After conducting its first bug bounty program last year, the Defense Advanced Research Projects Agency (DARPA) announced that it is open sourcing the Finding Exploits to Thwart Tampering (FETT) Bug Bounty evaluation platform.
DARPA said its FETT Bug Bounty program “proved the value of the secure hardware architectures developed under [DARPA’s] System Security Integration Through Hardware and Firmware (SSITH) program while pinpointing critical areas to further harden defenses.”
According to DARPA, SSITH is “exploring hardware security architectures and tools that protect electronic systems against common classes of hardware vulnerabilities exploited through software, with the goal of breaking the endless cycle of software patch-and-pray.”
“We see value in making this research available to the broader [research and development] community for testing and evaluating processor designs to ensure they are robust and secure,” said Keith Rebello, the DARPA program manager leading SSITH. “Our aim is for researchers and developers to leverage the SSITH security evaluation framework to help create a common security benchmark that can be used to compare secure processor designs.”
The bug bounty program involved more than 580 cybersecurity researchers and 13,000 hours of hacking exploits. The FETT Bug Bounty was the result of a partnership between DARPA; the Department of Defense’s (DoD) Defense Digital Service, which is a SWAT-style tech team within the DoD; and Synack, a crowdsourced security platform.
Included in the open sourcing of the FETT evaluation platform are the back-end management of emulated systems, like the ones used to test and evaluate the SSITH processors, and the user-facing front-end components. Also available via the open source repository are the evaluation tools used for testing processor power, performance, area, and security, as well as those used for specifying and reasoning about security properties.
In addition to the FETT evaluation platform, DARPA is open sourcing the baseline reduced instruction set computer version five (RISC-V) processor designs used by the SSITH program. DARPA noted that while these designs do not include the SSITH secure architectures, they do “provide a jumping-off point for developers that are exploring novel hardware protections and are interested in a means of evaluating them in a virtual environment.”