Digital Security by Design Monthly Round-Up: November 2022

As we head towards the end of the year, we thought it would be fascinating to hear from our own challenge
director, Professor John Goodacre, about his predictions for technology and cybersecurity in 2023.

He said, “As we head into 2023, the financial impact of cybercrime is heading towards the $10 trillion mark
with no signs of slowing. As our world becomes ever more connected and dependent on technology, the traditional approach to
cyber security of cleanliness and the rush to patch will continue to struggle to keep up. The doom and gloom
headlines will continue to be written about data loss and a lack of resilience or trust from an ever-increasing
breadth of cyber-attack across the digital world.”

“IT teams and users alike are already stretched to the limit, many acknowledging that they do not have the
skills or time to keep up with the almost weekly attempted attacks and zero-day patches. Simply monitoring for
and patching vulnerabilities that are discovered at the user level is not a battle that can be won by the
defenders, especially when attackers only need to be right once to exploit a vulnerability.”

“The UK is seeking to do something about this to balance responsibility across the supply chain. Already in
2022, we have seen the Government’s PSTI Bill looking to ensure that consumer products are shipped more
securely by default, placing more responsibility on the product manufacturer. The UK Government is not
stopping here though. As part of the UK’s National Cyber Strategy there is now a focus on the underlying
technology that our digital world is built upon ensuring products are not only secured by default to help reduce
the number of vulnerabilities, but also secured by design of the components and enabling technologies to help
protect against the inevitable remaining vulnerabilities.”

“Over the next few years, UK Research and Innovation’s Digital Security by Design Programme, part of the
National Cyber Strategy, has been redesigning from the ground up the way software interacts with hardware
so it can block the exploitation of around 70% of the ongoing discovered vulnerabilities by design while also
enabling new ways of software development to maintain resilience and integrity. Working across Government,
Industry and Academia, the £300m programme has been distributing a prototype with developers and
researchers finding more ways to protect everything digital from cyber and operational incidents.”

“As we move into 2023, we will really start to see early examples for sectors where this innovative technology
can reduce threats and block exploitation of vulnerabilities. Developers and IT teams will become more vocal,
pressing for the day they can benefit from new hardware that can actively block exploitation of vulnerabilities
and their need to chase the ever-increasing number of patches.”

There were some big cyber stories in the news in November. Lenovo fixed two high-severity vulnerabilities
impacting various ThinkBook, IdeaPad, and Yoga laptop models that could allow an attacker to deactivate UEFI
Secure Boot. UEFI Secure Boot is a verification system that ensures no malicious code can be loaded and
executed during the computer boot process. The consequences of running unsigned, malicious code before OS
boot are significant, as threat actors can bypass all security protections to plant malware that persists between
OS reinstallations.

Professor John Goodacre, Challenge Director, Digital Security by Design, UK Research and
Innovation, shared his thoughts on this, saying “Secure boot is built on a hierarchy of trust typically rooted in
technologies fixed in the hardware of a device. Such systems are used to ensure that despite any exploitation of
a vulnerability during the normal operation of a system it can be recovered through a reboot. It is therefore
essential that by design, the secure boot of a system cannot be altered while in normal operation. For example,
the Windows 11 requirement for a Trusted Platform Module (TPM) means that the operating system, much of
which operates with elevated privileges, is considered as part of the normal operation and as such can be
restarted cleanly and patched. Unfortunately, all software should be considered to contain vulnerabilities, and
therefore it’s essential that during normal operation no mechanisms can circumvent secure boot. Although a
move to using digital secure by design execution of software will significantly reduce the opportunity to exploit
vulnerabilities, any mechanism in which an exploitation of normal operations can take control of secure boot
means they are open to ransomware and other denial of service attacks and highlights the need for trust across
the various components of secure boot.”

The National Security Agency (NSA) has recommended only using ‘memory safe’ languages, like C#, Go, Java,
Ruby, Rust, and Swift, in order to avoid exploitable memory-based vulnerabilities. The agency explained that
memory issues in software make up a large portion of exploitable vulnerabilities. Due to this concern, the
authority has advised developers to consider moving from programming languages with little or no memory
protection, like C and C++, to a memory safe language.

Commenting on this, John Goodacre said: “There are trillions of lines of code being used today written in C/C++, making
it impossible to consider rewriting it all into a memory safe language. Even when new code uses such languages, it’s inevitable that it will be relying on code
written in an unsafe language through its use of libraries or an operating system. Further, many of the higher-level
languages are sandboxed by their runtime, making them unsuitable for many classes of applications. In the
UK government supported initiative, known as Digital Security by Design, a new approach known as CHERI has
been applied to both Arm and RISC-V prototype chips that make the hardware itself memory safe and as such
brings memory safety to existing software and other significant resilience and security features for new code.
The risk from memory unsafe code is significant, with around 70% of ongoing reported vulnerabilities rooted in
such issues. Moving to CHERI enabled hardware will not only block exploitation of these memory safety
vulnerabilities, but it also offers developers new capabilities that reduce the risk that bugs find their way into
production, so increasing developer productivity.”

Finally, on 9 November, we held an event where attendees learned how Discribe Hub+ are contributing to
this important initiative. Taking place at the Pavilion Café at the University of Bath, attendees joined the Bristol
& Bath Cyber Cluster for another fascinating networking event. Professor Adam Joinson discussed Digital
Security by Design and how Discribe Hub+ are involved. Adam is Professor of Information Systems at the
University of Bath and is Director of Discribe. His background is in behavioural science applied to security and
new technology.

Delivered by Digital Catapult, funded by UKRI through the Digital Security by Design programme.