Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/8/2020
06:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

DARPA Launches Bug Bounty Program

Unlike most crowdsourced vulnerability-hunting projects, this one is targeted at hardware defenses.

The Defense Advanced Research Projects Agency (DARPA) wants white hat hackers to try and find weaknesses in new hardware-level security mechanisms that it has developed over the past few years to protect systems from cyberattacks.

Between July and September this year DARPA, along with crowdsourced security management firm Synack, will host a bug bounty program where researchers from around the world will have an opportunity to take a crack at technologies developed under DARPA's System Security Integration Through Hardware and Firmware (SSITH) effort.

Individuals who qualify for the bug bounty program will be given access to emulated systems running on Amazon's cloud infrastructure. Each emulated system will include SSITH hardware-security controls and run software stacks with known vulnerabilities. Bug hunters who are able to exploit these software vulnerabilities by bypassing DARPA's hardware security mechanisms will be eligible for bounties ranging from thousands- to tends of thousands of dollars.

"SSITH hardware defenses are focused on tackling seven vulnerabilities classes identified by the MITRE Common Weakness Enumeration Specification (CWE) and NIST," says Keith Rebello, program manager, DARPA Microsystems Technology Office (MTO). The vulnerabilities include those that enable exploitation of permissions and privilege in the system architectures, memory errors, information leakage, and code injection.

"We're asking ethical hackers and analysts to disclose weaknesses in the hardware defenses that could lead to exploitation via one of these vulnerability classes," he says.

DARPA launched the SSITH program in 2017 as part of an effort to make it harder for cybercriminals to exploit hardware vulnerabilities through software. The goal is to develop ideas and tools that system-on-chip designers could use to safeguard hardware against all known classes of hardware vulnerabilities, Rebello says.

Organizations that are involved in DARPA's SSITH program include SRI International and the University of Cambridge, the Massachusetts Institute of Technology (MIT), University of Michigan, and Lockheed Martin.

"Under the SSITH program, researchers are exploring a number of different design approaches that go well beyond patching," Rebello says. Some examples include using metadata tagging to detect unauthorized system access and formal methods to guarantee the security characteristics of integrated circuit systems, as well as encryption and secure enclaves for data protection.

To participate in DARPA's Finding Exploits to Thwart Tampering (FETT) Bug Bounty program, security researchers, reverse engineers, and others will first need to get through a Capture the Flag qualifier. Security researchers who are currently not part of Synack's Red Team will need to pass a technical assessment as well.

Reverse-Engineering Skills

Individuals that are selected to participate in the bounty–hunting program will need to have a good understanding of computer architecture and the software stacks that run on them, in addition to the requisite hacking and security skills, Rebelllo says.

"This is a much more hardware-focused activity than most bug bounties," he says. "We are asking FETT participants to hack hardware defenses by using software-based exploits, and expect their expertise to be aligned accordingly."

Researchers will need to understand how SSITH defenses work at the hardware level in order to be able to devise ways around then, he says.

Mark Kuhr, CTO and co-founder of Synack, says the hardware-focused nature of the FETT program is not the only thing that makes it different from typical bug bounties. FETT is not about finding software vulnerabilities but about validating the design of a system that DARPA has built to prevent attacks that take advantage of hardware weaknesses. 

Program participants will likely include hardware and software engineers and those skilled at reverse-engineering, evasion, and writing customized exploit code for various architectures. "It requires a different set of skills, for sure," Kuhr says.

Crowdsourced bug-hunting programs have become a popular way for organizations to find and address security threats in their applications and software. Last year for example, freelance bug-hunters helped the US Air Force identify 54 vulnerabilities in one of its computing environments during a six-week long bug-hunting project. The Air Force ended up paying a relatively small $123,000 in bounties to the researchers who reported the flaws.

Organizations like Synack, HackerOne, and Bugcrowd, which manage bug bounty projects, have reported growing interest in their programs from private and public sector organizations. Investors also have been pouring money into firms managing crowdsourced penetration testing programs. Synack, for instance, has raised more than $111 million from investors so far—including $52 million in its last financing round in May.

Many of these crowdsourced security firms have thousands of freelance hackers from around the world on their roster and have paid out tens of millions of dollars in bug bounties to researchers over the past few years. In fact, HackerOne last month announced that hackers working for it have so far earned over $100 million in total as bounties for finding vulnerabilities in applications and systems belonging to HackerOne's customers.

Related Content:

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...