DARPA backs development of "unhackable" Morpheus computer system

Trying to hack the "unhackable" Morpheus system is described as like trying to solve a Rubik's Cube that is constantly being rearranged

Cyberwarfare is a growing problem, with 2017 seeing some of the most devious and far-reaching attacks ever. Public "hackathons" and bounties might help plug some vulnerabilities, but for organizations like the US Department of Defense that won't be enough to protect particularly sensitive information. As part of a US$50-million DARPA program to improve cybersecurity, computer scientists at the University of Michigan are developing a security system baked right into the hardware that its creators say makes it "unhackable."

Cyberattacks hit a new level of mainstream attention back in May, when an unprecedented ransomware worm dubbed "WannaCry" infected over 300,000 computers around the globe. The malware exploited a vulnerability in older versions of the Windows operating system, encrypting files on affected devices and then demanding a ransom be paid in Bitcoin to regain access to the data.

Although the virus was swiftly stamped out within a few days, it managed to disrupt hospitals, police units, banks, and businesses around the world. Barely a month later and the world was struck down by "NotPetya," an apparently Russian virus that wiped data on infected machines.

A screenshot of a computer infected with the WannaCry ransomware

These kinds of attacks are usually made possible by exploiting backdoors in software, and as part of its cybersecurity program DARPA has identified seven classes of hardware weaknesses that, if fixed, would close almost half of those software doors. These vulnerabilities include permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors and code injection, and DARPA aims to completely patch these up within five years.

"Instead of relying on software Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today's software attacks," says Linton Salmon, manager of DARPA's System Security Integrated Through Hardware and Firmware (SSITH) program.

Nine grants have been awarded under the SSITH program, including $3.6 million of funding towards the Michigan team's project, dubbed Morpheus. To keep hackers at bay, the scientists are designing hardware that shunts data around the computer regularly and randomly, destroying past versions as it goes.

It's not just the targeted data that shuffles around, either: the developers say any bug that could be exploited will also be a moving target, as would any passwords. That way, even if attackers manage to find their way to sensitive data once, it'll have moved again before they can properly access it.

"Typically, the location of this data never changes, so once attackers solve the puzzle of where the bug is and where to find the data, it's 'game over,'" says Todd Austin, lead researcher on the Morpheus project. "We are making the computer an unsolvable puzzle. It's like if you're solving a Rubik's Cube and every time you blink, I rearrange it."

Through this mechanism, the scientists say a working Morpheus computer would be able to defend against threats that haven't even been identified yet.
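The moving-target idea described above can be illustrated with a toy simulation. This is an added example, not Morpheus code or the Michigan team's design: the class `ChurnedMemory`, the function `stale_leak_success`, the tick-based clock and all parameter values are assumptions made for illustration. It models a two-step attack (learn where the data is, then use that location some time later) and measures how often the learned location is still valid.

```python
import random

class ChurnedMemory:
    """Toy model (assumption): one secret among `size` slots, moved every `period` ticks."""

    def __init__(self, size, period, rng):
        self.size, self.period, self.rng = size, period, rng
        self.slots = [None] * size
        self.addr = rng.randrange(size)
        self.slots[self.addr] = "SECRET"
        self.clock = 0

    def tick(self, n=1):
        for _ in range(n):
            self.clock += 1
            # period == 0 models a conventional system whose layout never changes
            if self.period and self.clock % self.period == 0:
                self._churn()

    def _churn(self):
        self.slots[self.addr] = None               # destroy the past version
        self.addr = self.rng.randrange(self.size)  # pick a fresh random location
        self.slots[self.addr] = "SECRET"

    def read(self, addr):
        return self.slots[addr]


def stale_leak_success(period, delay, size=1024, trials=2000, seed=1):
    """Fraction of trials in which a location learned at time t still holds
    the secret at time t + delay (the attacker's preparation time)."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    hits = 0
    for _ in range(trials):
        mem = ChurnedMemory(size, period, rng)
        mem.tick(rng.randrange(period or 1))  # attacker arrives at a random phase
        leaked = mem.addr                     # step 1: the location is disclosed
        mem.tick(delay)                       # step 2 needs `delay` ticks to prepare
        hits += mem.read(leaked) == "SECRET"
    return hits / trials


if __name__ == "__main__":
    for label, period in (("static", 0), ("slow churn", 100), ("fast churn", 10)):
        print(f"{label:10s} period={period:3d} -> {stale_leak_success(period, 25):.3f}")
```

In this model the defence only works when the churn period is shorter than the time an attacker needs between learning a location and using it. With a slower churn, a share of attempts still lands inside a single window.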

"What's incredibly exciting about the project is that it will fix tomorrow's vulnerabilities," says Austin. "I've never known any security system that could be future proof."

While the team is quick to label the Morpheus method "unhackable," we can only hope that's not tempting fate like a certain so-called unsinkable ship.

Source: University of Michigan

8 comments
aki009
I'd expect this awesome creation of computerized excellence to likely be just as vulnerable to an inside bad actor as the current systems are...
VincentWolf
Just switch to Linux and problem solved
fb36
I think the real solution is to get away from compiled native executables. That means common desktop operating systems like Windows, Linux, MacOS need to be killed or completely redesigned. For example software security in Android and iPhone is way stronger than Windows, Linux, MacOS, because they only run bytecode using a VM, no native executables (that can run directly on the CPU, out of control of the OS).
Aussie_2017
Interesting idea, however if there is a way to log into it or securely access the information, it means that there's an "immutable path or pattern" to access it. Yes it will be harder to crack but not impossible, like always... nothing is 100% secure. Most invasions today come from acquiring accounts that already exist, or locally installed "softwares" that will pack and transfer information.
Nik
Un-Hackable? Like the Titanic was unsinkable? Only time will tell!
Glen Thompson
This looks like great progress for certain hacks, but unhackable hardware and operating system software will obviously have to be matched by making the human-operator part of the system unhackable too. Simple approaches e.g. two-person-only access will make it harder to hack but still not impossible. This side of the problem will need just as much research.
Vernon Miles Kerr
DARPA developed the Internet to begin with, and as far as security goes, the Internet is a complete POS. I hope DARPA is able to redeem itself by sharing all this work with Internet users.
MBadgero
"The malware exploited a vulnerability in older versions of the Windows operating system, ..."
"Although the virus was swiftly stamped out within a few days, it managed to disrupt hospitals, police units, banks, and businesses around the world."
The best defense is to keep your systems updated. Government agencies are the worst at this; and many businesses see value in hiring cyber defense experts only after they are hacked.