For more than two years, the Pentagon’s research arm has been working with engineers to beef up the security of computer chips before they get deployed in weapons systems or other critical technologies.
Now, the research arm — the Defense Advanced Research Projects Agency (DARPA) — is turning the hardware over to elite white-hat hackers who can earn up to $25,000 for bugs they find. The goal is to throw an array of attacks at the hardware so its foundations are more secure before production.
“We need the researchers to really roll their sleeves up and dig into what we’re doing and try to break it,” said Keith Rebello, a DARPA program manager. Hardware hacks often involve identifying vulnerabilities in how a computer chip handles information, like the flaw uncovered in Intel microprocessors in March that could have allowed attackers to run malicious code early in the boot process.
While software bug bounties are ubiquitous in the cybersecurity industry, those focused on hardware are rarer. To find those specialized skills, DARPA is calling in Synack, a Silicon Valley-based penetration testing company that will run a tryout to weed out less-talented hackers. Those who make the cut, along with Synack’s own vetted hackers, will participate in the bug bounty program, which lasts from July to September.
“It’s not about patching the vulnerabilities, it’s about preventing the exploit,” Synack CTO Mark Kuhr told CyberScoop. Among other techniques, Kuhr’s hackers will be modifying existing exploits to see if the DARPA-backed hardware can block them.
The hackers won’t have physical access to the hardware. Instead, they will try to break into systems hosted in cloud computing networks. Among the targets will be a voter registration database and a vault of COVID-19-related medical records. There is plenty of precedent for the software-side of both of those scenarios: Russian hackers had access to Illinois’ voter registration files in 2016, while various governments’ spies have been targeting coronavirus data.
“At this stage in the program, we want to wring out all the bugs we can,” Rebello said. That, he added, can help the industry break a “vicious cycle” of patching vulnerable systems that have already been deployed. He hopes the computer chips coming out of the hardware program can be commercialized in two to four years.
Getting to the root of the problem
One inspiration for the program came more than two years ago, when the Spectre and Meltdown vulnerabilities that affected virtually all modern computer chips were revealed. Since then, chip giants like Intel have pledged to invest more in security, and more researchers have probed hardware designs. But DARPA wants to keep flawed chips from getting made in the first place.
“The way that we prevent [microprocessors] from doing bad things currently is that we patch the software that is sending them the instructions,” Rebello said. “We’re just kind of putting Band-Aids [on the problem] … and those Band-Aids can lead to other vulnerabilities and other errors.”
Joe FitzPatrick, an Oregon-based hardware security instructor, said the bug bounty program’s success will hinge on its ability to attract people with the talent and time to focus on breaking the DARPA hardware.
“While there may be thousands of bounty hunters capable of finding software issues, the deep architectural stuff they’re looking for takes an uncommon skillset,” he said.