Trying to hack the “unhackable” Morpheus system is described as like trying to solve a Rubik’s Cube that is constantly being rearranged
[signature-free security!! — TJACK]
Engineers have designed a computer processor that thwarts hackers by randomly changing its microarchitecture every few milliseconds. Known as Morpheus, the puzzling processor has now aced its first major tests, repelling hundreds of professional hackers in a DARPA security challenge.
In 2017, DARPA backed the University of Michigan’s Morpheus project with US$3.6 million in funding, and now the novel processor has been put to the test. Over four months in 2020, DARPA ran a bug bounty program called Finding Exploits to Thwart Tampering (FETT), pitting 525 professional security researchers against Morpheus and a range of other processors.
The goal of the program was to test new hardware-based security systems, which could protect data no matter how vulnerable the underlying software was. Morpheus was mocked up to resemble a medical database, complete with software vulnerabilities – and yet, not a single attack made it through its defenses.
There’s basically no such thing as bug-free software, and in many cases these bugs can be exploited by hackers. Software developers will usually patch them up when they find them, but that often doesn’t happen until after an attack, and hackers will just move on to the next vulnerability. The cycle continues in a never-ending arms race between hackers and developers.
More recently, computer scientists are realizing that hardware can play an important role in security. To design a piece of malware, hackers need to understand the microarchitecture of a processor, so they can figure out where to inject their malicious code. Locking down the system at the hardware level could potentially end the arms race once and for all.
That was the design philosophy behind Morpheus. Essentially, the processor starts by encrypting key information, such as the location, format and content of data. But that’s not enough on its own – a dedicated hacker could still crack that code within a few hours.
And that’s where Morpheus gets clever – the system shuffles that encryption randomly every few hundred milliseconds. That way, even if a hacker somehow manages to get a picture of the entire processor, it’ll completely change before they have a chance to act on it.
“Imagine trying to solve a Rubik’s Cube that rearranges itself every time you blink,” says Todd Austin, lead researcher on the Morpheus project. “That’s what hackers are up against with Morpheus. It makes the computer an unsolvable puzzle.”
Importantly, this difficulty doesn’t apply to programmers or users, because the shuffling happens at a level that legitimate users of the system don’t directly interact with.
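The encrypt-then-reshuffle idea described above can be sketched as a toy model. This is an added example, not Morpheus code: XOR stands in for the real cipher, a fixed-seed xorshift generator stands in for a hardware random source, and the names (`churn`, `enc_ptrs`, `sample_plain`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model only: XOR is a stand-in cipher, xorshift64 a stand-in RNG. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;   /* constructed seed */
static uint64_t next_key(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return rng_state;                /* never repeats the previous value */
}

#define NPTRS 4
/* Constructed sample "pointer" values the legitimate program holds. */
static uint64_t sample_plain[NPTRS] = {0x1000, 0x2040, 0x7fff0010, 0x400abc};
static uint64_t key;                 /* current epoch's key */
static uint64_t enc_ptrs[NPTRS];     /* pointers are only ever stored encrypted */

/* Decrypt with the current key, as the hardware would on a legitimate use. */
static uint64_t decode(uint64_t enc) { return enc ^ key; }

static void init(const uint64_t *plain) {
    key = next_key();
    for (int i = 0; i < NPTRS; i++) enc_ptrs[i] = plain[i] ^ key;
}

/* Churn: choose a fresh key and re-encrypt every live pointer under it.
   The program keeps working; anything copied out earlier goes stale. */
static void churn(void) {
    uint64_t new_key = next_key();
    for (int i = 0; i < NPTRS; i++)
        enc_ptrs[i] = (enc_ptrs[i] ^ key) ^ new_key;
    key = new_key;
}

/* Model a disclosure: copy an encrypted pointer, let one churn happen,
   then report whether the stale copy still decodes to its old target. */
static int stale_leak_still_valid(int slot, uint64_t plain_target) {
    uint64_t leaked = enc_ptrs[slot];
    churn();
    return decode(leaked) == plain_target;
}

int main(void) {
    init(sample_plain);
    int stale = stale_leak_still_valid(1, sample_plain[1]);
    printf("legitimate decode after churn: %#llx\n",
           (unsigned long long)decode(enc_ptrs[1]));
    printf("stale leaked value still usable: %d\n", stale);
    return 0;
}
```

The in-memory pointer survives the churn because it is re-encrypted in place, while the copy taken before the churn no longer decodes to a meaningful location.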
The main side effect is that Morpheus apparently runs about 10 percent slower than an otherwise equivalent system would, but that’s a pretty good trade-off for a virtually unhackable processor. Plus, the team says that further refinement could speed the system up.
With its tough shell now proven, the Morpheus team says that the next steps for the project are to adapt the technology to try to protect data in the cloud.
DARPA backs development of “unhackable” Morpheus computer system
Cyberwarfare is a growing problem, with 2017 seeing some of the most devious and far-reaching attacks ever. Public “hackathons” and bounties might help plug some vulnerabilities, but for organizations like the US Department of Defense that won’t be enough to protect particularly sensitive information. As part of a US$50-million DARPA program to improve cybersecurity, computer scientists at the University of Michigan are developing a security system baked right into the hardware that its creators say makes it “unhackable.”
Cyberattacks hit a new level of mainstream attention back in May 2017, when an unprecedented ransomware worm dubbed “WannaCry” infected over 300,000 computers around the globe. The malware exploited a vulnerability in older versions of the Windows operating system, encrypting files on affected devices and then demanding a ransom be paid in Bitcoin to regain access to the data.
Although the virus was swiftly stamped out within a few days, it managed to disrupt hospitals, police units, banks, and businesses around the world. Barely a month later, the world was struck down by “NotPetya,” an apparently Russian virus that wiped data on infected machines.
These kinds of attacks are usually made possible by exploiting backdoors in software, and as part of its cybersecurity program DARPA has identified seven classes of hardware weaknesses that, if fixed, would close almost half of those software doors.
These vulnerabilities include permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors and code injection, and DARPA aims to completely patch these up within five years.
“Instead of relying on software Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today’s software attacks,” says Linton Salmon, manager of DARPA’s System Security Integrated Through Hardware and Firmware (SSITH) program.
Nine grants have been awarded under the SSITH program, including $3.6 million of funding towards the Michigan team’s project, dubbed Morpheus. To keep hackers at bay, the scientists are designing hardware that shunts data around the computer regularly and randomly, destroying past versions as it goes.
It’s not just the targeted data that shuffles around, either: the developers say any bug that could be exploited will also be a moving target, as would any passwords. That way, even if attackers manage to find their way to sensitive data once, it’ll have moved again before they can properly access it.
“Typically, the location of this data never changes, so once attackers solve the puzzle of where the bug is and where to find the data, it’s ‘game over,’” says Todd Austin, lead researcher on the Morpheus project. “We are making the computer an unsolvable puzzle. It’s like if you’re solving a Rubik’s Cube and every time you blink, I rearrange it.”
Through this mechanism, the scientists say a working Morpheus computer would be able to defend against threats that haven’t even been identified yet.
“What’s incredibly exciting about the project is that it will fix tomorrow’s vulnerabilities,” says Austin. “I’ve never known any security system that could be future proof.”
While the team is quick to label the Morpheus method “unhackable,” we can only hope that’s not tempting fate like a certain so-called unsinkable ship.
Source: University of Michigan