Summary
In an imperfect world, the prospect of having a computer, or any bus-based system, that can defend itself from cyber-attacks and recover from one is not just a pipe dream.
DARPA experts say this capability can become a reality by addressing missing forensic data on the bus – a communication system that transfers data between components – and leveraging advancements in Zero Trust.
Many critical systems (e.g., Defense Department vehicles with engine control and power steering modules, and personal computers with memory controllers, graphics processing units, disk controllers, etc.) are bus-based systems of systems with implicitly trusted modular components. Simply detecting a cyber-attack and alerting on it – as most antivirus software does today – does not sufficiently protect the computer system.
Instead, DARPA wants to develop algorithms that construct self-healing systems. Through the Reclaiming Bus-based Systems During Compromise (Red-C) program, the agency will explore retrofitting firmware to add forensic sensing, which refers to the ability to collect and analyze data for investigative purposes, so the various components can monitor each other like a neighborhood watch. The sensing and monitoring for infection would enable on-system detection, repair, and inoculation.
Current threat detection mainly occurs off-system, and monitoring only transactional bus traffic limits the kinds of threats one can find. Red-C’s goal is to produce a collective effect that imposes a cost on the attacker, penalizing the use of an attack, as trying or using the door ensures it is locked next time.
Recently, DARPA performers instrumented components on a seedling effort, creating a dataset that detected 99% of ransomware. Moreover, the data production for that dataset added only 6% additional component computational overhead. Combining the seedling results with prior on-system recovery, such as ransomware remediation of solid-state drives that showed recovery of files for three days, is an indication of the impact the Red-C program will explore.
Red-C will focus on Peripheral Component Interconnect Express (PCIe) and Compute Express Link (CXL), high-speed interface standards that serve as the backbone for attaching peripherals such as graphics cards, solid-state drives (SSDs), network cards, and other devices that require fast data transfer and low latency. The program will result in a prototype with PCIe/CXL bus architectures that shows it’s possible to detect and recover from attacks in near real-time with negligible impact on the available resources of the components and the bus’s bandwidth.
Red-C will also foster a symbiotic community of component developers and algorithm researchers by accurately documenting current algorithmic development in firmware and the remaining open problems.

Resources
- News: Watch out for the bus!
- Presentation: Proposers Day
- bus-watch.org: Red-C development community website

Opportunity
HR001125S0005
Publication: Jan. 29, 2025
Deadline: April 10, 2025