Last year, DARPA conducted its first bug bounty program – the Finding Exploits to Thwart Tampering (FETT) Bug Bounty – to evaluate hardware protections in development on the System Security Integration Through Hardware and Firmware (SSITH) program. SSITH is exploring hardware security architectures and tools that protect electronic systems against common classes of hardware vulnerabilities exploited through software, with the goal of breaking the endless cycle of software patch-and-pray.
Through FETT, DARPA partnered with the security company Synack to give hundreds of cybersecurity researchers and reverse engineers virtual access to secure SSITH processors to detect weaknesses and vulnerabilities. Key to this effort was the development of a scalable, virtualized platform for remotely testing and evaluating the processor prototypes. Developed by Galois, the platform is a first-of-its-kind infrastructure that provides a means of virtually crowdsourcing the analysis of future processor technologies.