A breakthrough in chip security that allows vulnerabilities in new computer chip designs to be identified before they can be discovered by hackers has been developed by an international team of scientists.
The solution takes the form of an algorithm known as Unique Program Execution Checking (UPEC), which is designed to allow designers of computer chips to find flaws before the components are mass produced.
It has been developed by scientists at TU Kaiserslautern in Germany, in collaboration with researchers at Stanford University in California.
UPEC would combat high-profile security flaws in chip designs, which have led to major cybersecurity incidents, including Meltdown and Spectre, which can be almost impossible to identify due to the way they operate.
“UPEC is a form of automated security verification that will alert designers to potential flaws in their microarchitectures, long before the chips are mass produced,” said Professor Wolfgang Kunz, Chair of Electronic Design Automation at TU Kaiserslautern.
Chip security algorithm finds previously unknown flaws
In addition to enabling future chip designs to be more secure before they are mass produced, UPEC has also been used to identify several previously unknown flaws present in currently available chips.
This is the result of the researchers using the algorithm to assess chip security on a number of open-source chip designs, which found that conventional design processes can easily result in security issues.
“The key point here is that even simple design steps, like adding or removing a buffer, can inadvertently introduce covert channel vulnerabilities in pretty much any processor,” said Mo Fadiheh, a researcher at TU Kaiserslautern.
One such security flaw already identified by the researchers has been dubbed Orc. And concerningly, it may be present on many of the chips used in Internet of Things applications and self-driving cars.
“Theoretically, a hacker could use an Orc attack to assume control of an autonomous vehicle or to commandeer networked computers on the Internet-of-Things,” said Subhasish Mitra, professor of electrical engineering and computer science at Stanford University.
Orc, which is believed to be the first flaw of its kind to be discovered entitely by automated software, may be present on commercial products, but due to issues with proprietary source code the researchers cannot say with certainty. As a result, the researchers are recommending chip manufacturers make use of UPEC to run tests on their own potentially affected products.
“Orc demonstrates that serious flaws can result from seemingly innocuous design decisions chip designers make every day,” said Professor Mark D. Hill, a computer architecture expert from the University of Wisconsin-Madison.
“With UPEC, designers can be much more confident that they will find and eliminate all potential covert channel flaws in their designs.”