DARPA aims to block hardware attacks at the source and reduce the need for software patches and has turned to a new microprocessor design to help achieve that goal.
DARPA first announced the project, dubbed SSITH, in 2017 and Dr. Linton Salmon, program manager in the microsystems technology office at DARPA, presented the project and the first prototype chip at this year’s DEF CON event in Las Vegas. He admitted he had to force the naming of the project — System Security Integration Through Hardware and Firmware — to fit the SSITH acronym.
According to Salmon, DARPA has six teams working on 15 different SSITH prototypes using open source RISC-V cores and ranging from low-end IoT devices up to high-end systems.
“The goal of the program is to provide security against hardware vulnerabilities that are exploited through software [and] to increase security throughout the microelectronics enterprise, whether you’re talking about small IoT devices or you’re talking about a high-performance computing system that costs hundreds of millions of dollars,” Salmon said.
He added that the reason why software was given responsibility for security was likely a function of how quickly technology iterates, but said that just asking software to handle security is “inappropriate.”
“Right now we’re doing patch and pray. If there’s a software weakness that exploits a hardware vulnerability — like buffer overflow — if there’s a patch, you go on the Common Vulnerabilities and Exposures [CVE] index at NIST and it’s ‘This is the attack on that software, and here’s the patch to fix it,’” Salmon said. “The problem is someone finds another way through that same software to exploit that same hardware weakness, and they do it again. Now you get another software patch. And each time you get a software patch, of course there’s this period between the time it’s actually employed for people to break in.”
The main example of this during Salmon’s talk was buffer overflow, which he said has been a problem for more than 20 years. The goal of SSITH, he said, is to block buffer overflow and other attacks that exploit hardware weaknesses at the source and reduce the need for software patches for flaws caused by underlying hardware issues.
“We are trying to make an important step forward in how to make electronic systems secure,” Salmon said. “We address the hardware vulnerabilities at their source and reduce the attack surface from thousands of independent software patches to a few basic hardware approaches.”
Salmon was careful to note that despite presenting SSITH at the DEF CON Voting Village, the purpose of SSITH is “not to make a secure election system” partially because that’s not DARPA’s mission, but also because the goal is much more broad.
DARPA felt the Voting Village would be a good place for a demonstration because it would be a popular open forum with a large interested audience, and because elections are “a critical national infrastructure.” Salmon added that DARPA also brought SSITH to DEF CON because the only way to know the device was secure was to put it out into the world for others to try to break.
“We appreciate the time and effort you will take in breaking our hardware,” Salmon said. However, a DARPA representative in the Voting Village Hacking area said at the end of the first day that no one had attempted to attack the SSITH. It is unclear if anyone attempted an attack during DEF CON.
DARPA and Voting Village representatives have not responded to requests for comment at the time of this post.
At this point in the SSITH program, DARPA has only developed prototypes of the low-end chip to test, but Salmon said the hope was to come back to DEF CON with more prototypes in the future.
At the end of the SSITH program, DARPA hopes the prototype designs and frameworks it develops using open source hardware, including RISC-V processors, will be adopted by other manufacturers in order to help make devices more secure.
Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., said DARPA’s academic pursuit was interesting but he had doubts around SSITH’s implementation and adoption.
“This isn’t the first academic project to claim their customized hardware would block attacks. The performance overhead on hardware solutions has traditionally been pretty poor,” Williams told SearchSecurity. “As a corollary, shadow stacks were introduced [around] 2001 and still aren’t being used, despite not requiring special hardware and having a much lower performance overhead. They also completely eliminate practical buffer overflow exploitation on the stack.”
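The mechanism Williams is referring to, as an added example written for this page (it is not code from DARPA, the SSITH program or Williams): a simulated stack frame whose 16-byte local buffer is filled by an unbounded, strcpy-style copy, so that the saved return address is overwritten, shown beside a bounded copy and a software shadow-stack check performed on return. The frame layout, the addresses and the attacker string are all constructed assumptions; real exploitation would also have to get past stack canaries, ASLR and non-executable stacks, which this simulation deliberately leaves out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout of one frame inside a byte-array "stack": a 16-byte local
 * buffer sits below the saved frame pointer and the return address, as a
 * typical x86-64 compiler would place them. All addresses are illustrative. */
#define STACK_SIZE   64
#define BUF_OFF      0
#define BUF_SIZE     16
#define SAVED_FP_OFF 16
#define RET_OFF      24
#define GOOD_RET     0x0000000000401000ULL   /* hypothetical caller address */
#define SHADOW_DEPTH 8

typedef struct {
    uint8_t  mem[STACK_SIZE];        /* the writable stack an overflow can reach */
    uint64_t shadow[SHADOW_DEPTH];   /* protected copy of return addresses */
    int      shadow_top;
} machine_t;

typedef struct {
    uint64_t target;     /* address a "ret" would transfer control to */
    bool     shadow_ok;  /* did the shadow-stack check accept it? */
} result_t;

static uint64_t read_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* "call": lay down the frame and push the return address on the shadow stack. */
static void sim_call(machine_t *m, uint64_t ret) {
    uint64_t fp = 0x00007ffc00000100ULL;   /* hypothetical saved frame pointer */
    memset(m->mem, 0, sizeof m->mem);
    memcpy(m->mem + SAVED_FP_OFF, &fp, 8);
    memcpy(m->mem + RET_OFF, &ret, 8);
    m->shadow[m->shadow_top++] = ret;
}

/* Vulnerable callee: strcpy-style copy that never checks the 16-byte buffer.
 * Only the simulated stack's own end is respected, so the demo stays in bounds. */
static void vuln_copy(machine_t *m, const char *input) {
    size_t n = strlen(input);
    if (n > STACK_SIZE - 1) n = STACK_SIZE - 1;
    memcpy(m->mem + BUF_OFF, input, n + 1);
}

/* Hardened callee: bounded copy, always NUL-terminated, never leaves buf. */
static void safe_copy(machine_t *m, const char *input) {
    strncpy((char *)m->mem + BUF_OFF, input, BUF_SIZE - 1);
    m->mem[BUF_OFF + BUF_SIZE - 1] = '\0';
}

/* "ret" with a shadow stack: the frame's return address is compared with the
 * protected copy; any mismatch is a control-flow violation. */
static bool sim_ret_shadow(machine_t *m, uint64_t *target) {
    uint64_t expected = m->shadow[--m->shadow_top];
    *target = read_u64(m->mem + RET_OFF);
    return *target == expected;
}

/* Runs one call / copy / ret sequence on the given input. */
static result_t run(const char *input, bool hardened) {
    machine_t m = {0};
    result_t r;
    sim_call(&m, GOOD_RET);
    if (hardened) safe_copy(&m, input); else vuln_copy(&m, input);
    r.shadow_ok = sim_ret_shadow(&m, &r.target);
    return r;
}

/* Constructed attacker input: 16 bytes fill buf, 8 clobber the saved frame
 * pointer, the last 8 overwrite the return address with 0x4141414141414141. */
static const char ATTACK[] =
    "AAAAAAAAAAAAAAAA" "BBBBBBBB" "\x41\x41\x41\x41\x41\x41\x41\x41";

int main(void) {
    struct { const char *name; const char *in; bool hardened; } cases[] = {
        { "benign input, unbounded copy", "hello", false },
        { "attack input, unbounded copy", ATTACK,  false },
        { "attack input, bounded copy",   ATTACK,  true  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        result_t r = run(cases[i].in, cases[i].hardened);
        printf("%-29s -> ret 0x%016llx, shadow stack %s\n", cases[i].name,
               (unsigned long long)r.target, r.shadow_ok ? "ok" : "MISMATCH");
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall shadow_demo.c && ./a.out`. The second case is the "practical buffer overflow exploitation on the stack" Williams mentions: the unbounded copy silently replaces the return address, and only the shadow-stack comparison notices. The third case shows the software fix at the copy itself. A hardware shadow stack performs the same comparison inside the return instruction rather than in compiler-inserted prologue and epilogue code.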
Beyond the performance questions, Williams was unsure if the market is willing to adopt a custom chip like SSITH.
“We’ve been down this road before. Nobody wants custom chips even if they’re safer. There’s no appetite for custom ‘secure’ processors in the market right now,” Williams said. “The security on the mobile side has been all about secure key storage. Anything that increases overhead simultaneously increases heat and decreases battery life, so I doubt there’s anything there.”