Summary
After three months of reviewing more than 13,000 hours of hacking labor conducted by more than 580 cybersecurity researchers, DARPA announced on January 28, 2021, that its Finding Exploits to Thwart Tampering (FETT) Bug Bounty validated the security-enhancing efficacy of newly designed hardware architectures developed under the agency’s System Security Integration Through Hardware and Firmware (SSITH) program. The exercise also pinpointed critical areas to further harden defenses.
From July to October 2020, DARPA held its first-ever bug bounty program – a crowdsourced, red team exercise used to evaluate and analyze a technology’s defenses. DARPA partnered on this effort with the Department of Defense’s Defense Digital Service (DDS)—a self-described SWAT team within the DoD—and Synack, a crowdsourced security platform. More than 980 SSITH processors were tested by Synack’s existing community of researchers, and 10 valid vulnerabilities were discovered across all of the secure architecture implementations.
FETT leveraged Synack’s penetration-testing process to conduct the bug bounty and facilitate communications about the discovered weaknesses.
“Knowing that virtually no system is unhackable, we expected to discover bugs within the processors but FETT really showed us that the SSITH technologies are quite effective at protecting against classes of common software-based hardware exploits,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. “We’re clearly developing hardware defenses that are raising the bar for attackers.”
This program is now complete.
This content is available for reference purposes. This page is no longer maintained.