About halfway into a bug bounty program, security researchers haven’t yet broken into systems protected by the System Security Integrated Through Hardware and Firmware program.
The Defense Advanced Research Project Agency has found it made a good choice betting on secure hardware.
About halfway into its three-month Finding Exploits to Thwart Tampering (FETT), bug bounty program, security researchers haven’t yet hacked into systems protected by System Security Integrated Through Hardware and Firmware program. Launched in 2017, SSITH is designed to secure electronic systems with hardware security architectures and tools that protect against common classes of hardware vulnerabilities regularly exploited through software.
"I'm happy to report, as of today, no one has successfully penetrated our SSITH defenses," Keith Rebello, the program manager for the microsystems technology office at DARPA, said during the agency's microelectronics conference Aug. 18.
DARPA is moving to adapt the system to fit DOD's needs, and the technology is now being used in commercial application-specific integrated circuit designs, Rebello said. DARPA is planning to create SSITH application-specific chips for DOD applications.
Rebello said continuous monitoring for software vulnerabilities, which can often target underlying hardware, can hinder computer systems' performance while better hardware that can detect and prevent cyberattacks would "obviate the need for software patches," he said.
Cyber vulnerabilities are a constant and evolving threat that aren't likely to be completely eradicated. But Rebello said SSITH's capabilities could eliminate entire classes of cyber vulnerabilities, such as buffer overflow exploits and computer memory attacks.
DARPA is also developing enhanced security benchmarking software tools that measure computer systems' security performance.
FETT is DARPA's first crowd-sourced bug bounty program and is expected to run through September. During a July 30 call with reporters, DARPA Acting Director Peter Highnam said the effort is one of many to "ensure that DOD always has access to secure chips," which has been an issue of growing concern.
"How to take an existing architecture from whichever country we buy them from, whether it's a special purpose device or a regular CPU, and what else do you add to it to ensure that device honors the machine, honors the model that the manufacturer claims, and how do you embed that within the design process without incurring additional overhead? I think this type of work is incredibly exciting because this is embedding security for all of us and with clear DOD needs," Highnam said.
Highnam said the bounty program garnered 500 entries.
"We've really just opened this up to the people to give it a shot, see if you can break these things," Highnam said.
There is a monetary bounty with an amount that varies by the attack's sophistication, but it wasn't publicly listed. However the acting director said it's more about notoriety than money.
"Fame and glory I think is part of it. For an academic team this is a huge deal," he said.
This article was first posted to FCW, a sibling site to GCN.