“As we head into 2023, the financial impact of cybercrime is heading towards the $10 trillion mark with no signs of slowing. As our world becomes ever more connected and dependent on technology, the traditional approach to cyber security of cleanliness and the rush to patch will continue to struggle to keep up. The doom and gloom headlines will continue to be written about data loss and a lack of resilience or trust from an ever-increasing breadth of cyber-attack across the digital world”.
“IT teams and users alike are already stretched to the limit, many acknowledging that they do not have the skills or time to keep up with the almost weekly attempted attacks and zero-day patches. Simply monitoring for and patching vulnerabilities that are discovered at the user level is not a battle that can be won by thedefenders, especially when attackers only need to be right once to exploit a vulnerability”.
Professor John Goodacre, Challenge Director, Digital Security by Design, UK Research and
Innovation
“The UK is seeking to do something about this to balance responsibility across the supply chain. Already in 2022, we have seen the Government’s PSTI Bill looking to ensure that consumer products are shipped more securely by default, placing more responsibility on the product manufacturer. The UK Government is not stopping here though. As part of the UK’s National Cyber Strategy there is now a focus on the underlying technology that our digital world is built upon ensuring products are not only secured by default to help reduce the number of vulnerabilities, but also secured by design of the components and enabling technologies to help protect against the inevitable remaining vulnerabilities”.
“Over the next few years, UK Research and Innovation’s Digital Security by Design Programme, part of the National Cyber Strategy, has been redesigning from the ground up the way software interacts with hardware so it can block the exploitation of around 70% of the ongoing discovered vulnerabilities by design while also enabling new ways of software development to maintain resilience and integrity. Working across Government, Industry and Academia the £300m programme has been distributing a prototype with developers and researchers finding more ways to protect everything digital from cyber and operational incidents.”
“As we move into 2023, we will really start to see early examples for sectors where this innovative technology can reduce threats and block exploitation of vulnerabilities. Developers and IT teams will become more vocal, pressing for the day they can benefit from new hardware that can actively block exploitation of vulnerabilities and their need to chase the ever-increasing number of patches”.
There were some big cyber stories in the news in November. Lenovo fixed two high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models that could allow an attacker to deactivate UEFI Secure Boot. UEFI Secure Boot is a verification system that ensures no malicious code can be loaded and executed during the computer boot process. The consequences of running unsigned, malicious code before OS boot are significant, as threat actors can bypass all security protections to plant malware that persists between OS reinstallations.
Professor John Goodacre, Challenge Director, Digital Security by Design, UK Research and Innovation shared his thoughts on this, saying “Secure boot is built on a hierarchy of trust typically rooted in technologies fixed in the hardware of a device. Such systems are used to ensure that despite any exploitation of a vulnerability during the normal operation of a system it can be recovered through a reboot. It is therefore essential that by design, the secure boot of a system cannot be altered while in normal operation. For example, the Windows 11 requirement for a Trusted Platform Module (TPM) means that the operating system, much of which operates with elevated privileges, is considered as part of the normal operation and as such can be restarted cleanly and patched. Unfortunately, all software should be considered to contain vulnerabilities, and therefore it’s essential that during normal operation no mechanisms can circumvent secure boot. Although a move to using digital secure by design execution of software will significantly reduce the opportunity to exploit vulnerabilities, any mechanism in which an exploitation of normal operations can take control of secure boot means they are open to ransomware and other denial of service attacks and highlights the need for trust across the various components of secure boot.”
The National Security Agency (NSA) has recommended only using ‘memory safe’ languages, like C#, Go, Java, Ruby, Rust, and Swift, in order to avoid exploitable memory-based vulnerabilities. The agency explained that memory issues in software make up a large portion of exploitable vulnerabilities. Due to this concern, the authority has advised developers to consider moving from programming languages with little or no memory protection, like C and C++, to a memory safe language.
Commenting on this, John Goodacre said: “There are trillions of lines of code being used today written in c/c++ making it impossible to consider re writing it all into a memory safe language. Even when new code uses such languages, it’s inevitable that it will be relying on code written in an unsafe language through its use of libraries or an operating system. Further, many of the higher- level languages are sandboxes by their runtime making them unsuitable for many classes of applications. In the UK Government supported initiative, known as Digital Security by Design, a new approach known as CHERI has been applied to both Arm and RISC-V prototype chips that make the hardware itself memory safe and as such brings memory safety to existing software and other significant resilience and security features for new code. The risk from memory unsafe code is significant with around 70% of ongoing reported vulnerabilities rooted in such issues. Moving to CHERI enabled hardware will not only block exploitation of these memory safety vulnerabilities, but it also offers developers new capabilities that reduce the risk that bugs find the way into production so increasing developer productivity”
Finally, on 9 November , we held an event where attendees learned how Discribe Hub+ are contributing to this important initiative. Taking place at the Pavilion Café at the University of Bath, attendees joined the Bristol & Bath Cyber Cluster for another fascinating networking event. Professor Adam Joinson discussed Digital Security by Design and how Discribe Hub+ are involved. Adam is Professor of Information Systems at the University of Bath and is Director of Discribe. His background is in behavioural science applied to security and new technology.