DARPA’s First Bug Bounty Program Highlights Security Successes, Weaknesses

The Defense Advanced Research Projects Agency (DARPA) announced that its first bug bounty program has “proved the value of the secure hardware architectures developed under [DARPA’s] System Security Integration Through Hardware and Firmware (SSITH) program while pinpointing critical areas to further harden defenses.”

The Finding Exploits to Thwart Tampering (FETT) Bug Bounty, which was held from July to October of last year, involved more than 580 cybersecurity researchers and 13,000 hours of hacking exploits. The FETT Bug Bounty was the result of a partnership between DARPA, the Department of Defense’s Defense (DoD) Digital Service (DDS), which is a SWAT-style team within the DoD, and Synack, a crowdsourced security platform.

During the bug bounty, more than 980 SSITH processors were tested and 10 valid vulnerabilities were discovered across all of the secure architecture implementations. Seven of the vulnerabilities were considered “critical” and three were considered “high” by Common Vulnerability Scoring System 3.0 standards.

Despite some vulnerabilities being detected, DARPA viewed the bug bounty as a resounding success.

“Knowing that virtually no system is unhackable, we expected to discover bugs within the processors but FETT really showed us that the SSITH technologies are quite effective at protecting against classes of common software-based hardware exploits,” said Keith Rebello, the DARPA program manager leading SSITH and FETT.

“The majority of the bug reports did not come from exploitation of the vulnerable software applications that we provided to the researchers, but rather from our challenge to the researchers to develop any application with a vulnerability that could be exploited in contradiction with the SSITH processors’ security claims. We’re clearly developing hardware defenses that are raising the bar for attackers,” he added.

The SSITH program is a three-phase initiative to develop security architectures and tools that protect electronic systems against common classes of hardware vulnerabilities exploited through software, DARPA explained in a press release. DARPA further noted that a majority of the critical vulnerabilities identified during FETT resulted in weaknesses introduced by interactions between the SSITH hardware, SSITH firmware, and the operating system software. “This signals that there is an opportunity to investigate approaches for hardware/software co-design and verification approaches that span the hardware-firmware-software boundary to better secure the system,” DARPA said.

Patching was already underway during the bug bounty, with four of the discovered vulnerabilities being patched and validated by the SRT. DARPA said the SSITH research teams are expected to mitigate the remaining vulnerabilities during the ongoing third phase of the program.