On January 13th, the Computing Community Consortium (CCC) held an orientation webinar as an introduction for a CCC visioning workshop on Mechanism Design for Improving Hardware Security to be held in the summer of 2022 (exact date and location TBD). Hosted by workshop organizers Simha Sethumadhavan (Columbia University) and Tim Sherwood (University of California Santa Barbara), the orientation consisted of pre-recorded presentations and a Q&A with the speakers. The slide deck, pre-recorded presentation video, recording of the Q&A session and a transcript of the Q&A are linked and posted on the workshop webpage.
The orientation outlined the goals of the workshop and expanded on what the organizers are looking for in the white papers. We are seeking short white papers to help create the agenda for the workshop and select attendees.
At this workshop, participants will investigate ways to improve the design and uptake of hardware security mechanisms. In addition to looking at traditional technical solutions, the workshop will also consider new mechanisms to incentivize designers, system integrators, and users to create and maintain security of their systems. The workshop will bring together hardware and software security experts and economists and experts in devising and implementing governmental policies.
For participation in this workshop, we request white papers of no more than two pages. Please fill out this wufoo submission form to submit a white paper. Topics of interest include, but are not limited to:
- How do current policies and market structures disincentive hardware oriented security solutions? How do we fix this: what technical and policy frameworks are necessary to make progress in this area?
- What are the mechanisms necessary to enforce a government mandate that says that X% of the performance or cost should be set aside for security? What mechanisms are necessary to determine X? How often should X be determined? Is there a quantitative approach for the organization to use up this security budget? How would this be enforced on user systems? Are there alternate government mandates that are actionable and can be supported technically?
- Is there an equitable way to proportion the benefits of security and impacts of security attacks? What hardware support, if any, is necessary to facilitate this process?
- How do we establish a chain of responsibility for malicious and negligent action while also maintaining privacy?
- How can hardware innovations (e.g. U2F tokens) fundamentally impact software dark economies?
- What incentives are necessary to patch hardware bugs in a timely manner?
- What education/certification requirements are necessary for increasing the awareness and application of hardware security solutions?
- Are there parallels to software certification requirements for hardware? What would these assurance/certification requirements look like?
To learn more about the workshop and its goals check out the workshop webpage and join the workshop planning slack channel. We hope the slack channel will be a place to start conversations, discuss potential topics and answer any questions.