Tuesday, December 26th 2017

DARPA Believes the Future of Security to be in Additional Processing Hardware

DARPA seems to be taking to heart engineer and cyber-security experts' opinions that hardware-based security would be the best security. The Defense Advanced Research Agency (DARPA), which has appeared in every other sci-fi war movie, has started its System Security Integrated through Hardware and Firmware (SSITH) program, with an initial kick worth $3.6 million to the University of Michigan. The objective? To develop "unhackable" systems, with hardware-based security solutions that become impervious to most software exploits.

Electrical Engineering and Computer Science (EECS) of the University of Michigan Professor Todd Austin, lead researcher on the project, says his team's approach, currently code-named Morpheus, achieves hack-proof hardware by "changing the internal codes once a second". Austin likens Morpheus' defenses to requiring a would-be attacker to solve a new Rubik's Cube every second to crack the chip's security. In this way, the architecture should provide the maximum possible protection against intrusions, including hacks that exploit zero-day vulnerabilities, or those that cybersecurity experts have yet to discover. Morpheus thereby provides a future-proof solution, Austin said. "This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software," SSITH program manager Linton Salmon of the Agency's Microsystems Technology Office.
This approach is a far cry from the usual "patch and pray" philosophy: "To break this cycle and thwart both today's and tomorrow's software attacks, the SSITH program challenges researchers to design security directly at the hardware architecture level," said Salmon. "Instead of relying on software Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today's software attacks."

The final Morpheus hardware will actually be a hardware version of the Morpheus algorithm that the University of Michigan has already developed, and bases its security chops by constantly changing the location of the protective firmware with hardware - hardware that also constantly scrambles the location of stored, encrypted passwords. A solution that's already being employed in software as of today; however, Austin believes that moving software efforts to a hardware-based solution can eliminate all classes of known vulnerabilities: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection.
Austin said that Morpheus will provide a future-proof solution for cybersecurity, though it's uncertain whether or not this confidence applies to the advent of quantum computing. Whether or not a hardware-solution based on conventional physics is enough to stop a quantum-based computer still remains contested in the field, but DARPA, and the University of Michigan, seem to have their ideas on the subject.
Sources: DARPA, EETimes
Add your own comment

6 Comments on DARPA Believes the Future of Security to be in Additional Processing Hardware

#1
FordGT90Concept
"I go fast!1!11!1!"
In other words, a government sanctioned version of Intel Management Engine/AMD Secure Technology. I wouldn't be surprised if the vulnerabilities in those is what spurred DARPA to create this program.
Posted on Reply
#2
lexluthermiester
FordGT90Concept
In other words, a government sanctioned version of Intel Management Engine/AMD Secure Technology. I wouldn't be surprised if the vulnerabilities in those is what spurred DARPA to create this program.
What they need is a platform built form the ground up that is code-compatible, but not code-dependent or code-vulnerable with current systems. Perhaps using a trinary code set instead of binary.

The real future of data security is, ironically, in the past. Data systems of critical concern need to be taken offline permanently and the feed and reteival information completely manual after strict vetting.
Posted on Reply
#3
Fourstaff
lexluthermiester
Data systems of critical concern need to be taken offline permanently and the feed and reteival information completely manual after strict vetting.
Once you take data offline, it becomes quite a hassle to access on a regular basis though. I would very much like to see a secure system with the convenience of accessing it almost instantly.
Posted on Reply
#4
lexluthermiester
Fourstaff
Once you take data offline, it becomes quite a hassle to access on a regular basis though. I would very much like to see a secure system with the convenience of accessing it almost instantly.
That would be nice. The reality though is that anytime you connect anything to the internet, it becomes inherently insecure to some degree. A completely isolated system might be cumbersome, but it is unhackable unless you are physically present, a condition which can be strictly controlled. An alternate solution is to have scheduled connection access, IE a system which is only connected at scheduled times and is then physically disconnected after. Or variation of that, a system which can be connected "on-demand" whereby those with clearence to connect and access use a form of secured communication to request connection, do the work needed and then disconnect upon completion.
Posted on Reply
#5
_JP_
Hardware-based security also means hardware-based exploits/backdoors like we've seen with Intel's ME recently (and with various SoCs).
Allegations like "provides a future-proof solution" must always be said to secure funding, but have been rendered null since forever because such is the nature of technology (be it security or feature-wise).
It might provide some level of novel security over what exists right now, be government approved and whatever, but not making it air-gapped alone makes it fully vulnerable, for example.
Also, no software patching means hardware revisions and field replacements. I'm sure the USA's government (or any other) funding can take care of that... :rolleyes:
Posted on Reply
#6
R-T-B
FordGT90Concept
In other words, a government sanctioned version of Intel Management Engine/AMD Secure Technology. I wouldn't be surprised if the vulnerabilities in those is what spurred DARPA to create this program.
That's my first thought.

Unless they fully release the ASIC hardwares FPGA source, I won't trust it. And even then, I'm skeptical that's what's getting put in the chip.
Posted on Reply