LAWRENCE — Phishing attacks, malware, distributed denial-of-service (DDoS) attacks, zero-day exploits. Many commonly reported cyberattacks focus on computer software vulnerabilities. But what about computer hardware? As complex global supply chains are stressed by the pandemic, risks increase of corporate or state espionage via hardware, such as malicious “trojan” circuits hidden on a motherboard by a shady third-party vendor.
Now, a new effort based at the University of Kansas School of Engineering aims to design course modules to train students in building and maintaining more secure computer hardware. The work is supported by a $400,000 grant from the National Science Foundation’s Secure and Trustworthy Cyberspace (SaTC) program. Of that, $163,000 will come to KU.
“When we think about cybersecurity, we think about software and network security, but hardware has become an important aspect of security — especially because the supply chain of electronic devices has become globalized,” said Tamzidul Hoque, principal investigator of the new grant and assistant professor of electrical engineering & computer science at KU. “Today, hardware is designed and manufactured by a number of different vendors, not just one specific vendor. For example, the Apple iPhone that you are using has components from untrusted vendors all over the world — that means security of the hardware is very critical.”
Yet, most college and university curricula for electrical and computer engineering and computer science focus on software security rather than hardware security.
“Some universities are trying to offer courses so that students get training on hardware security and then can join the industry,” Hoque said. “But the problem is these courses are often hard to propose or develop by institutions that don’t have a lot of resources. You need to hire a faculty member who’s an expert on hardware security to develop such a new course — and because these courses are usually elective courses, only a few students take them.”
Hoque and his colleagues, Swarup Bhunia of the University of Florida and Tauhidur Rahman of Florida International University, plan to change this by developing course modules on hardware security that can plug seamlessly into existing courses. Once the modules are tested and evaluated at their own institutions, the team plans to offer them free to colleges and universities across the United States. The team considers it as a new paradigm of cybersecurity education that enables the foundational training on security, without offering a new course.
Their efforts could result in a new generation of computer engineers trained to build more secure computer equipment and detect hardware that may be compromised or counterfeit.
“We want to include fundamental concepts of hardware security into existing core hardware design courses such as digital system design and embedded systems that are taken by all the students in a program,” Hoque said. “In that way we can disseminate the concept of hardware security to everyone, without offering a new course. This integration of the basic concepts into existing courses could motivate many students to choose a career path in hardware security — in that case, they can take more advanced courses in future.”
Over the next three years, Hoque and his collaborators will design the modules and integrate them into classes already offered at their institutions: Embedded Systems at KU, Digital Logic at FIU and Digital Systems at UF.
The modules the team will develop and implement in classrooms will encompass six critical hardware-security topics:
- Reverse engineering
- IP protection through obfuscation
- Hardware Trojan attacks
- Physical unclonable functions
- Bus snooping
- Side-channel attacks.
The modules will be internally evaluated by students, senior faculty and the principal investigators themselves — and also evaluated externally by industry experts from firms like Cisco, Intel, Apple and AMD.
According to Hoque, implementing the hardware-security modules into courses taken by all students in computer engineering and computer science programs also will boost the number of students from underrepresented groups who could pursue hardware-security careers.
“In general, the science and technology field has a very limited number of participants from underrepresented groups — and that’s particularly true for hardware security, where there are even fewer participants from those groups,” he said. “When we integrate these security concepts into a core course taken by all students, we automatically include students from underrepresented groups. As they learn something about hardware security, that will automatically enhance their participation in this security area in the future. For example, when it’s time to do a senior design project, a lot of them might do a senior design project on hardware security. Or, some might be planning to go to graduate school — and they’ll also consider pursuing research on hardware security because they learned interesting concepts when they took these core courses.”
What’s more, development of the hardware-cybersecurity modules will support graduate students at all three institutions.
“Each institution will have one graduate student working throughout the project,” Hoque said. “They’ll be helping in the process of developing the course content and also helping when we offer the core courses in obtaining student feedback to see how the students are performing — especially if they’re facing difficulty in coping with these new concepts. This feedback will be used to improve content in the subsequent semesters.”
The KU researcher said introduction of hardware-security concepts into more general computer hardware courses should strengthen students’ grasp of the original core ideas central to those courses.
“When we integrate the security concept, it doesn’t make it difficult for students to learn the actual concept which was supposed to be taught in the course,” Hoque said. “We’ll integrate the security concepts into the original design concepts in a seamless manner. For example, when we teach a design concept, we’ll also give students some type of exercise to strengthen their understanding. Now, in our security integrated modules, we’ll teach that original concept — but when we give them an exercise, we’ll make it security-oriented.”
Photo: Tamzidul Hoque, assistant professor of electrical engineering & computer science, discusses a simulation of hardware attacks with his graduate and undergraduate mentees. Hogue will manage KU's portion of a $400,000 grant from the National Science Foundation to design course modules that train college students to build and maintain more secure computer hardware. Credit: Tamzidul Hoque.