DARPA makes hardware bug bounty platform open source
Defense Advanced Research Projects Agency (DARPA) has made its hardware vulnerability disclosure platform for white-hat hackers open source.
The platform, known as Finding Exploits to Thwart Tampering (FETT), was first launched last year, and the agency hopes that moving to an open-source structure will help ethical hackers to spot flaws with chip design and aid the creation of new processor prototypes.
The system virtualizes hardware and firmware, giving hackers a full range of access to chip designs before they are produced and installed into agency systems.
“We see value in making this research available to the broader [research and development] community for testing and evaluating processor designs to ensure they are robust and secure,” said Keith Rebello, the DARPA program manager leading FETT’s parent program, System Security Integration Through Hardware and firmware (SSITH). “Our aim is for researchers and developers to leverage the SSITH security evaluation framework to help create a common security benchmark that can be used to compare secure processor designs.”
DARPA teamed up with penetration testing company Synack to supply and vet hackers and software company Galois to build the platform. DARPA called the platform a “first-of-its-kind infrastructure” to virtually crowdsource the analysis of future processor technologies and find security gaps before chips are finalized as a means to break the so-called “patch-and-pray” cycle.
The types of exploits the program hopes ethical hackers will find before adversaries do are common classes of hardware vulnerabilities exploited through software that target electronic systems in a chip.
“It’s not about patching the vulnerabilities, it’s about preventing the exploit,” Synack CTO Mark Kuhr told CyberScoop when the program launched.
DARPA has also moved to an open-source structure for the baseline RISC-V processor designs used by the SSITH program. The designs provide a jumping-off point for developers and allow prototypes to be tested in a virtual environment before being produced.