This article is more than 1 year old

The FETT seeks to defeat SSITH defenses as US military goes hard on bug bounties and its Star Wars issues

DARPA seeks a few good hackers

Two years ago, the US Defense Advanced Research Project Agency introduced a hardware security program called System Security Integration Through Hardware and Firmware, or SSITH.

Having evaded a trademark challenge from Disney's lawyers, DARPA is ready to test the kit modifications coming out of that program against hackers. On Monday, the exploratory tech arm of the Defense Department said it had partnered with the DoD's Defense Digital Service and private sector vendor Synack to run the Finding Exploits to Thwart Tampering Bug Bounty, or FETT.

Students of Star Wars may recall that Boba Fett's father Jango was hired by Sith Lord Darth Tyranus; for everyone else, the US government's nod to Star Wars rather than Star Trek tells you everything you need to know about those running the federal show.

SSITH was launched to help eliminate various common vulnerabilities associated with hardware, specifically seven classes of vulnerabilities described by the Common Weakness Enumeration (CWE) scheme, like buffer errors and privilege escalation flaws.

FETT, DARPA's first ever bug bounty program, aims to test proposed mitigations through an invitation-only red team hacking exercise that promises to pay out an undisclosed amount.

"The FETT Bug Bounty is a unique take on DARPA's more traditional program evaluation efforts," said Keith Rebello, the DARPA program manager leading SSITH and FETT, in a statement.

DOor to a bank vault. Photo by Shutterstock

DARPA seeks SSITH lords to keep hardware from the Dark Side


"FETT will open SSITH's hardware security protections to a global community of ethical researchers with expertise in hardware reverse engineering to detect potential vulnerabilities, strengthen the technologies, and provide a clear path to disclosure."

Hackers participating in the bug hunt will be given access to emulated systems running on AWS EC2 F1 instances. These virtual systems are FPGA-based and consist of a RISC-V core that has been modified to include SSITH hardware security protections.

Applications teed up for attackers include a medical records database system, a password authentication system, and various other software programs including a web-based voter registration system.

Your job, should you be chosen and you choose to accept the invitation, will be to come up with an unanticipated way to break through the SSITH wards, developed by researchers at SRI International, the University of Cambridge, MIT, the University of Michigan, and Lockheed Martin.

That done, you're supposed to disclose your findings to the Feds for the benefit of the public. The point of the program is to improve the security of critical infrastructure and support public trust in the systems used for elections and healthcare.

In an email to The Register, a DARPA spokesperson said that while the agency is not disclosing how much it will pay, Synack has indicated bounties typically range from hundreds of dollars to tens of thousands for very severe vulnerabilities.

The FETT Bug Bounty, to be held in July, is open to members of the Synack Red Team. Those who are not members can try to earn a Technical Assessment "Fast Pass" so they can join SRT for a shot at the SSITH-fortified cloud kit, provided they meet the legal verifications steps.

Would-be participants who are not SRT members are advised to sign up for a Capture-the-Flag qualifying round that's scheduled for next week, June 15-19. ®

More about


Send us news

Other stories you might like