DARPA’s first bug bounty targets hardware-based security

The Defense Advanced Research Projects Agency is inviting security researchers to find vulnerabilities in its System Security Integration Through Hardware and Firmware systems.

Launched in 2017, SSITH aims to secure electronic systems with hardware security architectures and tools that protect against common classes of hardware vulnerabilities regularly exploited through software. DARPA’s first bug bounty program, called the Finding Exploits to Thwart Tampering ( FETT) program, will be held in partnership with the Department of Defense’s Defense Digital Service and Synack, a crowdsourcing security company.

Participants will try to penetrate the SSITH hardware security schemes developed by researchers at SRI International, the University of Cambridge, the Massachusetts Institute of Technology, the University of Michigan and Lockheed Martin. Their approaches generally involve providing the hardware with more information about what the attacking software is trying to do so it can become an active participant in its own defense, DARPA officials said. The SSITH development teams are working with Galois, a computer science research and development company, to move the hardware instances systems to the cloud for the evaluations.

The emulated systems will be running in an Amazon Web Services EC2 F1 cloud. Each emulated system is based on field-programmable gate array semiconductors and includes a RISC-V processor core that has been modified to include the SSITH hardware security.

According to DARPA, each emulated system’s software stack will contain SSITH hardware security protections as well as common vulnerabilities, such as buffer errors, information leakage, resource management and numeric errors. Security researchers will be tasked to devise exploit mechanisms that bypass the hardware security protections.

The FETT challenge is expected to run from July to September 2020.

“There is a lot of complexity associated with hardware architectures, which is why we wanted to provide ample time for interested researchers to understand, explore, and evaluate the SSITH protections,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. 

Before security researchers and ethical hackers can join the FETT program as a Synack red team members, they must first qualify through a capture-the-flag challenge. After they are approved, participants will see a number of applications using SSITH defenses, including a medical records database system, a password authentication system for PCs and a web-based voter registration system that aims to “protect the underlying voter information from manipulation or disclosure, even in the presence of vulnerabilities in the system's software,” Rebello said.  

This article first appeared on GCN, a partner site of Defense Systems.