
The Power of Collaboration - Examining the Latest Hardware CWE Updates

Author: Riscure Team

In this podcast, members of the Special Interest Group (SIG) of CWE, from Intel, MITRE, AMD, Cycuity, and Riscure, delve into the importance of the new CWEs and explore the intricacies, challenges, and benefits this collaborative effort contributes to the industry.

Intel’s Chips & Salsa Podcast hosted by Jerry & CRob – Youtube

Riscure’s Senior Security Analyst Nicole Fern (8min 40sec) participated in Intel’s security podcast, “Chips & Salsa”, which discusses security developments at Intel. This edition focused on “Industry Collaboration for NEW Hardware CWEs.” Nicole was joined by other members of the Hardware Common Weakness Enumeration Special Interest Group (HW CWE SIG) from Intel, MITRE, AMD, and Cycuity. They discussed the introduction of four new transient execution weaknesses into the Common Weakness Enumeration (CWE) standard.

Common Weakness Enumeration (CWE) is a list of common software and hardware weaknesses developed and reviewed by the community. The list is updated three to four times per year and publicly accessible at https://cwe.mitre.org/.

CWE is led and maintained by MITRE, which also maintains the Common Vulnerabilities and Exposures (CVE) list and is sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Weaknesses are mistakes or errors that could lead to the introduction of vulnerabilities. Weaknesses are different from vulnerabilities, which are mistakes in specific products and implementations that an attacker can directly target for exploitation. The goal of providing a list of common weaknesses along with mitigations is to root out issues early in the design and implementation process so that they do not become vulnerabilities down the line.

The goal of the CWE effort is to provide a common language to discuss weaknesses across the entire community, opportunities for knowledge sharing and awareness, and a mechanism for creating metrics and checklists for security tools. The first CWE list was published in 2006 and primarily covered software weaknesses, but recently there has been a concentrated effort by the community to populate CWE with weaknesses relevant to the hardware community. The hardware-relevant CWEs can be found here: https://cwe.mitre.org/data/definitions/1194.html.

The Hardware Common Weakness Enumeration Special Interest Group (HW CWE SIG) was established in October 2020 to provide an opportunity for various stakeholders in the hardware security community to collaborate and provide input on the recent hardware entries. Riscure has been a member of this group since October 2021, providing technical knowledge and experience as an industry leader in side-channel and fault injection testing.

If you have any further inquiries, reach out to inforequest@riscure.com 
