As part of continuously tightening cybersecurity, the research arm of the Pentagon, the Defense Advanced Research Projects Agency (DARPA), has invited white-hat hackers to test its security chip. The aim is to establish a more protected and stable foundation for the chips by subjecting them to a host of attacks before production. The white-hat hackers stand to gain $25,000 from bugs found.
A DARPA program manager, Keith Rebello, had this to say: “We need the researchers to roll their sleeves up and dig into what we’re doing and try to break it.” “At this stage in the program, we want to wring out all the bugs we can”; this can help the industry break a “vicious cycle” of patching vulnerable systems that have already been deployed.
He hopes the computer chips coming out of the hardware program will be commercialized in two to four years.
Software and hardware bug bounties involve separate testing components and techniques. The former are ubiquitous and aren’t hard to sort out, but the latter involve determining how computer chips process data, and the expertise needed in this field is scarce.
This rarity has prompted DARPA to reach out to Synack, a Silicon Valley-based penetration testing company. The bug bounty event is slated for July and will run through September. Synack will test the hackers and filter out the best. Those picked, together with hackers from Synack, will then participate in the program. Synack’s hackers will also examine if the DARPA-backed hardware can impede hacks by revamping current vulnerabilities.
Establishing the goal of the organization, Synack CTO Mark Kuhr told CyberScoop, “It’s not about patching the vulnerabilities, it’s about preventing the exploit.”
To protect the integrity of the chips, the hackers will not be given full access to them; instead, they will attempt to crack systems hosted in a cloud computing network. A voter registration database and COVID-19-related medical records are among the intended targets for the hackers. Those records were selected because of past cases in which Russian hackers broke into Illinois’ voter registration files in 2016 and the various incidents of government spies trying to get coronavirus data.
Two years back, the Spectre and Meltdown vulnerabilities rendered computer chips ineffective. This incident has been a driving force for chip-producing companies like Intel, which have pledged to invest more in security. DARPA, for its part, doesn’t want to take the risk and is working around the clock to avoid the production of flawed chips.
While speaking about the method applied by the agency, Keith added, “The way that we prevent [microprocessors] from doing bad things currently is that we patch the software that is sending them the instructions. We’re just putting Band-Aids [on the problem] … and those Band-Aids can lead to other vulnerabilities and other errors.”
Joe FitzPatrick, an Oregon-based hardware security instructor, said, “The bug bounty program’s success will hinge on its ability to attract people with the talent and time to focus on breaking the DARPA hardware. While there may be thousands of bounty hunters capable of finding software issues, the deep architectural stuff they’re looking for takes a unique skill set.”