The FETT seeks to defeat SSITH defenses as US military goes hard on bug bounties and its Star Wars issues

DARPA seeks a few good hackers

Two years ago, the US Defense Advanced Research Projects Agency introduced a hardware security program called System Security Integration Through Hardware and Firmware, or SSITH.

Having evaded a trademark challenge from Disney's lawyers, DARPA is ready to test the kit modifications coming out of that program against hackers. On Monday, the exploratory tech arm of the Defense Department said it had partnered with the DoD's Defense Digital Service and private sector vendor Synack to run the Finding Exploits to Thwart Tampering Bug Bounty, or FETT.

Students of Star Wars may recall that Boba Fett's father Jango was hired by Sith Lord Darth Tyranus; for everyone else, the US government's nod to Star Wars rather than Star Trek tells you everything you need to know about those running the federal show.

SSITH was launched to help eliminate various common vulnerabilities associated with hardware, specifically seven classes of vulnerabilities described by the Common Weakness Enumeration (CWE) scheme, like buffer errors and privilege escalation flaws.

FETT, DARPA's first ever bug bounty program, aims to test proposed mitigations through an invitation-only red team hacking exercise that promises to pay out an undisclosed amount.

"The FETT Bug Bounty is a unique take on DARPA's more traditional program evaluation efforts," said Keith Rebello, the DARPA program manager leading SSITH and FETT, in a statement.

"FETT will open SSITH's hardware security protections to a global community of ethical researchers with expertise in hardware reverse engineering to detect potential vulnerabilities, strengthen the technologies, and provide a clear path to disclosure."

Hackers participating in the bug hunt will be given access to emulated systems running on AWS EC2 F1 instances. These virtual systems are FPGA-based and consist of a RISC-V core that has been modified to include SSITH hardware security protections.

Applications teed up for attackers include a medical records database system, a password authentication system, and various other software programs including a web-based voter registration system.

Your job, should you be chosen and you choose to accept the invitation, will be to come up with an unanticipated way to break through the SSITH wards, developed by researchers at SRI International, the University of Cambridge, MIT, the University of Michigan, and Lockheed Martin.

That done, you're supposed to disclose your findings to the Feds for the benefit of the public. The point of the program is to improve the security of critical infrastructure and support public trust in the systems used for elections and healthcare.

In an email to The Register, a DARPA spokesperson said that while the agency is not disclosing how much it will pay, Synack has indicated bounties typically range from hundreds of dollars to tens of thousands for very severe vulnerabilities.

The FETT Bug Bounty, to be held in July, is open to members of the Synack Red Team. Those who are not members can try to earn a Technical Assessment "Fast Pass" so they can join SRT for a shot at the SSITH-fortified cloud kit, provided they meet the legal verification steps.

Would-be participants who are not SRT members are advised to sign up for a Capture-the-Flag qualifying round that's scheduled for next week, June 15-19. ®
