DARPA to eliminate “patch & pray” by baking chips with cybersecurity fortification
In an IT world where security software patches seem to be a dime a dozen, the researchers at the Defense Advanced Research Projects Agency want to take a different approach – bake cybersecurity right into the circuitry.
The research outfit will this month detail a new program called System Security Integrated Through Hardware and Firmware (SSITH). One of its major goals is to develop new integrated circuit architectures that lack the current software-accessible points of criminal entry, yet retain the computational functions and high performance the integrated circuits were designed to deliver. Another goal of the program is the development of design tools that would become widely available so that hardware-anchored security would eventually become a standard feature of integrated circuits in both Defense Department and commercial electronic systems, DARPA stated.
“Security for electronic systems has been left up to software until now, but the overall confidence in this approach is summed up in the sardonic description of this standard practice as ‘patch and pray,’” said SSITH program manager Linton Salmon of the Agency’s Microsystems Technology Office in a statement. “This race against ever more clever cyber intruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software.”
Salmon said SSITH specifically seeks to address the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration, a crowd-sourced compendium of security issues that is familiar to the information technology security community. These classes are: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection.
Researchers have documented some 2800 software breaches that have taken advantage of one or more of these hardware vulnerabilities, all seven of which are variously present in the integrated microcircuitry of electronic systems around the world. Remove those hardware weaknesses, Salmon said, and you would effectively close more than 40% of the software doors intruders now have available to them.
The anticipated 39-month SSITH program focuses on two technical areas:
1. The development and demonstration of hardware architectures that protect against one or more of the seven vulnerability classes as well as design tools the electronics community would need for including hardware-based security innovations in their design and manufacturing practices.
2. Developing methodologies and metrics for measuring (and representing for system designers) the security status of the newly designed electronic systems and any tradeoffs the hardware-won security might levy in the form of system performance, power needs and efficiency, circuit area, and other standard circuit features.
The SSITH program is just one of the recent programs DARPA has developed to combat cybercriminals and bolster systems security. For example, the agency’s High-Assurance Cyber Military Systems (HACMS) looks to create technology for the construction of high-assurance cyber-physical systems, where high assurance is defined to mean functionally correct and satisfying appropriate safety and security properties.
DARPA’s Extreme DDoS Defense (XD3) system looks to alter the way the military, public and private enterprises protect their networks from high- and low-speed distributed denial-of-service attacks. The agency has awarded seven multi-million-dollar XD3 contracts to Georgia Tech, George Mason University, Invincea Labs, Raytheon BBN, Vencore Labs and the University of Pennsylvania to radically alter DDoS defenses. One more contract is expected under the program.
And DARPA held its Cyber Grand Challenge last year — a competition that pitted entrants against each other in the classic hacking game Capture the Flag, never before played by programs running on supercomputers.