The Defense Advanced Research Projects Agency (DARPA) has finalized the results of a recent bug bounty event that tested the effectiveness of new hardware- and firmware-based security technologies. Initially, the bug bounty was set up to evaluate the hardware architectures developed under DARPA’s System Security Integration Through Hardware and Firmware (SSITH) program.
The SSITH program aims to develop security architectures and tools that prevent exploitation of common types of hardware vulnerability that can be reached through software. Researchers from Synack, a crowd-sourced security platform, performed the penetration tests on SSITH technologies. The Finding Exploits to Thwart Tampering (FETT) bounty discovered 10 vulnerabilities across 980 processors developed under DARPA’s SSITH program. The ten comprised seven critical and three high-severity vulnerabilities, with most of the critical ones arising from interactions between the SSITH hardware, SSITH firmware and the operating system software.
Researchers are still working on the final phase of the SSITH program, with the objective of developing tested technologies with bolstered security that will ensure protection against all of the weaknesses in the seven CWE hardware vulnerability classes that SSITH is focused on.