Tag Archive for: hackers
Hackers foiled by ‘shape-shifting’ processor
We have developed and tested a secure new computer processor that thwarts hackers by randomly changing its underlying structure, thus making it virtually impossible to hack.
Last summer, 525 security researchers spent three months trying to hack our Morpheus processor as well as others. All attempts against Morpheus failed. This study was part of a program sponsored by the U.S. Defense Advanced Research Program Agency to design a secure processor that could protect vulnerable software. DARPA released the results on the program to the public for the first time in January 2021.
A processor is the piece of computer hardware that runs software programs. Since a processor underlies all software systems, a secure processor has the potential to protect any software running on it from attack. Our team at the University of Michigan first developed Morpheus, a secure processor that thwarts attacks by turning the computer into a puzzle, in 2019.
A processor has an architecture – x86 for most laptops and ARM for most phones – which is the set of instructions software needs to run on the processor. Processors also have a microarchitecture, or the “guts” that enable the execution of the instruction set, the speed of this execution and how much power it consumes.
Hackers need to be intimately familiar with the details of the microarchitecture to graft their malicious code, or malware, onto vulnerable systems. To stop attacks, Morpheus randomizes these implementation details to turn the system into a puzzle that hackers must solve before conducting security exploits. From one Morpheus machine to another, details like the commands the processor executes or the format of program data change in random ways. Because this happens at the microarchitecture level, software running on the processor is unaffected.
A skilled hacker could reverse-engineer a Morpheus machine in as little as a few hours, if given the chance. To counter this, Morpheus also changes the microarchitecture every few hundred…
Super-Secure Processor Thwarts Hackers by Turning a Computer Into a Puzzle
We have developed and tested a secure new computer processor that thwarts hackers by randomly changing its underlying structure, thus making it virtually impossible to hack.
Last summer, 525 security researchers spent three months trying to hack our Morpheus processor as well as others. All attempts against Morpheus failed.
This study was part of a program sponsored by the U.S. Defense Advanced Research Program Agency to design a secure processor that could protect vulnerable software. DARPA released the results on the program to the public for the first time in January 2021.
A processor is the piece of computer hardware that runs software programs. Since a processor underlies all software systems, a secure processor has the potential to protect any software running on it from attack.
Our team at the University of Michigan first developed Morpheus, a secure processor that thwarts attacks by turning the computer into a puzzle, in 2019.
A processor has an architecture – x86 for most laptops and ARM for most phones – which is the set of instructions software needs to run on the processor.
Processors also have a microarchitecture, or the “guts” that enable the execution of the instruction set, the speed of this execution, and how much power it consumes.
Hackers need to be intimately familiar with the details of the microarchitecture to graft their malicious code, or malware, onto vulnerable systems.
To stop attacks, Morpheus randomizes these implementation details to turn the system into a puzzle that hackers must solve before conducting security exploits.
From one Morpheus machine to another, details like the commands the processor executes or the format of program data change in random ways. Because this happens at the microarchitecture level, software running on the processor is unaffected.
A skilled hacker could reverse-engineer a Morpheus machine in as little as a few hours, if given the chance. To counter this, Morpheus also changes the microarchitecture every few hundred milliseconds.
Thus, not only do attackers have to reverse-engineer the microarchitecture, but they have to do it very fast.
With Morpheus, a hacker is confronted with a computer that has never been seen before…
Skilled hackers with good intentions
In the 1983 movie “WarGames,” a young American hacker nearly ends the Cold War by ending the world. That plot resulted in a hit movie that filled the seats, back when people exclusively went to theaters for such excitement.
Kris Johnson, director of the Defense Department’s Vulnerability Disclosure Program (VDP) in the DoD Cyber Crime Center, likes a different kind of hacker-centric plot, although it won’t sell many tickets.
“I totally went and I found vulnerabilities and we secured the system and nothing happened. I don’t know if they’re going to get a Michael Bay explosion movie out of it,” said Johnson on Federal Monthly Insights – Hacker-Powered Security.
Over the years, the DoD has been at the vanguard of ethical hacking and bug bounty programs, in which the good guys find cybersecurity flaws in the department's systems and report them. Those keyboard cowboys have many monikers: ethical hackers, white-hat hackers or security researchers.
“I think that there’s a lot of movement, certainly in what OMB refers to as coordinated vulnerability disclosure, that’s the overall umbrella that covers both your bug bounties and your vulnerability disclosure programs or VDPs,” said Johnson on Federal Drive with Tom Temin. “The big difference is that the bug bounties pay money, while the VDPs pay reputation points.”
Those participating in the VDPs are trying to build “street cred,” Johnson said. The white-hat hackers can build their resumes to impress those who will perhaps, someday, pay them money for their skills.
“Until recently, the policy for VDP, which is how we provide legal safe harbor for the security researchers or ethical hackers, that policy has always been public-facing DoD websites,” Johnson said. “It’s a partnership and we provide that legal safe harbor against the Computer Fraud and Abuse Act, so that they can operate with the understanding that no one’s going to come kick down their door and come after them for either civil or criminal litigation.”
The rules of engagement for the hacker are fairly simple, Johnson said. And in the last five years, there has not…