The Defense Department’s top research body is betting big on the theory that better cybersecurity starts with hardware, and so far it’s proving to be right.
About halfway into its three-month bug bounty program called Finding Exploits to Thwart Tampering (FETT), crowd-sourced hackers haven’t yet been able to crack the Defense Advanced Research Projects Agency’s System Security Integrated Through Hardware and Firmware (SSITH) program.
“I’m happy to report, as of today, no one has successfully penetrated our SSITH defenses,” Keith Rebello, the program manager for the microsystems technology office at DARPA, said during the agency’s microelectronics conference Aug. 18.
DARPA is moving to incorporate the system to fit DOD’s needs, and the technology is now being used in commercial application-specific integrated circuit designs, Rebello said. DARPA is planning to create SSITH application-specific chips for DOD applications.
Rebello said continuous monitoring for software vulnerabilities, which can often target underlying hardware, can hinder computer systems’ performance while better hardware that can detect and prevent cyberattacks would “obviate the need for software patches,” he said.
Cyber vulnerabilities are a constant and evolving threat that aren’t likely to be completely eradicated. But Rebello said SSITH’s capabilities could eliminate entire classes of cyber vulnerabilities, such as buffer overflow exploits and computer memory attacks.
DARPA is also developing enhanced security benchmarking software tools that measure computer systems’ security performance.
FETT is DARPA’s first crowd-sourced bug bounty program between the Defense Digital Service and Synack that launched in July and is expected to run through September. During a July 30 call with reporters, DARPA Acting Director Peter Highnam said the effort is one of many to “ensure that DOD always has access to secure chips,” which has been an issue of growing concern.
“How to take an existing architecture from whichever country we buy them from, whether it’s a special purpose device or a regular CPU, and what else do you add to it to ensure that device honors the machine, honors the model that the manufacturer claims, and how do you embed that within the design process without incurring additional overhead? I think this type of work is incredibly exciting because this is embedding security for all of us and with clear DOD needs,” Highnam said.
Highnam said the bounty program garnered 500 entries.
“We’ve really just opened this up to the people to give it a shot, see if you can break these things,” Highnam said.
There is a monetary bounty with an amount that varies by the attack’s sophistication, but it wasn’t publicly listed. However the acting director said it’s more about notoriety than money.
“Fame and glory I think is part of it. For an academic team this is a huge deal,” he said.
This article first appeared on FCW, a Defense Systems partner site.