By Jerry Bryant, Senior Director of Security Communications and Incident Response at Intel
As security threats continue to grow more complex, attackers are increasingly targeting hardware as a path to exploiting software. As a result, secure hardware has become a priority for much of the industry as vendors work to provide trusted foundations that protect data and allow software to deliver greater protection and functionality. System trust is rooted in hardware security: if the hardware isn’t secure, the system cannot be secure. Achieving the levels of hardware security needed to mitigate new attacks requires a variety of elements – such as a security-centric approach to product development, investments in technology and research, collaboration with academia, bug bounty programs, and more – all working in concert. But it also requires vendors to proactively seek out and mitigate security issues, and to share what they’ve learned.
In this article, I’d like to share what Intel has learned as a result of its 2021 Product Security Report.
The report is designed to share the latest data and information around Common Vulnerabilities and Exposures (CVEs) disclosed by Intel in 2021 (through internal research, work with researchers and academia, and various bug bounty programs). But first I’d like to note that Intel also helped drive the creation of the community-driven hardware Common Weakness Enumeration (CWE) list that resulted in the 2021 CWE Most Important Hardware Weaknesses list – the hardware view includes 98 total hardware weakness patterns across 12 categories. For example, some of the top hardware weaknesses include CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip, CWE-1191 On-Chip Debug and Test Interface with Improper Access Control, and CWE-1231 Improper Prevention of Lock Bit Modification. The complete list can be found here at MITRE.
Now let’s dive into five key learnings from the Intel 2021 Product Security Report:
- 226 total CVEs were mitigated in 2021. Intel’s proactive product security assurance efforts discovered 93% of them, a share that has increased year-over-year since 2019. This discovery happens through red team events, extensive internal and external code reviews, and collaboration with external researchers who report vulnerabilities to Intel’s bug bounty programs.
- Of the 226 CVEs, Intel employees found 50% of them (or 113 CVEs). And of the remaining 113 CVEs reported by external researchers, 86% (or 97 CVEs) were reported through Intel’s Bug Bounty program. Intel’s efforts to internally identify and mitigate vulnerabilities have continued to increase over the last three years.
- 77% of hardware/firmware vulnerabilities were found by Intel (up from 69% in 2020), while 70% (down from 83% in 2020) of software issues were found by external researchers. This is the result of continued investment by Intel to harden the security of its products, plus additional collaboration with researchers through new programs like Project Circuit Breaker, an expansion of Intel’s Bug Bounty program.
- Collaboration with external researchers remains essential to Intel’s security assurance strategy, contributing to the discovery of CVEs across a variety of categories. That data is then fed back into Intel’s security development lifecycle (SDL) and helps inform where to focus additional efforts such as hackathons.
- Intel compared its CVE counts with AMD’s in two primary areas: CPUs and Graphics. Of the 16 Intel CPU and 51 Graphics vulnerabilities found in 2021, 25 were discovered internally by Intel (and 42 were found through Intel’s Bug Bounty program). According to AMD’s publicly available information, 31 AMD CPU and 27 Graphics vulnerabilities were disclosed in 2021, and all were attributed by AMD to external sources. Notably, Intel and AMD share 23 of the Graphics CVEs: these were issues reported through Intel’s Bug Bounty program, but the affected graphics components were AMD parts integrated into Intel products.
Intel continues to invest heavily in security assurance. This includes its Security Development Lifecycle (SDL), which guides the company in applying privacy and security practices across hardware and software (including firmware) throughout the product lifecycle. Furthermore, the community of security researchers from around the world continues to contribute to improving the security of Intel technology through Intel’s Bug Bounty program. And just recently the company announced Project Circuit Breaker, the next expansion within its Bug Bounty program, made up of a community of elite hackers hunting bugs in firmware, hypervisors, GPUs, compromising chipsets, pwning processors, and more.
As with any broad technological hurdle, security challenges cannot be fully addressed by a single institution acting alone. As a result, Intel participates in, and often leads, a wide range of additional efforts to help advance the state of security across the industry. These include working toward technology standards with the Trusted Computing Group, Confidential Computing Consortium, 3rd Generation Partnership Project, NIST, ISO and others. Intel is also active in the academic community through awards programs and research sponsorships. And finally, the company has led an effort with MITRE and others in the community to develop the hardware Common Weakness Enumeration (CWE) entries and to share learnings with others by participating in special interest groups as part of its membership in the Forum of Incident Response and Security Teams (FIRST).
About the Author
Jerry Bryant is a Senior Director of Security Communications and Incident Response at Intel, where he focuses on strategy and ecosystem enablement. Before joining Intel in 2019, Jerry was a Principal Security Program Manager in the Microsoft Security Response Center (MSRC), where he focused on industry and government engagement. Jerry has a wide range of experience, including starting a web application development company and working in the manufacturing industry as an expert in process control and defect reduction. He has also been heavily involved in the Forum of Incident Response and Security Teams (FIRST) PSIRT SIG.