DARPA hardware-based security holding up against white-hat hackers

The Defense Advanced Research Projects Agency has found it made a good choice betting on secure hardware.

About halfway into its three-month Finding Exploits to Thwart Tampering (FETT) bug bounty program, security researchers haven't yet hacked into systems protected by the System Security Integrated Through Hardware and Firmware (SSITH) program. Launched in 2017, SSITH is designed to secure electronic systems with hardware security architectures and tools that protect against common classes of hardware vulnerabilities regularly exploited through software.

"I'm happy to report, as of today, no one has successfully penetrated our SSITH defenses," Keith Rebello, the program manager for the microsystems technology office at DARPA, said during the agency's microelectronics conference Aug. 18.

DARPA is moving to adapt the system to fit DOD's needs, and the technology is now being used in commercial application-specific integrated circuit designs, Rebello said. DARPA is planning to create SSITH application-specific chips for DOD applications.

Rebello said continuous monitoring for software vulnerabilities, which can often target underlying hardware, can hinder computer systems' performance, while better hardware that can detect and prevent cyberattacks would "obviate the need for software patches."

Cyber vulnerabilities are a constant and evolving threat that isn't likely to be completely eradicated. But Rebello said SSITH's capabilities could eliminate entire classes of cyber vulnerabilities, such as buffer overflow exploits and computer memory attacks.

DARPA is also developing enhanced security benchmarking software tools that measure computer systems' security performance.

FETT is DARPA's first crowd-sourced bug bounty program and is expected to run through September. During a July 30 call with reporters, DARPA Acting Director Peter Highnam said the effort is one of many to "ensure that DOD always has access to secure chips," which has been an issue of growing concern.

"How to take an existing architecture from whichever country we buy them from, whether it's a special purpose device or a regular CPU, and what else do you add to it to ensure that device honors the machine, honors the model that the manufacturer claims, and how do you embed that within the design process without incurring additional overhead? I think this type of work is incredibly exciting because this is embedding security for all of us and with clear DOD needs," Highnam said.

Highnam said the bounty program garnered 500 entries.

"We've really just opened this up to the people to give it a shot, see if you can break these things," Highnam said.

There is a monetary bounty with an amount that varies by the attack's sophistication, but it wasn't publicly listed. However, the acting director said it's more about notoriety than money.

"Fame and glory I think is part of it. For an academic team this is a huge deal," he said.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
