4

I guess hardware security refers to the security of it's firmware, but the firmware is just software, so why do we call it hardware security?

If I am wrong, can anyone explain what is hardware security? If there is no code, how could vulnerabilities exist?

Is finding bugs in a router's firmware or in computer's BIOS considered as hardware hack?

Is this Hacker News report about Intel server chips considered as hardware hack? Do those chips have firmware? Which computer hardware parts have firmware and which haven't?

Improve this question
3
  • While firmware and software are both bits/bytes generated from compiling code, there is a strong enough distinction between how you write firmware and how you write software that the distinction is indeed meaningful. Commented May 4, 2017 at 18:08
  • Hardware security can refer to (1) physical mechanisms inside a device for security purposes such as efuses in chips and locked flash based FPGAs as well as (2) firmware mechanisms inside a device that are treated like a black box such as AES encryption in hard drives, TPM modules and key tokens for Certificates. Commented May 4, 2017 at 19:05
  • Support of hardware AES encryption is an accelerator, it's a security feature without security. Security is started when TEE is supported. Commented May 4, 2017 at 20:12

2 Answers 2

Reset to default
2

It's not matter of firmware vs. software it is a matter of execution of authorized code. How does it happen? Read about Trustable Execution Environment (TEE). There can be different implementations with using same CPU or not. If you'll read about ARM Trust Zone it will give you top level explanation how CPU supports this mode. Basically security is started from signed boot loader, loading Secure OS, setting memory protection zones. Later under supervision of Secure OS only authorized Trusted Applications will be loaded by Secure OS, and executed in protected zone where Host OS has no access, except communication channels using a shared memory.

Those who want to know more about Trusted Executable Environment, at first I would recommend you read here.

https://www.op-tee.org/category/blog/
start with https://www.op-tee.org/blog/hkg15-311-op-tee-beginners-porting-review/ another source to read https://www.arm.com/products/security-on-arm/trustzone

May be I'll add more links later.

Improve this answer
2
  • could you suggest any related courses, please ? Commented May 5, 2017 at 19:17
  • The first link is broken. Commented Mar 22, 2018 at 9:21
1

I'm not sure that this question can be totally answered, because as you point out, the line between hardware and software can be blurred in some areas, such as firmware or embedded systems. However, I would argue that something falls under hardware security if any of the following three conditions applies:

  • A flaw can be mitigated through physical security measures

  • A flaw exists in the actual hardware design, eg. side channel attacks against CPU cache in cloud environments are enabled by a shared CPU cache.

  • A flaw cannot be mitigated through firmware/software upgrade.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.