
DARPA Open Sources FETT Bug Bounty Hardware Evaluation Platform, Tools

 

DARPA seeks to enable continued exploration, evaluation of secure hardware architectures developed by broader R&D community

Jun 30, 2021

Last year, DARPA conducted its first bug bounty program – the Finding Exploits to Thwart Tampering (FETT) Bug Bounty – to evaluate hardware protections in development on the System Security Integration Through Hardware and firmware (SSITH) program. SSITH is exploring hardware security architectures and tools that protect electronic systems against common classes of hardware vulnerabilities exploited through software, with the goal of breaking the endless cycle of software patch-and-pray.

Through FETT, DARPA partnered with the security company Synack to give hundreds of cybersecurity researchers and reverse engineers virtual access to secure SSITH processors to detect weaknesses and vulnerabilities. Key to this effort was the development of a scalable, virtualized platform for remotely testing and evaluating the processor prototypes. Developed by Galois, the platform is a first-of-its-kind infrastructure that provides a means of virtually crowdsourcing the analysis of future processor technologies.

To aid researchers developing novel processor prototypes, DARPA is open sourcing the FETT evaluation platform, including the back-end management of emulated systems like the ones used to test and evaluate the SSITH processors and the user-facing front-end components. It is also making the evaluation tools used for testing processor power, performance, area, and security, as well as those used for specifying and reasoning about security properties, available via the open source repository.

“We see value in making this research available to the broader R&D community for testing and evaluating processor designs to ensure they are robust and secure,” said Keith Rebello, the DARPA program manager leading SSITH. “Our aim is for researchers and developers to leverage the SSITH security evaluation framework to help create a common security benchmark that can be used to compare secure processor designs.”

In addition to the FETT evaluation platform, DARPA is open sourcing the baseline RISC-V processor designs used by the SSITH program. These designs do not include the SSITH secure architectures, but provide a jumping-off point for developers that are exploring novel hardware protections and are interested in a means of evaluating them in a virtual environment. The open source repository also contains the tools for instantiating and interacting with the baseline processors on FPGA development boards as well as the Amazon AWS F1 cloud.

“We found significant utility in being able to easily transfer processor designs between benchtop development boards – allowing processors to interact with physical interfaces and externally controlled systems – and cloud-based emulation environments, enabling distributed development and the ability to emulate large numbers of processors simultaneously,” said Rebello. “Through this open-sourcing effort, we hope to afford the same flexibility to those developing new processors.”

To help bring realism to FETT, researchers also developed demonstration platforms that emulate actual electronic systems where SSITH processors could enable critical protections for sensitive data or personally identifiable information (PII). Outside of FETT, DARPA has developed a cyber-physical automotive demonstrator that emulates various electronic control systems found commonly in most cars, such as the entertainment system, steering column, and brakes. The demonstrator versions of these systems are simplified, but still provide realistic platforms to work from. To enable future evaluation efforts while also encouraging continued advancement of the demo systems, DARPA has also open sourced these tools.

The FETT platform, tools, demonstrators, and supporting assets are available via GitHub, https://github.com/GaloisInc/BESSPIN.

 

# # #

 

Media with inquiries should contact DARPA Public Affairs at outreach@darpa.mil

 

Associated images posted on www.darpa.mil and video posted at www.youtube.com/darpatv may be reused according to the terms of the DARPA User Agreement, available here: http://go.usa.gov/cuTXR.

 
