By turning computer circuits into unsolvable puzzles, a team of engineers at University of Michigan team aims to create unhackable computers with a $3.6 million DARPA grant.
Todd Austin, a UM professor of computer science and engineering, leads the project known as Morpheus. Its cybersecurity approach differs dramatically from today’s, which rely on software patches on vulnerabilities that have already been identified. It’s been called the “patch and pray” model, and it’s less than ideal.
“Instead of relying on software patches to hardware-based security issues, we want to remove those hardware vulnerabilities and disarm a large proportion of today’s software attacks,” says Linton Salmon, manager of DARPA’s System Security Integrated Through Hardware and Firmware program.
Under Morpheus, hardware would randomly move and destroy information to protect hardware and software.
“We are making the computer an unsolvable puzzle,” Austin says. “It’s as if you’re solving a Rubik’s Cube and every time you blink, it gets rearranged.”
In this way, it could protect against future threats that have yet to be identified, a possibility the security industry called a “zero-day exploit.”
“What’s exciting about the project is that it will fix tomorrow’s vulnerabilities,” Austin says. “I’ve never known any security system that could be future proof.”
Austin believes his approach would have protected against the Heartbleed bug discovered in 2014. Heartbleed lets hackers read passwords and other critical information on machines.
“Typically, the location of this data never changes, so once hackers solve the know where the bug is and where to find the data, it’s ‘game over,’” Austin explains.
Under Morpheus, the bug’s location and those of passwords would constantly change. And even if an attacker were quick enough to locate the data, secondary defenses in the form of encryption and domain enforcement would throw up additional roadblocks. The bug would still be there, but it wouldn’t matter. The attacker won’t have the time or the resources to exploit it.
“These protections don’t exist today because they are too expensive to implement in software, but with DARPA’s support we can take the offensive against attackers with new defenses in hardware and implement them with virtually no impact on software,” Austin says.
More than 40% of the “software doors” hackers have access to would be closed if researchers could eliminate seven classes of hardware weaknesses, according to DARPA. The hardware weakness classes are: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. DARPA is aiming to render these attacks impossible within five years. If developed, Morpheus could do it now, according to Austin. Although the complexity required might sound expensive, Austin is confident his team could make it possible at low cost.