DARPA Bug Bounty Program Seeks to Harden SSITH Hardware Protections

The Defense Advanced Research Projects Agency (DARPA) is running a bug bounty program in an effort to find security vulnerabilities in a new, advanced implementation of the System Security Integration Through Hardware and Firmware (SSITH) program.

DARPA launched SSITH in 2017 to help protect electronic systems from common means of exploitation by addressing the underlying hardware vulnerabilities at the source. With the new bug bounty program, DARPA is looking to harden SSITH hardware security protections in development.

Called Finding Exploits to Thwart Tampering (FETT) Bug Bounty, the program is run in collaboration with the Department of Defense’s Defense Digital Service (DDS) and crowdsourced security platform Synack.

Unlike most bug bounty programs, which focus on software evaluation, FETT is opening hardware instances for Red Teaming. Participating researchers will be provided with access to emulated systems running in the Amazon Web Services (AWS) EC2 F1 cloud.

The FPGA-based emulated systems include a RISC-V processor core that includes the SSTIH-developed hardware security protections. Exploitation of known vulnerabilities expected in the software stack on each emulated system will be prevented through the SSITH protections.

Vulnerabilities will be based on common classes of security weaknesses as identified by the MITRE Common Weakness Enumeration Specification (CWE) and NIST (such as buffer errors, information leakage, resource management, and more), and participating security researchers will need to devise exploit mechanisms to bypass SSITH protections.

As part of the FETT Bug Bounty, researchers will test the implemented SSITH defenses of electronic system application frameworks such as a medical records database system, a password authentication system for personal computers, and several other programs.

A vulnerable web-based voter registration system is also included in the bug bounty program, with the SSITH implementation looking to protect underlying voter information, to demonstrate that it could help keep critical infrastructure secure.

“The FETT Bug Bounty is a unique take on DARPA’s more traditional program evaluation efforts,” Keith Rebello, the DARPA program manager leading SSITH and FETT, said. “FETT will open SSITH’s hardware security protections to a global community of ethical researchers with expertise in hardware reserve engineering to detect potential vulnerabilities, strengthen the technologies, and provide a clear path to disclosure.”

All security researchers, reverse engineers, and ethical hackers looking to participate in FETT are invited to take part in a Capture-the-Flag (CTF) qualifier, where those who are not currently part of the Synack Red Team (SRT) will have the opportunity to earn a Technical Assessment ‘Fast Pass’ to join SRT — the legal verification steps are still required.

The CTF event is schedule to run between June 15 and June 29, 2020. Interested parties can register on this page. Current SRT members who meet the skills criteria will be granted access to the program throughout the life of the engagement.

Related: Tencent Partners With HackerOne for Bug Bounty Program

Related: Zoom Revamps Bug Bounty Program

Related: DARPA Wants Hardware With Built-in Security