DARPA has announced that its first Bug Bounty program–Finding Exploits to Thwart Tampering (FETT)–has opened its virtual doors to a community of ethical hackers and cybersecurity researchers to uncover potential weaknesses within novel secure processors in development on the System Security Integration Through Hardware and Firmware (SSITH) program.
DARPA has partnered with the Department of Defense’s Defense Digital Service (DDS) and Synack, a trusted crowdsourced security company, on this effort. FETT is utilizing Synack’s existing community of vetted ethical researchers, called the Synack Red Team (SRT), its artificial intelligence and machine learning enabled technology, and its crowdsourced security testing platform to execute the security engagement. The goal is to enable the research teams working under SSITH to improve their hardware defenses by addressing any discovered weaknesses or bugs following the conclusion of FETT.
To enable even greater participation in FETT from the global cybersecurity community, Synack recently conducted a Capture-the-Flag (CTF) qualifier event that provided interested cyber enthusiasts with a chance to earn a Technical Assessment “Fast Pass” to the Synack Red Team. Anyone who successfully completed the qualifier and met certain legal verification requirements now has access to FETT and the SSITH defenses for analysis.
“Over 500 researchers registered for Synack’s open Capture-the-Flag qualifier and 24 ultimately qualified for the Technical Assessment ‘Fast Pass’, which is attributed to the high bar set for skilled participants,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. “We are encouraged by the level of interest we’re seeing in our effort and the positive turnout from the cybersecurity community to help improve electronic system security for all.”
Qualified participants, including those on Synack’s platform as well as the newly qualified candidates, will now gain access to several instances of the SSITH secure processors. At the launch of FETT, five instances will be available for hacking while an additional three will be made available throughout the duration of the bug bounty program. These secure processors map to the target systems that SSITH aimed to develop during the first two phases of the program, which include 32-bit and 64-bit processors that use the novel defenses.
Within FETT, security researchers will analyze and explore secure hardware architectures and approaches developed by research teams from the University of Cambridge and SRI International; University of Michigan; Lockheed Martin; and Massachusetts Institute of Technology.
University of Cambridge and SRI International
Researchers from Cambridge and SRI International have developed an approach called Capability Hardware Enhanced RISC Instructions (CHERI) that is a fundamental rethinking of the way systems access memory. With CHERI, the team reimagined the hardware, the software, and the instruction set architecture (ISA)–the interface between the two–and how they interact. Conventional hardware instruction sets, and the C/C++ programming languages relied on since the 1970s, provide only coarse-grained memory protection, which allows ordinary coding errors to turn into exploitable security vulnerabilities. To combat this, the researchers developed a hardware architecture that enforces fine-grained memory protection using what are called capabilities: memory references that carry the address range they may reach, how that memory may be accessed (for example read, write or execute), and what functionality may be used to access it. A conventional pointer is just an address and carries none of this, so the hardware trusts whatever address the software presents, leaving the system open to exploits that abuse that trust. A capability system grants access to resources only through capabilities, thus controlling how CPUs, programming languages, and operating systems are able to access memory.
The CHERI capability system also supports fine-grained software compartmentalization, further bolstering the system against attack. Today, exploiting a vulnerability in one piece of code can compromise the whole program. With compartmentalization, large pieces of software, like an operating system, are decomposed into smaller pieces of critical code that are then isolated in individual compartments. If a vulnerability is exploited within one compartment, the affected code is isolated, or compartmentalized, from the rest of the software, and the larger program continues to run unaffected.
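The paragraph above describes what a capability carries (bounds, permissions, validity) and why a raw pointer cannot stop an out-of-bounds write. The following C program is an added example written for this article, not CHERI's own code or encoding: it models a capability as a software fat pointer and runs the same overflowing copy twice, once through a raw pointer and once through a capability bounded to the target field. The memory layout (an 8-byte name followed by a privilege flag), the permission bits and the function names are constructed for the illustration; on real CHERI hardware the equivalent checks are performed by the CPU on every load and store.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_READ  0x1u
#define CAP_WRITE 0x2u

/* Software model of a CHERI-style capability: a pointer that carries the
 * bounds and permissions of the object it refers to, plus a validity tag.
 * Illustration only; not CHERI's real 128-bit compressed encoding. */
typedef struct {
    uint8_t *base;    /* lowest address the capability may touch */
    size_t   length;  /* bytes accessible starting at base */
    uint32_t perms;   /* CAP_* bits */
    bool     tag;     /* false once the capability has been invalidated */
} cap_t;

/* Derive a narrower capability. Monotonicity: bounds may only shrink and
 * permissions may only be dropped; trying to widen yields an untagged one. */
static cap_t cap_restrict(cap_t parent, size_t off, size_t len, uint32_t perms) {
    bool widen = !parent.tag || off > parent.length
              || len > parent.length - off || (perms & ~parent.perms) != 0;
    cap_t c;
    c.base   = widen ? parent.base : parent.base + off;
    c.length = widen ? 0 : len;
    c.perms  = perms & parent.perms;
    c.tag    = !widen;
    return c;
}

/* The check hardware performs on every load and store. */
static bool cap_check(const cap_t *c, size_t idx, size_t n, uint32_t need) {
    return c->tag && (c->perms & need) == need
        && idx <= c->length && n <= c->length - idx;
}

/* Byte store through a capability; false where real hardware would trap. */
static bool cap_store8(cap_t *c, size_t idx, uint8_t v) {
    if (!cap_check(c, idx, 1, CAP_WRITE)) return false;
    c->base[idx] = v;
    return true;
}

/* Constructed layout: an 8-byte name field followed immediately by a
 * privilege flag, the shape of many real overflow targets. */
enum { NAME_OFF = 0, NAME_LEN = 8, ADMIN_OFF = 8, REGION_LEN = 16 };

/* Conventional C: copy through a raw pointer. Nothing stops the loop from
 * running past name[] into the flag. (The REGION_LEN clamp only keeps this
 * model well-defined; it stands in for "the rest of the stack".) */
int copy_raw_then_admin(const char *input) {
    uint8_t mem[REGION_LEN] = {0};
    uint8_t *name = mem + NAME_OFF;
    size_t n = strlen(input);
    if (n > REGION_LEN) n = REGION_LEN;
    for (size_t i = 0; i < n; i++) name[i] = (uint8_t)input[i];
    return mem[ADMIN_OFF];
}

/* Same copy through a capability bounded to name[]: the ninth store fails
 * the bounds check and is refused, so the flag is never reached. */
int copy_cheri_then_admin(const char *input, size_t *stored) {
    uint8_t mem[REGION_LEN] = {0};
    cap_t root = { mem, REGION_LEN, CAP_READ | CAP_WRITE, true };  /* from the OS/runtime */
    cap_t name = cap_restrict(root, NAME_OFF, NAME_LEN, CAP_READ | CAP_WRITE);
    size_t i = 0;
    for (; input[i] != '\0'; i++)
        if (!cap_store8(&name, i, (uint8_t)input[i])) break;   /* trap */
    if (stored) *stored = i;
    return mem[ADMIN_OFF];
}

/* Capabilities cannot be forged upward: re-widening a read-only capability to
 * the whole region with write permission leaves it untagged, and the
 * read-only one itself still refuses writes. */
bool forged_capability_is_unusable(void) {
    uint8_t mem[REGION_LEN] = {0};
    cap_t root  = { mem, REGION_LEN, CAP_READ | CAP_WRITE, true };
    cap_t name  = cap_restrict(root, NAME_OFF, NAME_LEN, CAP_READ);
    cap_t wider = cap_restrict(name, 0, REGION_LEN, CAP_READ | CAP_WRITE);
    return !wider.tag && !cap_store8(&wider, 0, 'x') && !cap_store8(&name, 0, 'x');
}

int main(void) {
    const char *attack = "AAAAAAAA\x01";   /* fills name[], then one byte into the flag */
    size_t stored = 0;
    printf("raw pointer: is_admin=%d\n", copy_raw_then_admin(attack));
    printf("capability : is_admin=%d (%zu bytes stored before trap)\n",
           copy_cheri_then_admin(attack, &stored), stored);
    return 0;
}
```

The point to take from the model is that the check is not in the program: the copy loop is identical in both cases, and it is the reference itself that refuses the ninth store. The monotonic derivation in cap_restrict is what makes compartmentalization possible, since a compartment handed a narrow capability has no way to manufacture a wider one.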
Starting at the program’s launch, researchers will have access to a 64-bit CPU base instance with the CHERI approach embedded. To demonstrate how the defenses work, the SRI and Cambridge team has incorporated its secure hardware architecture into a demonstration voter registration database system with synthetically generated voter data, running on a FreeBSD distribution with its userland and common applications.
University of Michigan
Under SSITH, researchers from the University of Michigan have developed a secure hardware architecture called Morpheus that utilizes an ensemble of moving-target defenses and churn to protect against attacks that exploit the gap between program-level and machine-level semantics. With Morpheus, the researchers developed a hardware-based encryption scheme for all pointers, coupled with other techniques that force attackers to extensively probe the system before attempting an attack, making it impractically difficult to penetrate. The approach essentially blocks potential attacks by encrypting and randomly reshuffling key bits of code and data 20 times per second. According to University of Michigan researchers, even if a hacker finds a bug, the information needed to exploit it vanishes 50 milliseconds later. Because the system periodically churns its encryption keys and random mappings, exploitable assets are invalidated before an attacker can get close to using them.
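The mechanism above turns on one detail: when the key churns, the hardware re-encrypts every pointer the program legitimately holds, but a copy an attacker leaked out earlier is not re-encrypted and so stays bound to a key that no longer exists. The following C program is an added example for this article, not the University of Michigan's code; it models only the pointer-encryption and rekeying part of Morpheus (not the reshuffling of code and data), and the cipher, the 50 ms period, the splitmix64 key schedule, the constructed code address and all function names are assumptions of the model. An attacker who leaks an encrypted code pointer and uses it within the same churn period lands on the target; one who waits past the next churn does not, while the program's own pointer keeps working across any number of churns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHURN_PERIOD_MS 50   /* 20 churns per second, as described above */
#define MAX_LIVE 8

/* Stand-in pointer cipher for this model only (Morpheus's real scheme is not
 * this): XOR with a per-epoch key is all the demonstration needs. */
static uint64_t ptr_encrypt(uint64_t p, uint64_t key) { return p ^ key; }
static uint64_t ptr_decrypt(uint64_t c, uint64_t key) { return c ^ key; }

/* Deterministic key schedule (splitmix64) so the run is reproducible; real
 * hardware draws fresh random keys. Distinct states give distinct keys. */
static uint64_t next_key(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* The machine: current key and epoch, plus the pointers the running program
 * legitimately holds (registers, stack, heap), all stored encrypted. */
typedef struct {
    uint64_t rng, key, epoch;
    uint64_t live[MAX_LIVE];
    size_t   nlive;
} machine_t;

static void machine_init(machine_t *m, uint64_t seed) {
    m->rng = seed; m->epoch = 0; m->nlive = 0;
    m->key = next_key(&m->rng);
}

/* The program stores a pointer: hardware encrypts it under the current key. */
static size_t machine_store_ptr(machine_t *m, uint64_t plain) {
    m->live[m->nlive] = ptr_encrypt(plain, m->key);
    return m->nlive++;
}

/* Churn: pick a new key and re-encrypt every live pointer so the legitimate
 * program keeps working. A copy leaked out of the machine earlier is not
 * re-encrypted, so it is bound to a key that no longer exists. */
static void machine_churn(machine_t *m) {
    uint64_t newkey = next_key(&m->rng);
    for (size_t i = 0; i < m->nlive; i++)
        m->live[i] = ptr_encrypt(ptr_decrypt(m->live[i], m->key), newkey);
    m->key = newkey;
    m->epoch++;
}

/* Advance the clock, churning once per CHURN_PERIOD_MS. */
static void machine_tick(machine_t *m, uint64_t *clock_ms, uint64_t delta_ms) {
    uint64_t from = *clock_ms / CHURN_PERIOD_MS;
    *clock_ms += delta_ms;
    for (uint64_t to = *clock_ms / CHURN_PERIOD_MS; from < to; from++)
        machine_churn(m);
}

/* Using a pointer: hardware decrypts it under the key current at that moment. */
static uint64_t machine_deref(const machine_t *m, uint64_t enc) {
    return ptr_decrypt(enc, m->key);
}

/* Scenario: a bug lets the attacker read an encrypted code pointer out of
 * memory; delay_ms later they feed that copy back as a control-flow target.
 * Returns true if execution would land on the intended address. */
bool attack_lands(uint64_t delay_ms) {
    machine_t m; machine_init(&m, 0x1234);
    uint64_t clock_ms = 0;
    const uint64_t target = 0x00400ab0;          /* constructed code address */
    size_t slot = machine_store_ptr(&m, target);
    uint64_t leaked = m.live[slot];              /* the information leak */
    machine_tick(&m, &clock_ms, delay_ms);
    return machine_deref(&m, leaked) == target;
}

/* The legitimate program is unaffected: its own stored pointer still decrypts
 * correctly after any number of churns, because churn re-encrypted it. */
bool program_still_works(uint64_t delay_ms) {
    machine_t m; machine_init(&m, 0x1234);
    uint64_t clock_ms = 0;
    const uint64_t target = 0x00400ab0;
    size_t slot = machine_store_ptr(&m, target);
    machine_tick(&m, &clock_ms, delay_ms);
    return machine_deref(&m, m.live[slot]) == target;
}

int main(void) {
    printf("leak used after 10 ms:  %s\n", attack_lands(10) ? "lands" : "invalid");
    printf("leak used after 60 ms:  %s\n", attack_lands(60) ? "lands" : "invalid");
    printf("program after 1000 ms:  %s\n", program_still_works(1000) ? "ok" : "broken");
    return 0;
}
```

The design choice worth noting is that churn must find and re-encrypt every live pointer, which is why Morpheus does this in hardware: a software-only scheme would have to track all pointer-holding locations itself. The model also shows the limit of the defense as the paragraph states it: a leak that is used within the same 50 ms window still works, so the protection is a race the attacker must lose, not an absolute barrier.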
Within FETT, researchers will find a 32-bit microcontroller instance utilizing Morpheus at the launch. To demonstrate how this defense could work on an existing electronic system, the researchers have incorporated the technology into a medical records database server running on FreeRTOS that is housing synthetically generated COVID-19 data. Particularly relevant to the current global pandemic, the demonstration application seeks to show how Morpheus might be able to help defend against attacks on our critical medical infrastructure.
Lockheed Martin
The team from Lockheed Martin has developed an approach on SSITH called Hardware Architecture Resilience by Design (HARD), which aims to provide a lightweight hardware solution that does not require significant modifications to the main CPU pipeline. This approach uses a set of pipelines running in parallel to the primary CPU execution pathway, acting as a security co-processor that monitors the main CPU and stands ready to flag any malicious operations. The parallel pipelines monitor the stream of instructions executing on the main CPU pipeline, deriving the current semantic context from expected patterns of instructions while looking for an exploitation attempt.
Security researchers will find two instances from Lockheed Martin within FETT at its launch: a 32-bit microcontroller instance and a 64-bit CPU instance. Like the instances utilizing CHERI and Morpheus, the Lockheed Martin instances will demonstrate their functionality on demonstration applications. The 32-bit instance will be used with an IoT-based, over-the-air update client running on FreeRTOS, while the 64-bit CPU instance will be used with a demonstration voter registration database system with synthetically generated voter data, running on a Debian Linux distribution with its userland and common applications.
Massachusetts Institute of Technology (MIT)
Finally, the SSITH research team from MIT has developed a hardware platform called Sanctum, which utilizes an approach that seeks to eliminate entire attack surfaces through isolation, rather than plugging attack-specific information leaks. Without adding undue complexity, Sanctum provides enclaves–or software containers–with strong isolation properties and security guarantees. The approach uses a small, privileged security monitor called Sanctorum, which in conjunction with supporting techniques, provides isolation for enclaved processes across either space or time. This allows enclaves to share hardware resources for performance improvements, but ensures that the enclave state cannot be adversely impacted by external code in a data-dependent manner, either directly or indirectly.
At the launch of FETT, security researchers will have access to a 64-bit CPU instance with Sanctum. The demonstration Linux application will include secure enclaves protecting encryption keys and a password authentication manager.
Now live, the DARPA FETT Bug Bounty is expected to run through September 2020, providing SRT members with an extensive opportunity to analyze, explore, and disclose discovered weaknesses. Following the conclusion of FETT, the SSITH research teams will work to address any discovered and reported bugs to bolster the security of their hardware protections.