changing Industry Mindset, Practices to Tackle Cybersecurity Flaws – EE Times Europe

The Digital Security by Design initiative held a series of roadshows to detail its approach to addressing fundamental cybersecurity issues. We present the visualizations of those talks.
Is it possible to change the industry mindset on cybersecurity when products are still made using hardware and software design practices that have allowed the exploitation of memory vulnerabilities for 50 years? A U.K. government-backed initiative supported by Arm, Microsoft, and Google is taking on the challenge, addressing this fundamental flaw in chip design, which has left devices inherently vulnerable to cyberattacks.
Digital Security by Design (DSbD), funded by UK Research and Innovation (UKRI), is building on work done by the University of Cambridge and industrial partners, as well as on research carried out since 2010 by the U.S. Defense Advanced Research Projects Agency (Darpa) and others. The program hit a landmark in January when Arm released a system-on-chip and demonstrator board based on the Capability Hardware Enhanced RISC Instructions (CHERI) architecture, resulting from research to define hardware capabilities that would fundamentally provide more secure building blocks for software. The Arm Morello board is being made available to developers for exploration of the new protection model.
Today, organizations looking to protect their attack surface are often trapped in a continuous cycle of patching and mitigating vulnerabilities. DSbD aims to break the cycle. In the long term, the proposed approach to security will help prevent memory pointer exploits, blocking the exploitation of up to 70% of ongoing vulnerabilities. In a recent podcast, I spoke with DSbD program lead John Goodacre, professor of computer architectures at the University of Manchester, about the initiative and the issues that led to it.
Embedded.com was a media partner with DSbD’s in-person and online Four Nations Roadshow series to introduce the program. The physical events took place in England, Scotland, Wales, and Northern Ireland, with online attendees from around the world able to sit in on presentations by prominent speakers in the fields of computer system architecture and cybersecurity.
I had the pleasure of moderating these events, which together formed a continuous story covering the history of computers and computing, new technologies in cybersecurity, how to strengthen the foundations for security, and a look at the future for trusted computers. Each event was visualized by a live illustrator (scribe), Chris Shipton of Live Illustration Ltd., whom DSbD commissioned to produce a graphic record of the key points. We present his visualizations here, courtesy of Live Illustration.
The roadshow kicked off at the National Museum of Computing in Bletchley Park, England, with a survey of the history of computers by Sir Dermot Turing, an author and the nephew of Alan Turing. “Software and hardware are not as disconnected as we think,” Turing cautioned his audience.
In a talk on the history of computer performance, Andrew Herbert, chairman of the board of trustees at the National Museum of Computing and former chairman of Microsoft Research, noted that “computer memory has always been the Achilles’ heel” of cybersecurity. Professor Genevieve Liveley, senior lecturer in classics at the University of Bristol and a Turing fellow, explored the art of future thinking and called for “resisting the notion that present and historical trends are inevitable — we call this chronocentrism.”
In the final talk, Andrew Elliot, deputy director for cyber security innovation and skills at the Department for Digital, Culture, Media and Sport (DCMS), looked at the ubiquity of computers in the digital world and the implications for security.
The next chapter in the story explored the world of cybersecurity today and new technologies in cybersecurity. The event, held at the Glasgow Science Centre in Scotland, was kicked off by University of Manchester professor Daniel Dresner, who explored the socioeconomic impacts of cyberattacks and the blame game that ensues when something goes wrong. “We’re living with 20th century technology while having 21st century expectations,” Dresner said.
Paul Waller, head of research at the National Cyber Security Centre (NCSC), talked about fixing the foundations for security and the need for academia and industry to work together toward that end. Emphasizing the common theme that the industry is still grappling with the last century’s security vulnerabilities, he noted that “buffer overflows [are] a systemic flaw discovered in 1972.”
Simon Moore, professor of computer engineering at the University of Cambridge, went into technical detail on CHERI, looking at the importance of memory pointer integrity and bounds checking. “Code bloat makes it easier for attackers,” Moore said. “Software compartmentalization decomposes software into isolated compartments.”
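The pointer-integrity and bounds-checking idea Moore describes, as an added illustration that is not code from the talk, from DSbD, Arm, or the CHERI project: a plain-C model of a capability (a pointer that carries the bounds of the object it was derived from), used to show why a copy that overruns an 8-byte field corrupts the field next to it through a raw pointer but is refused through the bounded pointer. The cap_t type, its functions, and the 12-byte input are all constructed for this example; real CHERI performs the check in hardware and also carries permissions and a validity tag, which the model omits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a hardware capability: a pointer that carries
 * the bounds of the object it came from. Real CHERI capabilities also hold
 * permission bits and a validity tag; this model keeps only the bounds. */
typedef struct {
    uint8_t *base;   /* lowest address the capability may touch */
    size_t length;   /* number of bytes from base that are in bounds */
} cap_t;

/* Derive a capability covering exactly one buffer. */
cap_t cap_from_buffer(uint8_t *buf, size_t len) {
    cap_t c = { buf, len };
    return c;
}

/* The check the hardware performs on every dereference. */
bool cap_in_bounds(const cap_t *c, size_t offset, size_t n) {
    return offset <= c->length && n <= c->length - offset;
}

/* Checked store: nothing is written when the access would leave the bounds. */
bool cap_store(cap_t *c, size_t offset, const uint8_t *src, size_t n) {
    if (!cap_in_bounds(c, offset, n))
        return false;
    memcpy(c->base + offset, src, n);
    return true;
}

/* Two adjacent fields: an overrun of 'name' lands in 'neighbour'. */
typedef struct {
    uint8_t name[8];
    uint8_t neighbour[8];
} record_t;

static size_t neighbour_bytes_clobbered(const record_t *r) {
    size_t count = 0;
    for (size_t i = 0; i < sizeof r->neighbour; i++)
        if (r->neighbour[i] != 0)
            count++;
    return count;
}

/* Constructed input: 12 bytes of 'A' destined for the 8-byte 'name' field. */
#define INPUT_LEN 12
static void make_input(uint8_t *out) { memset(out, 'A', INPUT_LEN); }

/* Raw pointer: an address and nothing else, so the copy spills past 'name'
 * into 'neighbour'. The loop stays inside the struct (12 < 16 bytes) so the
 * demonstration itself is well-defined C. Returns how many bytes of
 * 'neighbour' were overwritten. */
size_t overflow_with_raw_pointer(void) {
    record_t r;
    uint8_t input[INPUT_LEN];
    make_input(input);
    memset(&r, 0, sizeof r);
    uint8_t *p = (uint8_t *)&r;  /* no notion of where 'name' ends */
    for (size_t i = 0; i < INPUT_LEN; i++)
        p[i] = input[i];         /* bytes 8..11 land in 'neighbour' */
    return neighbour_bytes_clobbered(&r);
}

/* Same copy through a capability bounded to 'name': the store is refused
 * outright and 'neighbour' is untouched. 'accepted' reports the verdict. */
size_t overflow_with_capability(bool *accepted) {
    record_t r;
    uint8_t input[INPUT_LEN];
    make_input(input);
    memset(&r, 0, sizeof r);
    cap_t name_cap = cap_from_buffer(r.name, sizeof r.name);
    *accepted = cap_store(&name_cap, 0, input, INPUT_LEN);
    return neighbour_bytes_clobbered(&r);
}

int main(void) {
    bool accepted;
    printf("raw pointer: %zu neighbour bytes clobbered\n",
           overflow_with_raw_pointer());
    size_t hit = overflow_with_capability(&accepted);
    printf("capability:  %zu neighbour bytes clobbered, store %s\n",
           hit, accepted ? "accepted" : "refused");
    return 0;
}
```

Compiled with any C99 compiler and run, the raw-pointer path reports four neighbour bytes overwritten and the capability path reports none with the store refused. The contrast is the point of the architecture: the copying code's intent is unchanged, and what changes is that the pointer itself knows the extent of the object it refers to.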
In the closing talk, Jude McCorry, CEO of the Scottish Business Resilience Centre, explained why relying on luck alone is not a great cybersecurity strategy.
At the third event, in Newport, Wales, speakers looked at how foundations can be strengthened to make the world more secure, not just from a technology standpoint but for all stakeholders. Setting the context, Clare Johnson, partnerships and outreach manager for digital and STEM at the University of South Wales and founder of Women in Cyber Wales, highlighted the importance of partnerships and collaborations in the adoption of new technologies. John Goodacre, the challenge director for the DSbD initiative and professor in computer architectures at the School of Computer Science at the University of Manchester, then asked, “Can we actually prevent computer security vulnerabilities with today’s solutions?”
Arm fellow and chief architect Richard Grisenthwaite outlined the Arm Morello program and its role in realizing a solution for addressing the fundamental security vulnerabilities that other roadshow speakers had highlighted. David Chisnall, principal researcher in the Confidential Computing Group at Microsoft Research Cambridge, then asked, “Do we still need safe languages if we have CHERI?”
Wrapping up the event, Katy Ho outlined how people could get involved in DSbD’s design technology access program.
The final event in the series, which took place in Belfast, Northern Ireland, looked at what’s next — the future for trusted computers. The director of Discribe Hub+ at the University of Bath, Professor Adam Joinson, discussed the socioeconomic impact of security on trust. Philip Wilson, director of research and development for The Hut Group Plc, offered a software programmer’s perspective, providing some great real-world examples of where things can go wrong and presenting a case study of security in e-commerce. Next, Pytilia CEO Tim Silversides talked about growing and differentiating a business through security by design.
Finally, from Queen’s University Belfast, Maire O’Neill, professor of information security at Queen’s Centre for Secure Information Technologies (CSIT), mapped the future for trusted computers. She brought the story full circle, detailing why we need to move away from the current strategy of mitigating and patching.
This article originally ran on sister site embedded.com.
Nitin Dahad is Editor-in-Chief of embedded.com and a correspondent for EE Times and EE Times Europe. Since starting his career in the electronics industry in 1985, he has had many different roles: from engineer to journalist, and from entrepreneur to startup mentor and government advisor. He was part of the startup team that launched 32-bit microprocessor company ARC International in the US in the late 1990s and took it public, and co-founder of The Chilli, which influenced much of the tech startup scene in the early 2000s. He has also worked with many of the big names – including National Semiconductor, GEC Plessey Semiconductors, Dialog Semiconductor and Marconi Instruments.