DARPA Stress Tests its Hardware-Centric Security Approach
Several years ago, the Defense Advanced Research Projects Agency launched a cyber security effort designed to replace commonly used security patches for software applications with the ability to spot hardware vulnerabilities at their source.
Researchers working under the initiative, System Security Integration Through Hardware and Firmware (SSITH), have developed secure architectures and tools to protect embedded IoT devices and sensitive databases from common hardware vulnerabilities exploited via software.
The agency now wants to harden those protections by allowing ethical hackers, researchers and “reverse engineers” to hunt for weaknesses and flaws as part of a bug bounty program. The Finding Exploits to Thwart Tampering, or FETT, initiative will use a crowdsourced approach that includes vetted researchers from Synack, a “trusted” security vendor, and its AI and machine learning tools.
“FETT will open SSITH’s hardware security protections to a global community of ethical researchers with expertise in hardware reverse engineering to detect potential vulnerabilities, strengthen the technologies and provide a clear path to disclosure,” said Keith Rebello, DARPA’s program manager leading the security effort.
Once bounty hunters spot software bugs, security flaws and other potential vulnerabilities, the findings are passed on through a disclosure framework. Developers can then apply those findings to plug security gaps.
DARPA said Monday (June 8) its approach differs from other bug bounty efforts by including a holistic “red teaming” approach, so-called because a separate group of ethical hackers provides an adversarial perspective meant to challenge assumptions, overcome bias and ultimately provide better solutions.
The bug bounty effort also will look beyond traditional software code evaluation by providing red team members with hardware instances. Security researchers will be given access to cloud-based emulations. Those FPGA-based emulations include a RISC-V processor core modified to include hardware security protections developed under the SSITH program. The accompanying software stack includes known vulnerabilities, including buffer, configuration and resource management errors, along with SSITH hardware protections.
“Security researchers will be tasked with devising novel exploit mechanisms to bypass the hardware security protections and sharing their findings through the established disclosure process,” the agency said.
The bug bounty effort will extend from July to September 2020 to allow for deeper analysis and testing of the hardware security approach.
Since the DARPA program was launched, university and industry security researchers have explored different hardware design approaches. Among their conclusions was the need for techniques that provide more information to hardware about specific software tasks.
The hope is that a hardware-centric security approach can improve defenses while guarding against accidental and malicious vulnerabilities.
Bounty hunters also will focus on application frameworks used for sensitive systems like medical records databases, password authentication systems and other platforms that incorporate SSITH hardware defenses.
The FETT bug bounty program also includes vulnerable applications like a web-based voter registration system. DARPA hopes to demonstrate that hardware defenses can shield underlying voter information from hackers despite the presence of software vulnerabilities.
The goal is “to show how SSITH technologies could help protect critical infrastructure, and potentially prevent the erosion of trust in things like our election process or healthcare systems,” said Rebello.