DARPA’s First Bug Bounty Targets Hardware-based Security

The Defense Advanced Research Projects Agency is inviting security researchers to find vulnerabilities in its System Security Integration Through Hardware and Firmware systems.

Launched in 2017, SSITH aims to secure electronic systems with hardware security architectures and tools that protect against common classes of hardware vulnerabilities regularly exploited through software. DARPA’s first bug bounty program, called the Finding Exploits to Thwart Tampering (FETT) program, will be held in partnership with the Department of Defense’s Defense Digital Service and Synack, a crowdsourcing security company.

Participants will try to penetrate the SSITH hardware security schemes developed by researchers at SRI International, the University of Cambridge, the Massachusetts Institute of Technology, the University of Michigan and Lockheed Martin. Their approaches generally involve providing the hardware with more information about what the attacking software is trying to do so it can become an active participant in its own defense, DARPA officials said. The SSITH development teams are working with Galois, a computer science research and development company, to move the hardware instances systems to the cloud for the evaluations.

The emulated systems will be running in an Amazon Web Services EC2 F1 cloud. Each emulated system is based on field-programmable gate array semiconductors and includes a RISC-V processor core that has been modified to include the SSITH hardware security.

According to DARPA, each emulated system’s software stack will contain SSITH hardware security protections as well as common vulnerabilities, such as buffer errors, information leakage, resource management and numeric errors. Security researchers will be tasked to devise exploit mechanisms that bypass the hardware security protections.

The FETT challenge is expected to run from July to September 2020.

“There is a lot of complexity associated with hardware architectures, which is why we wanted to provide ample time for interested researchers to understand, explore, and evaluate the SSITH protections,” said Keith Rebello, the DARPA program manager leading SSITH and FETT.

Before security researchers and ethical hackers can join the FETT program as a Synack red team members, they must first qualify through a capture-the-flag challenge. After they are approved, participants will see a number of applications using SSITH defenses, including a medical records database system, a password authentication system for PCs and a web-based voter registration system that aims to “protect the underlying voter information from manipulation or disclosure, even in the presence of vulnerabilities in the system's software,” Rebello said.

Featured

Featured Cybersecurity

Webinars

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3