ARLINGTON, Va. Defense Advanced Research Projects Agency (DARPA) officials launched a new program, System Security Integrated Through Hardware and Firmware (SSITH), that aims to protect against cyber intruders at the hardware architecture and circuit level, rather than relying only on software-based security patches. In a closed-door meeting of government contractors on April 21, the Pentagon scientists showed how the secure computer chips could stop 40 percent of current cyber attacks that are exploited through software.
Nobody's thought of making the chips secure before.
“This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software. The SSITH program will complement DARPA software security efforts like High-Assurance Cyber Military Systems (HACMS) and the Cyber Grand Challenge (CGC) by taking advantage of new technologies to develop integrated circuits that are inherently impervious to software end-runs,” said SSITH program manager, Linton Salmon of the Agency’s Microsystems Technology Office.
America's DARPA reckons too many vulnerabilities arise from hardware design errors, so it wanted experts and boffins to propose better hardware-level security mechanisms. Intel's Software Guard Extensions (SGX) is a favourite target for attack boffins crafting proofs-of-concept against the architecture.
The $50 million program is looking initially for research proposals that lay out how those design tools will work and the microchip security architecture they will build. Later phases will involve the building and testing of prototypes and demonstrations that the tools can be scaled for mass production.
SSITH specifically seeks to address the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration, a crowd-sourced compendium of security issues that is familiar to the information technology security community. In cyberjargon, these classes are permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. Researchers have documented some 2800 software breaches that have taken advantage of one or more of these hardware vulnerabilities, all seven of which are variously present in the integrated microcircuitry of electronic systems around the world.
DARPA says it’s looking for “innovative approaches that enable revolutionary advances in science, devices, or systems.” The strategic challenge for participants in the SSITH program will be to develop new integrated circuit (IC) architectures that lack the current software-accessible points of illicit entry, yet retain the computational functions and high performance the ICs were designed to deliver. They want designers to “limit the permitted hardware to states that are assured to be secure”, without sacrificing performance.
The idea is to break the cycle of fixing vulnerabilities through software updates, even when what’s ultimately being exploited is a security weakness in the hardware.
Another goal of the program is to develop design tools that would become widely available so that hardware-anchored security would eventually become a standard feature of ICs in both Defense Department and commercial electronic systems. The anticipated 39-month program centres on the development and demonstration of hardware architectures and of techniques to measure the security of new hardware designs, including tradeoffs in things like performance, power efficiency, and circuit area.