DARPA announces SSITH hardware bug bounty program

To help protect electronic systems from common means of exploitation, DARPA launched the System Security Integration Through Hardware and Firmware (SSITH) program in 2017. Instead of relying on patches to ensure the safety of our software applications, SSITH seeks to address the underlying hardware vulnerabilities at the source. Research teams are developing hardware security architectures and tools that protect electronic systems against common classes of hardware vulnerabilities exploited through software.

To help harden the SSITH hardware security protections in development, DARPA announced on June 8 its first ever bug bounty program called, the Finding Exploits to Thwart Tampering (FETT) Bug Bounty. FETT aims to utilize hundreds of ethical researchers, analysts, and reverse engineers to deep dive into the hardware architectures in development and uncover potential vulnerabilities or flaws that could weaken their defenses. DARPA is partnering with the DoD’s Defense Digital Service (DDS) and Synack, a trusted crowdsourced security company on this effort. In particular, FETT will utilize Synack’s existing community of vetted, ethical researchers as well as artificial intelligence (AI) and machine learning (ML) enabled technology along with their established vulnerability disclosure process to execute the crowdsourced security engagement.

Bug bounty programs are commonly used to assess and verify the security of a given technology, leveraging monetary rewards to encourage hackers to report potential weaknesses, flaws, or bugs in the technology. This form of public Red Teaming allows organizations or individual developers to address the disclosed issues, potentially before they become significant security challenges.

“The FETT Bug Bounty is a unique take on DARPA’s more traditional program evaluation efforts,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. “FETT will open SSITH’s hardware security protections to a global community of ethical researchers with expertise in hardware reserve engineering to detect potential vulnerabilities, strengthen the technologies, and provide a clear path to disclosure.”

While most bug bounty programs focus on software evaluation, FETT is unique in making hardware instances available for Red Teaming. Security researchers will be given access to emulated systems running in the Amazon Web Services (AWS) EC2 F1 cloud. Each emulated system is FPGA-based and includes a RISC-V processor core, modified to include the hardware security protections developed under SSITH. The software stack on each emulated system is expected to contain known vulnerabilities, with the SSITH hardware security protections intended to prevent exploitation of these vulnerabilities. These vulnerabilities will be based on common classes of security weaknesses as identified by the MITRE Common Weakness Enumeration Specification (CWE) and NIST, including buffer errors, information leakage, resource management, numeric errors, etc. Security researchers will be tasked with devising novel exploit mechanisms to bypass the hardware security protections and sharing their findings through the established disclosure process.

“There is a lot of complexity associated with hardware architectures, which is why we wanted to provide ample time for interested researchers to understand, explore, and evaluate the SSITH protections,” noted Rebello. While most of Synack’s crowdsourced security engagements run for two weeks or continuous year round, FETT is expected to run from July to September 2020 to allow for extensive analysis and testing of the hardware.

SSITH hardware security protections developed by researchers at SRI International and the University of Cambridge, the Massachusetts Institute of Technology (MIT), University of Michigan, and Lockheed Martin will be available for evaluation. Over the past two years, these research teams have explored a number of different design approaches and their techniques generally involve providing the hardware with more information about what the software is trying to do. With this insight, the hardware can become a more active participant in defense and guard against accidental or malicious transgressions. The research teams are working closely with Galois, a computer science research and development company, to transition the emulated systems to the cloud and support ongoing evaluation efforts.

To help demonstrate the pervasiveness of electronic systems and criticality of their security, researchers will see SSITH defenses used within a number of electronic system application frameworks. This will include a medical records database system, a password authentication system for personal computers, and several additional computer software programs that are utilizing SSITH’s protections.

“Among the vulnerable applications found in FETT is a web-based voter registration system. Successful integration of the SSITH hardware protection technologies aims to ultimately protect the underlying voter information from manipulation or disclosure, even in the presence of vulnerabilities in the system’s software. The goal with this demonstrator, as well as the other application systems, is to show how SSITH technologies could help protect critical infrastructure, and potentially prevent the erosion of trust in things like our election process or healthcare systems,” said Rebello.

Prior to the start of FETT, Synack is running a Capture-the-Flag (CTF) qualifier for any hacker, reverse engineer, or cybersecurity enthusiast interested in gaining access to the SSITH defenses. Security researchers that are not currently Synack Red Team (SRT) members will be provided an opportunity to earn a Technical Assessment ‘Fast Pass’ to join SRT (legal verification steps still required) through the CTF event. Current SRT members that meet the skills criteria will be granted access to the program throughout the life of the engagement. The CTF event is expected to run from June 15-29, 2020. Additional information is available at https://go.synack.com/darpa-ctf-registration-page.html.

Source: DARPA