Current security research is largely oriented to top-down design where the most exposed layers of the system, the network/application layers, are first studied assuming that the lower layers are secure, even when they are not. The lower layers are studied only when new threats appear at those layers. Security has thus become, as the cliche goes, an arms race to the bottom. There are many examples in the literature of lower-layer attacks including those that target anti-virus, libraries, OS, hypervisors, and even code stored in non-volatile ROM. For every software mitigation strategy, vulnerabilities at the same level or in the software layer below can be used to attack and weaken the mitigation strategy.
In this tutorial, I will introduce the audience to a fundamental and long-term solution to this problem. While security is a full-system property and both software and hardware have to be secure for a system to be secure, I will show why securing systems should begin with securing the hardware first, and then creating security services rooted in the hardware that enable development of lean security software. I call this principled approach to securing systems the hardware-up principle, and we will identify the benefits of such approaches.
We will begin our tutorial with a broad introduction to security and then cover state-of-the-art research techniques for construction of backdoor-free hardware, techniques for measuring and mitigating side-channels, hardware oriented techniques for strong isolation, integrity and malware detection. Time permitting we will touch upon primitives such as PUFs, TPMs and RNGs.
No background in computer security will be assumed. Familiarity with the hardware design process (undergrad level) and some understanding of systems may be beneficial.
Prof. Simha Sethumadhavan is an associate professor at Columbia University in the Computer Science Department. Simha's research interests are in security and computer architecture. He is known for his hardware-up security methodology for designing secure computer systems. He has been recognized with an Alfred P Sloan Fellowship (2013), NSF CAREER award (2011), two IEEE Micro "top pick" awards (2004, 2013) and a graduate teaching award (2006). He is the founder of Chip Scan Inc, and served on the downloadable security technical advisory committee as a special government employee at the US Federal Communications Commission in 2015. He obtained his PhD from The University of Texas at Austin in 2007.