A novel cybersecurity education programme has been awarded $400,000 by the National Science Foundation (NSF) to train students to design, manufacture, and operate more secure computer hardware.
The funding is part of the National Science Foundation’s Secure and Trustworthy Cyberspace (SaTC) programme, with $163,000 of the grant being awarded to the University of Kansas (KU). The university’s School of Engineering will utilise the funding to devise course modules that provide students with comprehensive insights into building robust computer hardware, significantly improving future cybersecurity.
Why are computer hardware weaknesses overlooked?
Many of the most common cyberattacks, such as phishing attacks, distributed denial-of-service (DDoS) attacks, malware, and zero-day attacks, are conducted by exploiting computer software vulnerabilities. However, with the COVID-19 pandemic having exponentially increased the stress on global supply chains, the risk of corporate or state espionage via hardware is ever-increasing, with cyber attackers potentially planting malicious ‘trojan’ circuits within computer motherboards through a third-party vendor. This highlights how imperative it is to develop more robust cybersecurity methods in computer hardware.
Tamzidul Hoque, the principal investigator of the new grant and assistant professor of electrical engineering and computer science at KU, said: “When we think about cybersecurity, we think about software and network security, but hardware has become an important aspect of security — especially because the supply chain of electronic devices has become globalised.
“Today, hardware is designed and manufactured by a number of different vendors, not just one specific vendor. For example, the Apple iPhone that you are using has components from untrusted vendors all over the world — that means the security of the hardware is very critical.”
Despite this apparent vital need for enhanced computer hardware security, the vast majority of educational institutions for computer science and engineering focus their courses on computer software security instead.
“Some universities are trying to offer courses so that students get training on computer hardware security and then can join the industry,” Hoque said. “But the problem is these courses are often hard to propose or develop by institutions that don’t have a lot of resources. You need to hire a faculty member who’s an expert on hardware security to develop such a new course — and because these courses are usually elective courses, only a few students take them.”
Designing a new education system
By collaborating with Swarup Bhunia of the University of Florida and Tauhidur Rahman of Florida International University, Hoque is aiming to integrate computer hardware security modules into existing courses. The modules will be scrupulously tested and evaluated at their respective institutions before being made freely accessible to colleges and universities throughout the US. The researchers believe that this will enhance cybersecurity education without the requirement of implementing a stand-alone course for computer hardware security.
Over the next three years, the modules that the team will apply to the classroom setting will be focused on six vital computer hardware security areas. These are IP protection through obfuscation, reverse engineering, hardware Trojan attacks, physical unclonable functions, side-channel attacks, and physical unclonable functions.
Students, senior faculty members, and principal investigators will appraise the modules independently, and the modules will also be externally evaluated by industry-leading experts, including Cisco, Intel, Apple, and AMD. Furthermore, the team believes that integrating computer hardware security modules into the course will raise the number of people from underrepresented groups pursuing careers in the subject.
Hoque said: “In general, the science and technology field has a very limited number of participants from underrepresented groups — and that’s particularly true for hardware security, where there are even fewer participants from those groups.
“When we integrate these security concepts into a core course taken by all students, we automatically include students from underrepresented groups. As they learn something about hardware security, that will automatically enhance their participation in this security area in the future.
“For example, when it’s time to do a senior design project, a lot of them might do a senior design project on hardware security, or some might be planning to go to graduate school — and they’ll also consider pursuing research on hardware security because they learned interesting concepts when they took these core courses.
“Each institution will have one graduate student working throughout the project. They’ll be helping develop the course content and helping when we offer the core courses in obtaining student feedback to see how the students are performing — especially if they’re facing difficulty in coping with these new concepts. This feedback will be used to improve the content in the subsequent semesters.”
The researchers have stated that integrating concepts of computer hardware security into the current curriculum will enhance students’ understanding of the original courses’ core ideas.
“When we integrate the security concept, it doesn’t make it difficult for students to learn the actual concept which was supposed to be taught in the course,” Hoque commented. “We’ll integrate the security concepts into the original design concepts in a seamless manner. For example, when we teach a design concept, we’ll also give students some type of exercise to strengthen their understanding. Now, in our security integrated modules, we’ll teach that original concept — but when we give them an exercise, we’ll make it security-oriented.”