Do you know what CVEs are? Unless you’re linked up with security or cryptographic groupies, you probably don’t.
Virtually everyone in our society is subjected to CVEs practically every minute of the day and with the electronics systems or gear you’re working with. CVEs stand for “common vulnerabilities and exposures,” and CVE is described as a catalog of known security threats. The U. S. Department of Homeland Security or DHS is the CVE sponsor, and this catalog divides security threats into two categories – you guessed it, vulnerabilities and exposures. At last count, there are 114,319 CVE entries FYI.
Margaret Rouse recently wrote a piece on CVEs for TechTarget.com. She writes for and manages Whatis.com, which is TechTarget’s IT encyclopedia and learning center. Rouse writes that a vulnerability is a mistake in software code. It provides an attacker with direct access to a system or network.
She cites an example saying the vulnerability may allow an attacker to pose as a superuser or system administrator who has full access privileges. An exposure, on the other hand, is defined as a mistake in software code or configuration that provides an attacker with indirect access to a system or network. For example, an exposure may allow an attacker to secretly gather customer information that could be sold, according to Rouse.
Unfortunately, the CVE catalog doesn’t have much or anything to say about the subject of “fault injection attacks” that can be considered a distant cousin to vulnerabilities and exposures. The objective for all of them is basically the same; meaning, they are all out to break into electronics systems and chips for valuable information and abscond with it. But the ways to get there are different for vulnerabilities, exposures, and fault injection attacks.
Learned scholars in their technical papers say that fault injection attacks “involve actively manipulating a chip in order to cause a transient fault during the execution of some process. The goal is to circumvent the protection of its assets. Other attacks allow retrieving keys of a range of public and secret key algorithms, including DES and AES.”
Bart Stevens, Senior Director, Product Management for Cryptography Products Division, Rambus, describes fault injection attacks this way. “The whole idea of a fault injection attack is ‘can I make silicon or software do something else besides what it is intended to do. Can I trick it into doing something else?’ This attack is basically trying to mis-use the chip to trick it into doing something else.”
Regardless of the vulnerability or type of fault injection attack, embedded and siloed security like Rambus’ CryptoManager Root of Trust or CMRT, come to the rescue in these instances to fend off these types of adversarial attacks. CMRT has multiple roots of trust, hence, there is a separate security domain for every entity. These security domains are completely separated from each other via strong hardware security. As a result, security assets like keys and hardware resources are completely isolated.