Legend has it that John Quincy Adams, while serving in the U.S. House of Representatives, positioned his desk in the U.S. Capitol’s Statuary Hall so he could overhear the conversations of the opposition across the room. As the story goes, the curious acoustical “whispering gallery” produced by the hall’s ceiling design allowed Adams to exploit this effect, unintended but inherent in the architecture, by turning an integral feature of the building against his opponents.
Fast forward to modern times. Cyber attackers similarly hunt for exploits in computing systems via a phenomenon colloquially described as “weird machines.” Simply translated, the phrase means that a system’s own design and features can accidentally help an attacker operate the system in ways never intended. Unrelated, benign features across the system unwittingly add up to an unexpected or emergent execution engine that is ready to run attackers’ exploits.
For the Hardening Development Toolchains Against Emergent Execution Engines (HARDEN) program, DARPA selected teams to create practical tools that will prevent exploitation of integrated computing systems by disrupting the patterns of robust, reliable exploits used by attackers, and depriving the attackers of emergent execution engines.
“Weird machines can provide tremendous advantages to attackers who manage to discover and control emergent behaviors in their targets,” said Sergey Bratus, HARDEN program manager in DARPA’s Information Innovation Office. “HARDEN aims to deny these advantages, by combining ethical hackers’ growing understanding of how attackers turn parts of modern computing systems against the whole with the pioneering formal methods and automated software analysis developed with DARPA’s support. It stands to reason that ethical hackers and non-traditional performers play a key role in HARDEN.”
Attackers increasingly target the software that runs when computers boot up so they can dodge security protections before they are activated. These parts of computing systems provide the “root of trust” for the rest of the system; that is, compromising them destroys the system’s trustworthiness. HARDEN will apply its combination of ethical hacker insights, mathematical models, and automation to secure the critical root-of-trust parts of systems.
The program will run for 48 months and is organized into three phases: Phases 1 and 2 will each last 18 months, followed by a 12-month Phase 3. Work performed by HARDEN teams will span several major technical areas, such as developing tools for software developers to account for emergent behaviors and creating models of emergent execution. Notably, several organizations selected for HARDEN are direct descendants of DARPA’s Cyber Fast Track program and Cyber Grand Challenge, both of which reached out to the ethical hacking community and helped diversify and grow its ranks. The selected performers include:
- Arizona State University
- Kudu Dynamics
- Narf Industries
- River Loop Security
- Riverside Research Institute
- University of California, Santa Barbara
An additional performer may be added, pending contract finalization.
Cromulence and the University of Illinois Urbana-Champaign will serve as proxies for the offense and test the effectiveness of the proposed mitigations. Northrop Grumman will serve as the integration and systems engineering evaluator.
According to Bratus, these teams include a number of the world’s leading experts in exploiting and defending root-of-trust and embedded systems.