US defense research arm asks ethical hackers to help protect its systems

The Defense Advanced Research Projects Agency (DARPA) has launched its first ever bug bounty program focused on addressing hardware vulnerabilities.

DARPA, the research arm of the US Department of Defense, is asking white hat hackers to help strengthen its technology.

The Finding Exploits to Thwart Tampering (FETT) bug bounty will help further develop hardware security protections already in development by the System Security Integration Through Hardware and Firmware (SSITH) program.

DARPA launched SSITH in 2017 as an initiative that addresses security weaknesses at their source, in the hardware itself, rather than relying on software patches applied after the fact.

“The FETT bug bounty program is asking security researchers to devise novel exploit mechanisms capable of bypassing the hardware security protections that were developed under… SSITH,” Keith Rebello, program manager for DARPA, told The Daily Swig.

“The goal is to discover potential weaknesses within the SSITH hardware defenses that could be exploited through these novel methods, and to share those uncovered weaknesses or bugs with DARPA so that they can be addressed in future iterations of the hardware security technologies.”

Synack partnership

The new DARPA bug bounty program, which is being launched in partnership with pen test and vulnerability intelligence platform Synack, will see hackers attack systems hosted in cloud-based networks.

Synack explained that hackers will be given access to emulated systems running on Amazon EC2 F1 instances, including a RISC-V processor core that contains hardware security protections developed through SSITH.

Each system will contain known vulnerabilities that hardware mitigations ought to block.

Hackers will be asked to use zero-day attacks to bypass the security protections in “a diverse set of processor variants, hardware security protection technologies, operating systems, and applications”.


White hats can earn up to $25,000 in the DARPA program, with targets including Covid-19 medical records and electoral voting systems – a topical issue in recent years.

“Among the vulnerable applications found in FETT is a web-based voter registration system,” said Rebello.

“Successful integration of the SSITH hardware protection technologies aims to ultimately protect the underlying voter information from manipulation or disclosure, even in the presence of vulnerabilities in the system's software.

“The goal with this demonstrator, as well as the other application systems, is to show how SSITH technologies could help protect critical infrastructure, and potentially prevent the erosion of trust in things like our election process or healthcare systems.”

Synack will host a Capture the Flag session from June 15-19. Successful participants will earn a fast pass into the FETT program.

The bug bounty program will run from July to September 2020, allowing “ample time” for researchers to test the hardware.

For more information on how to participate, visit the Synack website.
