This report first appeared on CyberScoop.
Pentagon scientists say they could stop 40 percent of current cyberattacks by producing secure computer chips, and on Friday they will explain how at a closed-door meeting of government contractors.
The System Security Integrated Through Hardware and Firmware, or SSITH, program aims “to develop hardware design tools that provide security against hardware vulnerabilities that are exploited through software,” according to a procurement announcement, called a BAA, from the Defense Advanced Research Projects Agency.
The $50 million program is looking initially for research proposals that lay out how those design tools will work and the microchip security architecture they will build. Later phases will involve the building and testing of prototypes and demonstrations that the tools can be scaled for mass production.
Only paradigm-shifting researchers need apply: DARPA says it’s looking for “innovative approaches that enable revolutionary advances in science, devices, or systems. Specifically excluded is research that primarily results in evolutionary improvements to the existing state of practice.”
The idea is to break what SSITH program manager Linton Salmon derisively refers to as the “patch and pray” cycle of fixing vulnerabilities through software updates, even when what’s ultimately being exploited is a security weakness in the hardware.
“This race against ever more clever cyber-intruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software,” said Salmon in a statement, adding the program aimed to develop microchips “that are inherently impervious to software end-runs.”
The Common Weakness Enumeration, or CWE, scheme — a crowd-sourced compendium of security vulnerabilities maintained by government contractor MITRE — lists seven classes of hardware security flaws that can be exploited by hackers. DARPA explains them like this:
- Buffer errors: These happen when software is able to get “inappropriate access to memory.”
- Permissions, privilege and access control: These allow “execution of unauthorized operations in a system.”
- Resource management: These allow attackers “improper access” to resources like memory or processing, or “prevent valid users from gaining access to these resources.”
- Code injection: “This vulnerability allows introduction of malicious code to change the course of execution on the hardware.”
- Information leakage: “Inappropriate access to privileged information in the hardware.”
- Crypto errors: “Inappropriate use and execution of cryptography in hardware.”
- Numeric errors: “Exploitation of improper calculation or conversion of numbers … [to] allow subversion of security critical operational decisions and/or resource management.”
Trying to fix these kinds of hardware-based security flaws by writing better software “merely salves a symptom without addressing the underlying vulnerability,” which remains available for exploitation in some other way, argues Salmon.
“To break this cycle and thwart both today’s and tomorrow’s software attacks, the SSITH program challenges researchers to design security directly at the hardware architecture level,” he said.
“Instead of relying on software Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today’s software attacks,” he concluded. The statement adds, without giving a source, that 40 percent of current cyberattacks rely on one of the seven classes of vulnerabilities.
The BAA says that up to $50 million is available for the program, adding that “Multiple awards are anticipated. The amount of resources made available … will depend on the quality of the proposals received and the availability of funds.”
However large or small the awards, the agency will make them in three phases. The first, 15 months long, will begin this fall. By its end, awardees must demonstrate total protection against at least three classes of vulnerability. Those that do will be eligible for the second and third phases, each a year long, at the end of which they must show total protection against, respectively, five and then all seven of the classes of vulnerability.
Awardees must build chips that work with existing software and be able to assure security “while maintaining the performance and power required for system operation.” By the end of phase two, they must be ready to demonstrate their tools on real chips that will then be attacked by Pentagon “red teams.”
DARPA scientists are holding their Proposers’ Day Friday so that they can meet prospective proposers — and the proposers can meet each other with an eye to collaborating. “DARPA strongly encourages teaming to meet the goals of the program,” states the announcement.