Kind of. However, I would venture most real-world attack scenarios do not leverage HW vulnerabilities. But wait, how do we know what is happening invisibly? And what about state actors? The answer is we do not know, but the economics do not change based on whether an attack is made visible or not. Attacks tend to follow and reveal the path of least impedance. If software attacks are working fine for most, why would anyone spend more on weaponizing a HW exploit?
I just feel like maybe 20 years ago people thought the hardware was the hardware and all the security issues were inevitably to be found in software. I mean, I know that people who work with hardware for a living always say that hardware has always been shit, but it really does feel now like everything is a security vulnerability, in a way that people weren’t looking for previously. Then again, maybe they were, and I just wasn’t paying attention. Ah, to be young and carefree again.
You are right. These days the lower layers are explored in greater detail. There was a noticeable shift over the last decade or so in mainstream security research. HW security has always been a subject of study, but there has been renewed interest in microarchitectural attacks since the late 2010s, when speculative execution was shown to be vulnerable.