MORPHEUS, a computer chip developed by computer science researchers at the University of Michigan in Ann Arbor, has defeated more than 500 hackers invited by the school to find its vulnerabilities.
The chip weathered a three-month virtual program the Defense Advanced Research Projects Agency (DARPA) dubbed the Finding Exploits to Thwart Tampering (FETT) Bug Bounty without a single successful attack. Bug bounty programs by organizations or software developers offer compensation or other incentives to individuals who can find and report bugs or vulnerabilities in their systems.
More than 500 cybersecurity researchers were offered tens of thousands of dollars to analyze and break into MORPHEUS and three other secure processor technologies.
DARPA partnered with the Department of Defense’s Defense Digital Service and Synack, a crowdsourced security platform, to conduct FETT, which ran from June through August 2020. The program also tested technologies from MIT, Cambridge University, Lockheed Martin, and nonprofit tech institute SRI International.
The U-M team achieved its results by abandoning a cornerstone of traditional computer security — finding and eliminating software bugs, says team leader Todd Austin, a U-M professor of computer science and engineering. MORPHEUS works by reconfiguring key bits of its code and data dozens of times per second, turning any vulnerabilities into dead ends for hackers.
“Imagine trying to solve a Rubik’s Cube that rearranges itself every time you blink,” Austin says. “That’s what hackers are up against with MORPHEUS. It makes the computer an unsolvable puzzle.”
MORPHEUS has previously proven itself in the lab, but the FETT Bug Bounty marks the first time that it was exposed to a group of skilled cybersecurity researchers from around the globe. Austin says its success is further proof that computer security needs to move away from its traditional bugs-and-patches paradigm.
“Today’s approach of eliminating security bugs one by one is a losing game,” he says. “Developers are constantly writing code, and as long as there is new code, there will be new bugs and security vulnerabilities. With MORPHEUS, even if a hacker finds a bug, the information needed to exploit it vanishes within milliseconds. It’s perhaps the closest thing to a future-proof secure system.”
For FETT, the MORPHEUS architecture was built into a computer system that housed a mock medical database. Computer experts were invited to try to breach it remotely. MORPHEUS was the second-most popular target of the seven processors evaluated.
Even though it presents a fortress to attackers, Austin says MORPHEUS is transparent to software developers and end users. This is because it focuses on randomizing bits of data known as “undefined semantics,” which are nooks and crannies of the computing architecture — the location, format, and content of program code. They’re part of a processor’s most basic machinery, and legitimate programmers don’t generally interact with them. But hackers can reverse-engineer them to uncover vulnerabilities.
The MORPHEUS chip protects undefined semantics through what Austin calls “encryption and churn.” Encryption randomizes the important undefined semantics that hackers need to launch a successful attack, and churn re-randomizes them while the system is running. This puts attackers in a race against the clock to discover the information that they need. Austin says that the churn rate is normally kept low to keep system performance high. But when a would-be hacker exercises an undefined semantic in an attempted attack, the churn rate spikes, stopping attackers in their tracks.
MORPHEUS participated in the FETT Bug Bounty as part of DARPA’s System Security Integration Through Hardware and Firmware program, designed to develop technologies that protect electronic systems against common classes of hardware vulnerabilities exploited through software. While its participation in that program has ended, MORPHEUS is continuing to advance through Agita Labs, a U-M spinoff company founded by Austin and Valeria Bertacco, a U-M professor of computer science and engineering.
“I’m excited to see how MORPHEUS evolves now that it has proven itself in FETT and as security becomes a more and more pressing challenge in the tech world,” Austin says. “We are adapting the technology to protect the most sensitive data in the cloud, including medical and genomic data, biometrics, and financial credentials.”