DARPA assesses value of System Security Integration Through Hardware and Firmware

Defense Advanced Research Projects Agency officials said a review of hacking exploits by cybersecurity researchers proved the value of System Security Integration Through Hardware and Firmware (SSITH) program.

“Knowing that virtually no system is unhackable, we expected to discover bugs within the processors, but Finding Exploits to Thwart Tampering (FETT) really showed us that the SSITH technologies are quite effective at protecting against classes of common software-based hardware exploits,” Keith Rebello, the DARPA program manager leading SSITH and FETT, said. “The majority of the bug reports did not come from exploitation of the vulnerable software applications that we provided to the researchers, but rather from our challenge to the researchers to develop any application with a vulnerability that could be exploited in contradiction with the SSITH processors’ security claims. We’re clearly developing hardware defenses that are raising the bar for attackers.”

DARPA noted three months of reviewing more than 13,000 hours of hacking actions from more than 580 cybersecurity researchers. Synack, a crowdsourced security platform tested more than 980 SSITH processors. FETT leveraged the existing community of researchers, and 10 valid vulnerabilities were discovered across all of the secure architecture implementations.

“FETT challenged performers and greatly matured the architectures in development,” Rebello said. “Several of the research teams were driven to document the use and benefits of their security frameworks in a rigorous and understandable way, which will ultimately help third parties understand and adopt these secure processors for operational use. Further, the FETT bug reports provided actionable information that is helping to drive Phase 3 development on SSITH.”