A supercomputer-powered genetic study of COVID-19 patients has yielded a possible breakthrough in understanding how the novel coronavirus causes disease—and it points toward new potential therapies for treating its worst symptoms.
The genetic data mining research uncovered a common pattern of gene activity in the lungs of symptomatic COVID-19 patients which, when compared to gene activity in healthy control populations, revealed a mechanism that appears to be a key weapon in the coronavirus’s arsenal.
The good news: there are already drugs—a few of them FDA-approved—aimed at some of these very same pathologies.
“We think we have a core mechanism that explains a lot of the symptoms where the virus ends up residing,” said Daniel Jacobson, chief scientist for computational systems biology at Oak Ridge National Laboratory in Oak Ridge, Tenn.
The mechanism, detailed in Jacobson’s group’s new paper in the journal eLife, centers around a compound the body produces to regulate blood pressure, called bradykinin. A healthy body produces small amounts of bradykinin to dilate blood vessels and make them more permeable, which typically lowers blood pressure.
However, Jacobson said, lung fluid samples from COVID-19 patients consistently revealed over-expression of genes that produce bradykinin, while also under-expressing genes that would inhibit or break down bradykinin.
In other words, the new finding predicts a hyper-abundance of bradykinin in a coronavirus patient’s body at the points of infection, which can have well-known and sometimes deadly consequences. As Jacobson’s paper notes, extreme bradykinin levels in various organs can lead to dry coughs, myalgia, fatigue, nausea, vomiting, diarrhea, anorexia, headaches, decreased cognitive function, arrhythmia and sudden cardiac death. All of which have been associated with various manifestations of COVID-19.
The bradykinin genetic discovery ultimately came courtesy of Oak Ridge’s supercomputers Summit and Rhea, which crunched data sets representing some 17,000 genetic samples while comparing each of these samples to some 40,000 genes.
Summit, the world’s second-fastest supercomputer as of June, ran some 2.5 billion correlation calculations across this data set. It took Summit one week to run these numbers, a job that would have taken months of compute time on a typical workstation or cluster.
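The scale of that correlation analysis is easy to sketch, if not to run: with g genes there are g(g − 1)/2 unique pairs to score. A minimal stand-in using toy data (the matrix sizes and values here are illustrative, not the study’s):

```python
import numpy as np

# Toy stand-in for the expression matrix: rows are genetic samples,
# columns are genes (the real analysis spanned ~17,000 samples x ~40,000 genes).
rng = np.random.default_rng(0)
expression = rng.normal(size=(6, 4))

# All-pairs Pearson correlation between genes: with g genes there are
# g * (g - 1) / 2 unique pairs, which is what makes the full-scale
# computation a supercomputer-class job.
corr = np.corrcoef(expression, rowvar=False)

g = expression.shape[1]
n_pairs = g * (g - 1) // 2
print(corr.shape, n_pairs)
```

At the study’s scale, 40,000 genes give roughly 800 million unique pairs per comparison, which is how the total climbs into the billions of calculations.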
Jacobson said that the genetic bradykinin connection the team made may have rendered COVID-19 a little less mysterious. “Understanding some of these fundamental principles gives us places to start,” he said. “It’s not as much of a black box anymore. We think we have good indications of the mechanisms. So now how do we attack those mechanisms to have better therapeutic outcomes?”
One of the most persistent and deadly outcomes of extreme COVID disease involves the lungs of patients filling with fluid, forcing the patient to fight for every breath. There, too, the mechanism and genetic pathway the researchers have uncovered could possibly explain what’s going on.
Because bradykinin makes blood vessels more permeable, lung tissue gets inundated with fluid that begins to make it swell. “You have two interconnected pathways, and the virus can tilt the balance to these two pathways with a catastrophic outcome,” Jacobson said. “The bradykinin cascade goes out of control, and that allows fluid to leak out of the blood vessels, with immune cells infiltrating out. And you effectively have fluid pouring into your lungs.”
The presence of typically blood-borne immune cells in the lungs of some patients can, Jacobson said, also produce extreme inflammation and out-of-control immune responses, which have been observed in some coronavirus cases.
But another genetic tendency this work revealed was up-regulation in the production of hyaluronic acid. This compound is slimy to the touch. In fact, it’s the primary component in snail slime. And it has the remarkable property of being able to absorb 1,000 times its own weight in water.
The team also discovered evidence of down-regulated genes in COVID patients that might otherwise have kept hyaluronic acid levels in check. So with fluid inundating the lungs and gels that absorb those fluids being over-produced as well, a coronavirus patient’s lung, Jacobson said, “fills up with a jello-like hydrogel.”
“One of the causes of death is people are basically suffocating,” Jacobson said. “And we may have found the mechanisms responsible for how this gets out of control, why all the fluid is leaking in, why you’re now producing all this hyaluronic acid—this gelatin-like substance—in your lung, and possibly why there are all these inflammatory responses.”
Jacobson’s group’s paper then highlights ten possible therapies developed for other conditions that might also address the coronavirus’s “bradykinin storm” problem. Potential therapies include compounds like icatibant, danazol, stanozolol, ecallantide, Berinert, Cinryze, and Haegarda, all of whose predicted effect is to reduce bradykinin levels in a patient. Even Vitamin D, whose observed deficiency in COVID-19 patients is also explained by the group’s research, could play a role in future COVID-19 therapies.
None of which, it’s important to stress, has yet been tested in clinical trials. But, Jacobson said, they’re already in touch with groups who are considering testing these new findings and recommended therapies.
“We have to get this message out,” Jacobson said. “We have started to be contacted by people. But … clinical partners and funding agencies who will hopefully support this work is the next step that needs to happen.”
The IEEE Spectrum Top Programming Languages app synthesizes 11 metrics from eight sources to arrive at an overall ranking of language popularity. The sources cover contexts that include social chatter, open-source code production, and job postings. Below, you’ll find information about how we choose which languages to track and the data sources we use to do it.
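As an illustration only (the actual metrics, weights, and normalization used in the app differ, and the figures below are invented), synthesizing several per-language metrics into a single score might look like this:

```python
# Hypothetical mini-example of combining per-language metric scores into one
# ranking: normalize each metric to [0, 100] against the top scorer, then
# take a weighted sum. Values and weights are made up for illustration.
raw = {
    "Python":  {"search_hits": 500_000, "new_repos": 90_000},
    "Cobol":   {"search_hits": 20_000,  "new_repos": 1_000},
    "Haskell": {"search_hits": 60_000,  "new_repos": 8_000},
}
weights = {"search_hits": 0.5, "new_repos": 0.5}  # assumed equal weighting

def normalize(metric):
    top = max(v[metric] for v in raw.values())
    return {lang: 100.0 * v[metric] / top for lang, v in raw.items()}

norm = {m: normalize(m) for m in weights}
scores = {lang: sum(weights[m] * norm[m][lang] for m in weights) for lang in raw}
ranking = sorted(scores, key=scores.get, reverse=True)
print(ranking)
```

Normalizing each metric before combining keeps a high-volume source (like raw search hits) from drowning out a low-volume one (like job postings).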
Starting from a list of over 300 programming languages gathered from GitHub, we looked at the volume of results found on Google when we searched for each one using the template “X programming” where “X” is the name of the language. We filtered out languages that had a very low number of search results and then went through the remaining entries by hand to narrow them down to the most interesting. We labeled each language according to whether or not it finds significant use in one or more of the following categories: Web, mobile, enterprise/desktop, or embedded environments.
Our final set of 52 languages includes names familiar to most computer users, such as Java, stalwarts like Cobol and Fortran, and languages that thrive in niches, like Haskell. We gauged the popularity of each using 11 metrics across eight sources in the following ways:
We measured the number of hits for each language by using Google’s API to search for the template “X programming.” This number indicates the volume of online information resources about each programming language. We took the measurement in April 2020, so it represents a snapshot of the Web at that particular moment in time. This measurement technique is also used by the oft-cited TIOBE rankings.
We measured the index of each language as reported by Google Trends using the template “X programming” in April 2020. This number indicates the demand for information about the particular language, because Google Trends measures how often people search for the given term. As it measures searching activity rather than information availability, Google Trends can be an early cue to up-and-coming languages. Our methodology here is similar to that of the Popularity of Programming Language (PYPL) ranking.
We measured the number of hits on Twitter for the template “X programming” for the 12 months ending April 2020 using the Twitter Search API. This number indicates the amount of chatter on social media for the language and reflects the sharing of online resources like news articles or books, as well as physical social activities such as hackathons.
GitHub is a site where programmers can collaboratively store repositories of code. Using the GitHub API and GitHub tags, we measured two things for the 12 months ending April 2020: (1) the number of new repositories created for each language, and (2) the number of active repositories for each language, where “active” means that someone has edited the code in a particular repository. The number of new repositories measures fresh activity around the language, whereas the number of active repositories measures the ongoing interest in developing each language.
Stack Overflow is a popular site where programmers can ask questions about coding. We measured the number of questions posted that mention each language for the 12 months ending April 2020. Each question is tagged with the languages under discussion, and these tags are used to tabulate our measurements using the Stack Exchange API.
Reddit is a news and information site where users post links and comments. On Reddit we measured the number of posts mentioning each of the languages, using the template “X programming” from June 2019 to June 2020 across any subreddit on the site. We collected data using the Reddit API.
Hacker News is a news and information site where users post comments and links to news about technology. We measured the number of posts that mentioned each of the languages using the template “X programming” for the 12 months ending April 2020. Like our Twitter, Stack Overflow, and Reddit metrics, this one also captures social activity and information sharing around the various languages. We used the Algolia Search API.
We measured the demand for different programming languages on the CareerBuilder job site, counting the number of fresh job openings (those less than 30 days old) on the U.S. site that mention each language. Because some of the languages we track could be ambiguous in plain text—such as D, Go, J, Processing, and R—we use strict matching of the form “X programming” for these languages. For other languages we use a search string composed of “X AND programming,” which allows us to capture a broader range of relevant postings. We collected data in July 2020 using the CareerBuilder API, courtesy of CareerBuilder, which gave us access now that the API no longer publicly provides this information.
IEEE Job Site
We measured the demand for different programming languages in job postings on the IEEE Job Site. Because some of the languages we track could be ambiguous in plain text—such as D, Go, J, Processing, and R—we use strict matching of the form “X programming” for these languages. For other languages we use a search string composed of “X AND programming,” which allows us to capture a broader range of relevant postings. Because no externally exposed API exists for the IEEE Job Site, we extracted data using an internal custom-query tool in May 2020.
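The matching rule used for both job sites reduces to a simple branch. The `job_query` helper below is a hypothetical sketch of that rule, not the actual query code:

```python
# Sketch of the query rule described above: ambiguous single-letter or
# common-word names get the strict phrase "X programming"; everything else
# uses the broader boolean "X AND programming".
AMBIGUOUS = {"D", "Go", "J", "Processing", "R"}

def job_query(language: str) -> str:
    if language in AMBIGUOUS:
        return f'"{language} programming"'
    return f"{language} AND programming"

print(job_query("R"))       # strict phrase match
print(job_query("Python"))  # broader boolean match
```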
IEEE Xplore Digital Library
IEEE maintains a digital library with over 3.6 million conference and journal articles covering a range of scientific and engineering disciplines. We measured the number of articles that mention each of the languages in the template “X programming” for the years 2019 and 2020. This metric captures the prevalence of the different programming languages as used and referenced in scholarship. We collected data using the IEEE Xplore API.
Facebook’s challenge is huge. Billions of pieces of content—short and long posts, images, and combinations of the two—are uploaded to the site daily from around the world. And any tiny piece of that—any phrase, image, or video—could contain so-called bad content.
In its early days, Facebook relied on simple computer filters to identify potentially problematic posts by their words, such as those containing profanity. These automatically filtered posts, as well as posts flagged by users as offensive, went to humans for adjudication.
In 2015, Facebook started using artificial intelligence to cull images that contained nudity, illegal goods, and other prohibited content; those images identified as possibly problematic were sent to humans for further review.
By 2016, more offensive photos were reported by Facebook’s AI systems than by Facebook users (and that is still the case).
In 2018, Facebook CEO Mark Zuckerberg made a bold proclamation: He predicted that within five or ten years, Facebook’s AI would not only look for profanity, nudity, and other obvious violations of Facebook’s policies. The tools would also be able to spot bullying, hate speech, and other misuse of the platform, and put an immediate end to them.
Today, automated systems using algorithms developed with AI scan every piece of content between the time when a user completes a post and when it is visible to others on the site—just fractions of a second. In most cases, a violation of Facebook’s standards is clear, and the AI system automatically blocks the post. In other cases, the post goes to human reviewers for a final decision. That workforce includes 15,000 content reviewers and another 20,000 employees focused on safety and security, operating out of more than 20 facilities around the world.
In the first quarter of this year, Facebook removed or took other action (like appending a warning label) on more than 9.6 million posts involving hate speech, 8.6 million involving child nudity or exploitation, almost 8 million posts involving the sale of drugs, 2.3 million posts involving bullying and harassment, and tens of millions of posts violating other Facebook rules.
Right now, Facebook has more than 1,000 engineers working on further developing and implementing what the company calls “integrity” tools. Using these systems to screen every post that goes up on Facebook, and doing so in milliseconds, is sucking up computing resources. Facebook chief technology officer Mike Schroepfer, who is heading up Facebook’s AI and integrity efforts, spoke with IEEE Spectrum about the team’s progress on building an AI system that detects bad content.
Since that discussion, Facebook’s policies around hate speech have come under increasing scrutiny, with particular attention on divisive posts by political figures. A group of major advertisers in June announced that they would stop advertising on the platform while reviewing the situation, and civil rights groups are putting pressure on others to follow suit until Facebook makes policy changes related to hate speech and groups that promote hate, misinformation, and conspiracies.
Facebook CEO Mark Zuckerberg responded with news that Facebook will widen the category of what it considers hateful content in ads. Now the company prohibits claims that people from a specific race, ethnicity, national origin, religious affiliation, caste, sexual orientation, gender identity, or immigration status are a threat to the physical safety, health, or survival of others. The policy change also aims to better protect immigrants, migrants, refugees, and asylum seekers from ads suggesting these groups are inferior or expressing contempt. Finally, Zuckerberg announced that the company will label some problematic posts by politicians and government officials as content that violates Facebook’s policies.
Schroepfer indicated that Facebook’s AI systems are designed to quickly adapt to changes in policy. “I don’t expect considerable technical changes are needed to adjust,” he told Spectrum.
This interview has been edited and condensed for clarity.
IEEE Spectrum: What are the stakes of content moderation? Is this an existential threat to Facebook? And is it critical that you deal well with the issue of election interference this year?
Schroepfer: It’s probably existential; it’s certainly massive. We are devoting a tremendous amount of our attention to it.
The idea that anyone could meddle in an election is deeply disturbing and offensive to all of us here, just as people and citizens of democracies. We don’t want to see that happen anywhere, and certainly not on our watch. So whether it’s important to the company or not, it’s important to us as people. And I feel a similar way on the content-moderation side.
There are not a lot of easy choices here. The only way to prevent people, with certainty, from posting bad things is to not let them post anything. We can take away all voice and just say, “Sorry, the Internet’s too dangerous. No one can use it.” That will certainly get rid of all hate speech online. But I don’t want to end up in that world. And there are variants of that world that various governments are trying to implement, where they get to decide what’s true or not, and you as a person don’t. I don’t want to get there either.
My hope is that we can build a set of tools that make it practical for us to do a good enough job, so that everyone is still excited about the idea that anyone can share what they want, and so that Facebook is a safe and reasonable place for people to operate in.
Spectrum: You joined Facebook in 2008, before AI was part of the company’s toolbox. When did that change? When did you begin to think that AI tools would be useful to Facebook?
Schroepfer: Ten years ago, AI wasn’t commercially practical; the technology just didn’t work very well. In 2012, there was one of those moments that a lot of people point to as the beginning of the current revolution in deep learning and AI. A computer-vision model—a neural network—was trained using what we call supervised training, and it turned out to be better than all the existing models.
Spectrum: How is that training done, and how did computer-vision models come to Facebook?
Schroepfer: Say I take a bunch of photos and I have people look at them. If they see a photo of a cat, they put a text label that says cat; if it’s one of a dog, the text label says dog. If you build a big enough data set and feed that to the neural net, it learns how to tell the difference between cats and dogs.
Prior to 2012, it didn’t work very well. And then in 2012, there was this moment where it seemed like, “Oh wow, this technique might work.” And a few years later we were deploying that form of technology to help us detect problematic imagery.
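The cats-versus-dogs setup Schroepfer describes can be miniaturized: given labeled examples, a model learns a boundary between the classes. The nearest-centroid toy below stands in for a real neural network, which learns from raw pixels rather than the hand-picked feature vectors assumed here:

```python
import numpy as np

# Toy illustration of supervised training: labeled examples in, a model that
# separates the classes out. Each "photo" is just a 2-D feature vector.
cats = np.array([[1.0, 1.2], [0.9, 1.0], [1.1, 0.8]])   # labeled "cat"
dogs = np.array([[3.0, 3.1], [2.8, 3.3], [3.2, 2.9]])   # labeled "dog"

# "Training" a nearest-centroid model: remember the mean of each class.
centroids = {"cat": cats.mean(axis=0), "dog": dogs.mean(axis=0)}

def classify(x):
    # Predict the class whose centroid is closest to the input.
    return min(centroids, key=lambda label: np.linalg.norm(x - centroids[label]))

print(classify(np.array([1.0, 1.0])))  # -> cat
print(classify(np.array([3.0, 3.0])))  # -> dog
```

The deep-learning breakthrough of 2012 was not this workflow (which is decades old) but the discovery that neural networks trained this way, at scale, beat every prior approach.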
Spectrum: Do your AI systems work equally well on all types of prohibited content?
Schroepfer: Nudity was technically easiest. I don’t need to understand language or culture to understand that this is either a naked human or not. Violence is a much more nuanced problem, so it was harder technically to get it right. And with hate speech, not only do you have to understand the language, it may be very contextual, even tied to recent events. A week before the Christchurch shooting [New Zealand, 2019], saying “I wish you were in the mosque” probably doesn’t mean anything. A week after, that might be a terrible thing to say.
Spectrum: How much progress have you made on hate speech?
Schroepfer: AI, in the first quarter of 2020, proactively detected 88.8 percent of the hate-speech content we removed, up from 80.2 percent in the previous quarter. In the first quarter of 2020, we took action on 9.6 million pieces of content for violating our hate-speech policies.
Spectrum: It sounds like you’ve expanded beyond tools that analyze images and are also using AI tools that analyze text.
Schroepfer: AI started off as very siloed. People worked on language, people worked on computer vision, people worked on video. We’ve put these things together—in production, not just as research—into multimodal classifiers.
[Schroepfer shows a photo of a pan of Rice Krispies treats, with text referring to it as a “potent batch”] This is a case in which you have an image, and then you have the text on the post. This looks like Rice Krispies. On its own, this image is fine. You put the text together with it in a bigger model; that can then understand what’s going on. That didn’t work five years ago.
Spectrum: Today, every post that goes up on Facebook is immediately checked by automated systems. Can you explain that process?
Schroepfer: You upload an image and you write some text underneath it, and the systems look at both the image and the text to try to see which, if any, policies it violates. Those decisions are based on our Community Standards. It will also look at other signals on the posts, like the comments people make.
It happens relatively instantly, though there may be times things happen after the fact. Maybe you uploaded a post that had misinformation in it, and at the time you uploaded it, we didn’t know it was misinformation. The next day we fact-check something and scan again; we may find your post and take it down. As we learn new things, we’re going to go back through and look for violations of what we now know to be a problem. Or, as people comment on your post, we might update our understanding of it. If people are saying, “That’s terrible,” or “That’s mean,” or “That looks fake,” those comments may be an interesting signal.
Spectrum: How is Facebook applying its AI tools to the problem of election interference?
Schroepfer: I would split election interference into two categories. There are times when you’re going after the content, and there are times you’re going after the behavior or the authenticity of the person.
On content, if you’re sharing misinformation, saying, “It’s super Wednesday, not super Tuesday, come vote on Wednesday,” that’s a problem whether you’re an American sitting in California or a foreign actor.
Other times, people create a series of Facebook pages pretending they’re Americans, but they’re really a foreign entity. That is a problem on its own, even if all the content they’re sharing completely meets our Community Standards. The problem there is that you have a foreign government running an information operation.
There, you need different tools. What you’re trying to do is put pieces together, to say, “Wait a second. All of these pages—Martians for Justice, Moonlings for Justice, and Venusians for Justice—are all run by an administrator with an IP address that’s outside the United States.” So they’re all connected, even though they’re pretending to not be connected. That’s a very different problem than me sitting in my office in Menlo Park [Calif.] sharing misinformation.
I’m not going to go into lots of technical detail, because this is an area of adversarial nature. The fundamental problem you’re trying to solve is that there’s one entity coordinating the activity of a bunch of things that look like they’re not all one thing. So this is a series of Instagram accounts, or a series of Facebook pages, or a series of WhatsApp accounts, and they’re pretending to be totally different things. We’re looking for signals that these things are related in some way. And we’re looking through the graph [what Facebook calls its map of relationships between users] to understand the properties of this network.
Spectrum: What cutting-edge AI tools and methods have you been working on lately?
Schroepfer: Supervised learning, with humans setting up the instruction process for the AI systems, is amazingly effective. But it has a very obvious flaw: the speed at which you can develop these things is limited by how fast you can curate the data sets. If you’re dealing in a problem domain where things change rapidly, you have to rebuild a new data set and retrain the whole thing.
Self-supervision is inspired by the way people learn, by the way kids explore the world around them. To get computers to do it themselves, we take a bunch of raw data and build a way for the computer to construct its own tests. For language, you scan a bunch of Web pages, and the computer builds a test where it takes a sentence, eliminates one of the words, and figures out how to predict what word belongs there. And because it created the test, it actually knows the answer. I can use as much raw text as I can find and store because it’s processing everything itself and doesn’t require us to sit down and build the information set. In the last two years there has been a revolution in language understanding as a result of AI self-supervised learning.
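The self-labeling trick Schroepfer describes (delete a word, then predict it back) can be sketched directly. Here `masked_examples` is a hypothetical helper that turns raw sentences into (input, answer) training pairs with no human annotation:

```python
# Sketch of self-supervised data construction: take raw sentences, mask one
# word at a time, and the masked word itself is the training label. The data
# "labels itself," which is why no curated data set is needed.
def masked_examples(sentence: str):
    words = sentence.split()
    examples = []
    for i, word in enumerate(words):
        context = words[:i] + ["[MASK]"] + words[i + 1:]
        examples.append((" ".join(context), word))  # (input, correct answer)
    return examples

pairs = masked_examples("the cat sat on the mat")
print(pairs[1])  # -> ('the [MASK] sat on the mat', 'cat')
```

A model trained to fill in millions of such blanks ends up encoding a great deal about how language works, which is the revolution Schroepfer refers to.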
Spectrum: What else are you excited about?
Schroepfer: What we’ve been working on over the last few years is multilingual understanding. Usually, when I’m trying to figure out, say, whether something is hate speech or not, I have to go through the whole process of training the model in every language. I have to do that one time for every language. When you make a post, the first thing we have to figure out is what language your post is in. “Ah, that’s Spanish. So send it to the Spanish hate-speech model.”
We’ve started to build a multilingual model—one box where you can feed in text in 40 different languages and it determines whether it’s hate speech or not. This is way more effective and easier to deploy.
To geek out for a second, just the idea that you can build a model that understands a concept in multiple languages at once is crazy cool. And it not only works for hate speech, it works for a variety of things.
When we started working on this multilingual model years ago, it performed worse than every single individual model. Now, it not only works as well as the English model, but when you get to the languages where you don’t have enough data, it’s so much better. This rapid progress is very exciting.
Spectrum: How do you move new AI tools from your research labs into operational use?
Schroepfer: Engineers trying to make the next breakthrough will often say, “Cool, I’ve got a new thing and it achieved state-of-the-art results on machine translation.” And we say, “Great. How long does it take to run in production?” They say, “Well, it takes 10 seconds for every sentence to run on a CPU.” And we say, “It’ll eat our whole data center if we deploy that.” So we take that state-of-the-art model and we make it 10 or a hundred or a thousand times more efficient, maybe at the cost of a little bit of accuracy. So it’s not as good as the state-of-the-art version, but it’s something we can actually put into our data centers and run in production.
Spectrum: What’s the role of the humans in the loop? Is it true that Facebook currently employs 35,000 moderators?
Schroepfer: Yes. Right now our goal is not to reduce that. Our goal is to do a better job catching bad content. People often think that the end state will be a fully automated system. I don’t see that world coming anytime soon.
As automated systems get more sophisticated, they take more and more of the grunt work away, freeing up the humans to work on the really gnarly stuff where you have to spend an hour researching.
We also use AI to give our human moderators power tools. Say I spot this new meme that is telling everyone to vote on Wednesday rather than Tuesday. I have a tool in front of me that says, “Find variants of that throughout the system. Find every photo with the same text, find every video that mentions this thing and kill it in one shot.” Rather than, I found this one picture, but then a bunch of other people upload that misinformation in different forms.
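One crude way to “find variants in one shot” is to fingerprint a normalized form of the overlaid text, so cosmetic edits map to the same key. Facebook’s production systems use far more sophisticated image and video similarity matching; this sketch only illustrates the idea:

```python
import hashlib
import re

# Toy variant-matching: normalize case, punctuation, and whitespace, then
# hash the canonical form. Reposts that differ only cosmetically collide
# on the same fingerprint and can all be actioned together.
def fingerprint(text: str) -> str:
    canonical = re.sub(r"[^a-z0-9 ]", "", text.lower())
    canonical = " ".join(canonical.split())
    return hashlib.sha256(canonical.encode()).hexdigest()

a = fingerprint("Vote on WEDNESDAY, not Tuesday!")
b = fingerprint("vote on wednesday not  tuesday")
print(a == b)  # -> True: both variants share one fingerprint
```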
Another important aspect of AI is that anything I can do to prevent a person from having to look at terrible things is time well spent. Whether it’s a person employed by us as a moderator or a user of our services, looking at these things is a terrible experience. If I can build systems that take the worst of the worst, the really graphic violence, and deal with that in an automated fashion, that’s worth a lot to me.
Over the course of the Syrian civil war that has been raging since 2011, the number of displaced refugees has been growing at an alarming rate. The Rukban refugee camp at the nation’s southern border near Jordan is one eye-opening example. According to UN data, the number of refugee tents set up in the area has increased from roughly 132 to 11,702 over the four-year period between 2015 and 2019.
Being able to monitor the expansion of refugee camps is important for humanitarian planning and resource allocation. But keeping a reliable count can prove challenging when refugee camps become so large. To support these efforts, several models have been developed to analyze satellite data and estimate the population of refugee camps based on the number of tents that are detected. One recent DARPA-funded research project has led to a new machine learning algorithm with high precision and accuracy in accomplishing the task. (In this case, precision and accuracy are closely related but not synonymous. Accuracy is the fraction of all pixels—tent-containing or not—that are classified correctly; precision is the fraction of pixels classified as tent-containing that actually are.) The new model is described in a recent publication in IEEE Geoscience and Remote Sensing Letters.
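The distinction can be made concrete with a toy pixel labeling (the values here are invented for illustration):

```python
# Accuracy vs. precision on a toy pixel classification:
# accuracy counts every correctly classified pixel (tent or background),
# while precision looks only at pixels the model called "tent".
truth = [1, 1, 0, 0, 0, 1, 0, 0]  # 1 = tent pixel, 0 = background
pred  = [1, 0, 0, 0, 1, 1, 0, 0]  # model output

correct = sum(t == p for t, p in zip(truth, pred))
accuracy = correct / len(truth)            # 6 of 8 pixels right

true_pos = sum(t == 1 and p == 1 for t, p in zip(truth, pred))
precision = true_pos / sum(pred)           # 2 of 3 "tent" calls right

print(accuracy, precision)  # -> 0.75 0.666...
```

A model that labels almost everything background can score high accuracy while missing tents, which is why precision matters for counting.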
Jiang Li, a professor at Old Dominion University, is a co-developer of the new model. The program was trained and tested using satellite data across two time points, in 2016 and 2017. It takes satellite images and breaks them down into arbitrary pieces, extracting spectral and spatial information. Filters help classify the data at the pixel level. This approach is referred to as a fully convolutional network (FCN) model.
In their study, the researchers compared their FCN model to several others, finding modest increases in accuracy and substantial increases in precision. Their model was up to 4.49 percent more accurate than the others, and as much as 41.99 percent more precise.
“In the validation data, manual labelling showed 775 tents and our FCN model discovered 763 tents, with 1.55 percent error,” says Li. “All other competing models have errors ranging from 12.9 percent to 510.90 percent [meaning they drastically overcounted the number of tents], and are much less accurate.”
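Li’s 1.55 percent figure follows directly from the tent counts he quotes:

```python
# Reproducing the quoted error figure: 775 manually labeled tents versus
# 763 detected by the FCN model.
labeled = 775
detected = 763
error_pct = abs(detected - labeled) / labeled * 100
print(round(error_pct, 2))  # -> 1.55
```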
With the model developed, Li says his team is waiting for guidance from DARPA before implementing the tool in a real-world setting. “We are certain that real applications of our new model will require us to connect to some potential users, such as UNOSAT, DHS, and other government agencies. This process may take time,” he says. “In any event, our model is generic and can be adapted to other applications such as flood and hurricane damage assessment, urban change detection, et cetera.”
While it’s certainly true that the model could be adapted for other applications, Li cautions that the process could be labor intensive. His team relied on an existing database of labeled image data to build the tent-sensing FCN model, but adapting the model for other purposes could potentially mean manually labelling a new dataset of relevant images.
“The data-hungry problem is currently a big hurdle for this application. We are investigating state-of-the-art data augmentation strategies and active learning methods as alternatives in order to further improve training efficiency,” says Li.
With the expanding scale of modern networks, security teams often face challenges around maintaining control and visibility across multiple virtual private clouds (VPCs) and network segments. Software-defined networks (SDNs) provide centralized management of your cloud fabric, enabling higher granularity of control over north-south and east-west traffic flows between VPCs. This allows for the selective blocking of potentially malicious inbound and outbound traffic while continuing the flow of normal traffic. Leveraging SDN fabrics alongside solutions such as cloud-based firewalls and tools such as VPC Flow Logs can enhance traffic visibility and control while upholding your security posture.
In this webinar, SANS and AWS Marketplace provide guidance on creating and implementing a policy-driven SDN architecture in the cloud. Additionally, they will present real-world use cases of successful implementations that have been deployed in Amazon Web Services (AWS) environments.
This is a guest post. The views expressed here are solely those of the authors and do not represent positions of IEEE Spectrum or the IEEE.
Thanks to Moore’s Law, the number of transistors in our computing devices has doubled roughly every two years, driving continued growth in computer speed and capability. Meanwhile, Wirth’s Law observes that software is getting slower more rapidly than hardware is getting faster. The net result is that both hardware and software are becoming more complex. With this complexity, the number of discovered software vulnerabilities is increasing every year; there were over 17,000 vulnerabilities reported last year alone. We at DARPA’s System Security Integrated Through Hardware and Firmware (SSITH) program argue that the solution lies not in software patches but in rethinking hardware architecture.
In March 2020, MITRE released version 4.0 of its Common Weakness Enumeration (CWE) list, which catalogs weaknesses in computer systems. For the first time, it included categories of hardware vulnerabilities, among them Rowhammer, Meltdown/Spectre, CacheOut, and LVI, which are becoming more prevalent. In fact, a reported 70 percent of cyberattacks are the result of memory safety issues [pdf] such as buffer overflow attacks—a category of software exploit that takes advantage of hardware’s inherent “gullibility.” These software exploitations of hardware vulnerabilities affect not only the computer systems we use at home, at work, and in the cloud, but also the embedded computers we increasingly rely on within Internet of Things (IoT) devices.
As 5G and IoT proliferation sweeps across the planet, businesses and consumers are benefiting greatly from increased connectivity. However, this connectivity is also introducing greater risks and security concerns than ever before. Gartner forecasts that there will be 5.81 billion IoT endpoints this year, and IDC estimates the number of IoT devices will grow to 41.6 billion in 2025. Despite these staggering statistics, IoT is still in its infancy. I liken it to the Wild West, where companies come and go, regulations and standards are undefined, and security is often an afterthought. This lawlessness can have significant consequences, as we saw in 2016 when the Mirai botnet attacked the domain name system (DNS) provider Dyn. The attack hijacked IoT devices such as home routers, security cameras, and air quality monitors to mount a distributed denial-of-service attack that prevented users from accessing major internet platforms and services in the United States and Europe.
Today, the security research community is able to identify many of these cyberattacks quickly, and solutions are distributed to patch the exploited software. These solutions are applied the same way a doctor prescribes medicine to treat a disease. As new diseases are discovered, new medicines must be developed and dispensed. Security researchers are similarly developing new software patches to address newly discovered vulnerabilities. We call this the “patch and pray” mentality.
Every time a new software vulnerability that exploits hardware is identified, a new software patch is issued. However, these patches only address the software layer and do not actually “treat” the underlying problem in the hardware, leaving it open to the creation of new exploits. In the medical field, this type of treatment regimen is expensive and doesn’t cure the disease. In recent years, physicians have been advocating preventive medicine to treat the root causes of chronic diseases. Similarly, we need to adapt and find a better way to protect our computer systems.
Nowadays, embedded computers use multiple pieces of free software or open source utilities that are maintained and updated by the open source community. However, many such computers—with applications in sectors such as Industry 4.0, medical, and automotive—are rarely if ever provided with updated software; they simply continue to run old versions with known vulnerabilities. This slow update cycle persists even for devices built on open source components, because any update to the kernel or drivers requires the device to be requalified to make sure the changes do not break the system.
Requalifying a device is expensive and even more costly when a new version of an operating system is involved. Often this is not even possible, since many companies outsource part or all of the development of their underlying hardware and software platforms in the form of licensed intellectual property (IP). These third-party components are usually licensed for a prebuilt function or as binary blobs and black boxes. The original equipment manufacturer (OEM) cannot modify these proprietary software components without additional licenses.
The net result is that individual third-party IP components are often not updated and only support certain versions of an operating system and software stack, further preventing the device that uses them from being updated. Additionally, the cost of supporting hardware devices is so large that many companies outsource technical support and device management to third-party companies who were not involved with the original development. This provides another barrier to updates; bugs can go unnoticed or unreported back to the development team. It’s also possible that the original team might no longer exist or might have moved on to its next project.
Because of these issues, protection from malware often requires a hardware upgrade. Take, for example, the cell phone market. Updates are often slow or nonexistent if you are not using one of the major brands. The market leaders are able to provide updates because they have tight control of their supply chains and enjoy sales volumes sufficient to recoup their costs. Even then, they keep this up only for a few years before the consumer is forced to upgrade. In between these hardware updates, software updates are employed in the form of the “patch and pray” approach.
DARPA’s System Security Integrated Through Hardware and Firmware (SSITH) program seeks to break this cycle of vulnerability exploitation by developing hardware security architectures that protect systems against entire classes of hardware vulnerabilities targeted by these software exploits. SSITH’s philosophy: by treating the problem at its root—the hardware—it can end the need for continual “patch and pray” cycles.
Working with the National Institute of Standards and Technology (NIST), we have grouped the MITRE CWE database of vulnerabilities into seven hardware classes. Our research teams have been developing novel methods to stop buffer errors, privilege escalations, resource management attacks, information leakage attacks, numeric errors, code injection attacks, and cryptographic attacks. This approach has shown promising results with minimal impact on power, performance, chip area, and software compatibility. These architectural techniques can be incorporated into the entire range of computer hardware, scaling from IoT endpoints to mobile phones to advanced servers and, ultimately, to supercomputers.
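To see what stopping buffer errors at the architectural level means, consider a software analogue of the policy such hardware enforces: every pointer carries its bounds, and an access outside them is refused rather than silently executed. The sketch below is only an illustration of the policy, not any SSITH design (which performs this enforcement in hardware); the `bounded_buf` type and `checked_copy` function are invented for the demo:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A pointer bundled with the size of the region it may touch. */
typedef struct {
    char  *base;
    size_t size;
} bounded_buf;

/* Refuses any copy that would exceed the destination's bounds.
 * Where this function returns false, bounds-enforcing hardware would
 * raise a fault instead of performing the out-of-bounds write. */
bool checked_copy(bounded_buf dst, const char *src, size_t len) {
    if (len > dst.size)
        return false;
    memcpy(dst.base, src, len);
    return true;
}
```

The overflow that succeeds against unchecked hardware simply fails here, which is why a single architectural mechanism can neutralize an entire vulnerability class rather than one exploit at a time.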
One of the challenges when developing secure hardware is quantifying performance. Since there are no agreed upon standards for doing this, SSITH has developed a security evaluation tool to analyze hardware architectures. This tool quantifies the impacts of security on performance, area, and power consumption while using a battery of synthetic software tests to benchmark the hardware designs for security coverage.
To help further mature the SSITH hardware designs and the security benchmark software, DARPA is conducting its first bug bounty program, entitled Finding Exploits to Thwart Tampering (FETT). Run in partnership with the Department of Defense’s Defense Digital Service and the crowdsourced security company Synack, FETT takes a crowdsourced red team approach to testing and analyzing the initial versions of the SSITH technology. From July to September 2020, members of the Synack Red Team will use their best techniques to attack and stress test this technology. By addressing any discovered weaknesses and vulnerabilities, the SSITH research teams will be able to further harden their novel defenses while making computer hardware safer for everyone.
About the Author:
Keith Rebello is program manager at DARPA’s Microsystems Technology Office.