Whilst participatory practice is increasingly adopted in end user studies, there has been far less use of a participatory approach when designing lower down the software stack. As a result, end users are often presented with security controls over which they have no control but for which they retain the responsibility. Conversely, hardware and software engineers struggle to innovate new security control designs that are resilient to new and emerging threats. In a study utilising ethnographic research and stakeholder interviews, we show that there is a siloing of communities of practice between hardware security engineers, software engineers and coders, manufacturers in the technology supply chain and end users. Our findings indicate that this siloing and a lack of participatory practice impede the development of a more cohesive digital security design that integrates security through the stack from the hardware layer upwards to the OS and application layers. These barriers make it difficult to negotiate between what is possible lower down the stack and what is needed and wanted higher up the stack. Our findings suggest that a more holistic and comprehensive participatory design approach is required to negotiate a digital security by design paradigm that more evenly distributes power over and responsibility for security controls throughout the stack. Working with the HCI literature on co-production in design, this paper will suggest that a pathway for breaking through this impasse is to utilise objects in the design process of the hardware secure instruction set architecture as a feedback mechanism to incorporate other sets of designers and users in the design process to create a more workable stack.
|Title||Proceedings of the 2022 New Security Paradigms Workshop, NSPW 2022|
|Publisher||Association for Computing Machinery|
|Publication date||24 Oct 2022|
|Status||Published - 24 Oct 2022|
|Event||2022 New Security Paradigms Workshop, NSPW 2022 - North Conway, USA|
Duration: 24 Oct 2022 → 27 Oct 2022
|Conference||2022 New Security Paradigms Workshop, NSPW 2022|
|Period||24/10/2022 → 27/10/2022|
|Name||ACM International Conference Proceeding Series|
Bibliographical note
Funding Information:
We would like to thank our participants for the time and effort they spent engaging with us. Contributions from Slesinger, Coles-Kemp, and Panteli were funded by ESRC, grant number: ES/V003666/1. For the purpose of open access, the author has applied a Creative Commons Attribution (CC BY) licence to any Author Accepted Manuscript version arising.
In 2019, the Digital Security by Design programme was launched by UKRI in cooperation with DCMS and the NCSC with funding from the Industrial Challenge Research Fund (ICRF). The DSbD programme seeks to develop a security ecosystem in which CHERI can operate. The stated purpose of DSbD is to break the cycle of a perceived “market failure” blocking the wholesale adoption of hardware security. This market failure is defined in two ways. One is the ‘chicken-and-egg’ cycle whereby technology enterprises don’t want to take the financial risk of developing new security hardware without the software ecosystem to support it. The other is the unwillingness of the market to pay a negative externality for digital security where the return on investment and benefits are unclear or intangible. To date one of the most tangible outputs of DSbD is Arm’s Morello programme which has developed an experimental hardware demonstration board implementing CHERI within the ARM ISA. This experimental prototype is being trialled by SME and larger-scale enterprises to identify uses, relevant features and to develop some of the software interface necessary to create a viable CHERI stack.
© 2022 ACM.