In its search for hardware solutions to cyberintruders, the Defense Advanced Research Projects Agency (DARPA) awarded a $3.6 million grant to the University of Michigan. The grant funds a team of UM computer scientists and engineers who are developing Morpheus, a new approach to hardware design capable of creating an unhackable computer.
The Morpheus grant is one of several DARPA awarded in a search for hardware cybersecurity solutions in April 2017. The grant program is part of DARPA’s System Security Integrated Through Hardware and Firmware (SSITH) initiative. Despite its Star Wars-sounding name, SSITH is real, serious, and of vital importance today. Software security solutions don’t cut it anymore.
“Security for electronic systems has been left up to software until now, but the overall confidence in this approach is summed up in the sardonic description of this standard practice as ‘patch and pray,’” said Linton Salmon, SSITH program manager from DARPA’s Microsystems Technology Office.
What we need, according to Salmon, is smarter hardware. “This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software.”
Morpheus team leader Todd Austin claims the project will be future proof. MORPHEUS hardware design concepts center around constant data movement. Information is moved and destroyed randomly and rapidly. If a would-be cyberintruder discovers a bug or a weakness in the design, by the time the intruder designs a way to attack and take over the system the data is no longer in its original location.
“We are making the computer an unsolvable puzzle,” Austin said. “It’s like if you’re solving a Rubik’s Cube and every time you blink, I rearrange it.”
According to Austin, if hackers can’t retrieve the information required to put together an attack, the result is protection for both hardware and software.
DARPA wants protection against seven major classes of hardware weakness within five years. The classes are permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection.
According to UM’s Austin, when Morpheus is fully developed the program will be able to make those classes of attacks impossible.