DARPA completes FETT bug bounty review
After three months of reviewing more than 13,000 hours of hacking exploits conducted by more than 580 cybersecurity researchers, DARPA announced on January 28 that its Finding Exploits to Thwart Tampering (FETT) Bug Bounty successfully proved the value of the secure hardware architectures developed under its System Security Integration Through Hardware and Firmware (SSITH) program while pinpointing critical areas to further harden defenses.
From July-October 2020, DARPA held its first ever bug bounty program – a crowdsourced, red team exercise used to evaluate and analyze a technology’s defenses. DARPA partnered with the Department of Defense’s Defense Digital Service (DDS), a self-described SWAT team within the Department of Defense, and Synack, a crowdsourced security platform on this effort. More than 980 SSITH processors were tested by Synack’s existing community of researchers and 10 valid vulnerabilities were discovered across all of the secure architecture implementations. FETT leveraged Synack’s penetration testing process to conduct the bug bounty and facilitate communications about the discovered weaknesses. FETT is part of the “Hack the Pentagon” crowdsourced digital defense program operated by DDS.
The SSITH program aims to develop security architectures and tools that protect electronic systems against common classes of hardware vulnerabilities exploited through software. To help test and evaluate their research efforts, the teams working on SSITH integrated their novel hardware security protections into FPGA-based emulated systems with RISC-V processor cores. Full software stacks were built on top of each system, which were populated with vulnerable applications that could be exploited on unprotected processors. These emulated systems were then provided to the Synack Red Team (SRT) – the organization’s cohort of security researchers – via Amazon Web Services (AWS) EC2 F1 cloud. Once live, the SRT had several months to virtually access the secure processor technology and devise exploit mechanisms to challenge their defenses.
“Knowing that virtually no system is unhackable, we expected to discover bugs within the processors but FETT really showed us that the SSITH technologies are quite effective at protecting against classes of common software-based hardware exploits,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. “The majority of the bug reports did not come from exploitation of the vulnerable software applications that we provided to the researchers, but rather from our challenge to the researchers to develop any application with a vulnerability that could be exploited in contradiction with the SSITH processors’ security claims. We’re clearly developing hardware defenses that are raising the bar for attackers.”
FETT ran for three months and during that time only 10 vulnerabilities were disclosed by the SRT – seven were considered “critical” and three were considered “high” by Common Vulnerability Scoring System 3.0 standards. A majority of the critical vulnerabilities identified during FETT resulted in weaknesses introduced by interactions between the SSITH hardware, SSITH firmware, and the operating system software. This signals that there is an opportunity to investigate approaches for hardware/software co-design and verification approaches that span the hardware-firmware-software boundary to better secure the system.
During the course of the FETT bug bounty, four of the discovered vulnerabilities were patched and validated by the SRT. The SSITH research teams are expected to mitigate the remaining vulnerabilities during the third phase of the program, or outside of the funded effort.
“FETT challenged performers and greatly matured the architectures in development,” noted Rebello. “Several of the research teams were driven to document the use and benefits of their security frameworks in a rigorous and understandable way, which will ultimately help third parties understand and adopt these secure processors for operational use. Further, the FETT bug reports provided actionable information that is helping to drive Phase 3 development on SSITH.”