Cyberwarfare is a growing problem, with 2017 seeing some of the most devious and far-reaching attacks ever. Public "hackathons" and bounties might help plug some vulnerabilities, but for organizations like the US Department of Defense that won't be enough to protect particularly sensitive information. As part of a US$50-million DARPA program to improve cybersecurity, computer scientists at the University of Michigan are developing a security system baked right into the hardware that its creators say makes it "unhackable."
Cyberattacks hit a new level of mainstream attention back in May, when an unprecedented ransomware worm dubbed "WannaCry" infected over 300,000 computers around the globe. The malware exploited a vulnerability in older versions of the Windows operating system, encrypting files on affected devices and then demanding a ransom be paid in Bitcoin to regain access to the data.
Although the virus was stamped out within a few days, it managed to disrupt hospitals, police units, banks, and businesses around the world. Barely a month later, the world was struck by "NotPetya," an apparently Russian virus that wiped data on infected machines.
These kinds of attacks are usually made possible by exploiting backdoors in software, and as part of its cybersecurity program DARPA has identified seven classes of hardware weaknesses that, if fixed, would close almost half of those software doors. The seven classes are permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection, and DARPA aims to completely patch these up within five years.
"Instead of relying on software Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today's software attacks," says Linton Salmon, manager of DARPA's System Security Integrated Through Hardware and Firmware (SSITH) program.
Nine grants have been awarded under the SSITH program, including $3.6 million of funding towards the Michigan team's project, dubbed Morpheus. To keep hackers at bay, the scientists are designing hardware that shunts data around the computer regularly and randomly, destroying past versions as it goes.
It's not just the targeted data that shuffles around, either: the developers say any bug that could be exploited will also be a moving target, as would any passwords. That way, even if attackers manage to find their way to sensitive data once, it'll have moved again before they can properly access it.
"Typically, the location of this data never changes, so once attackers solve the puzzle of where the bug is and where to find the data, it's 'game over,'" says Todd Austin, lead researcher on the Morpheus project. "We are making the computer an unsolvable puzzle. It's like if you're solving a Rubik's Cube and every time you blink, I rearrange it."
Through this mechanism, the scientists say a working Morpheus computer would be able to defend against threats that haven't even been identified yet.
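The moving-target idea described above can be put into a toy model. This is an added example, not code from the Morpheus project; the slot count, probe budget, churn interval and `use_delay` parameter are all assumptions chosen for illustration, and the model treats each re-randomization as uniform and independent.

```python
import random

def exact_success(slots, budget, churn=None, use_delay=0):
    """Chance the attacker both finds and uses the secret within `budget` probes.

    slots     -- locations the secret may occupy (assumed uniform placement)
    churn     -- probes between re-randomizations; None means a static layout
    use_delay -- probes' worth of time needed to act on a located secret
    """
    def epoch_hit(length):
        # A sweep without repeats finds the secret at a uniform position
        # 1..slots; it only counts if use_delay still fits before the move.
        return max(0, min(length - use_delay, slots)) / slots

    if churn is None:
        return epoch_hit(budget)
    full, rest = divmod(budget, churn)
    # Each re-randomization discards everything learned in the prior epoch.
    return 1 - (1 - epoch_hit(churn)) ** full * (1 - epoch_hit(rest))

def simulate(slots, budget, churn=None, use_delay=0, trials=5000, seed=1):
    """Monte Carlo cross-check of exact_success under the same toy model."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        spent = 0
        while spent < budget:
            epoch = budget - spent if churn is None else min(churn, budget - spent)
            found_at = rng.randrange(slots) + 1  # position of secret in the sweep
            if found_at + use_delay <= epoch:
                wins += 1
                break
            spent += epoch
    return wins / trials

if __name__ == "__main__":
    for churn in (None, 64, 16, 8):
        p = exact_success(256, 1024, churn, use_delay=8)
        print(f"churn={churn!s:>4}: P(success) = {p:.3f}")
```

In this model a static layout always falls to a full sweep, and churn only drives the success probability to zero once the interval is no longer than the time the attacker needs to act on what was found; slower churn merely lowers the odds per epoch.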
"What's incredibly exciting about the project is that it will fix tomorrow's vulnerabilities," says Austin. "I've never known any security system that could be future proof."
While the team is quick to label the Morpheus method "unhackable," we can only hope that's not tempting fate like a certain so-called unsinkable ship.
Source: University of Michigan