August 5, 2019 | Local, Security

Hacker Community to Take on DARPA Hardware Defenses at DEF CON 2019

This month, DARPA will bring a demonstration version of a secure voting ballot box equipped with hardware defenses in development on the System Security Integrated Through Hardware and Firmware (SSITH) program to the DEF CON 2019 Voting Machine Hacking Village (Voting Village). The SSITH program is developing methodologies and design tools that enable the use of hardware advances to protect systems against software exploitation of hardware vulnerabilities. To evaluate progress on the program, DARPA is incorporating the secure processors researchers are developing into a secure voting ballot box and turning the system loose for public assessment by thousands of hackers and DEF CON community members.

Many of today's hardware defenses cover very specific instances or vulnerabilities, leaving much open to attack or compromise. Instead of tackling individual instances, SSITH researchers are building defenses that address classes of vulnerabilities. In particular, SSITH is tackling seven vulnerability classes identified by the NIST Common Weakness Enumeration Specification (CWE), which span exploitation of permissions and privilege in the system architectures, memory errors, information leakage, and code injection.

“There are a whole set of cyber vulnerabilities that happen in electronic systems that are at their core due to hardware vulnerabilities – or vulnerabilities that hardware could block,” said Dr. Linton Salmon, the program manager leading SSITH. “Current efforts to provide electronic security largely rely on robust software development and integration, utilizing an endless cycle of developing and deploying patches to the software firewall without addressing the underlying hardware vulnerability. The basic concept around SSITH is to make hardware a more significant participant in cybersecurity, rather than relegating system security only to software.”

Under the SSITH program, researchers are exploring a number of different design approaches that go well beyond patching. These include using metadata tagging to detect unauthorized system access; employing formal methods to reason about integrated circuit systems and guarantee the accuracy of security characteristics; and combining hardware performance counters (HPCs) with machine learning to detect attacks and establish protective fences within the hardware. One team from the University of Michigan is developing a novel security approach that changes the unspecified semantics of a system every 50 milliseconds. Currently, attackers continuously probe a system to locate these undefined sections and, over time, are able to create a system map to identify possible hacks. By changing the construct every 50 milliseconds, attackers do not have enough time to find those weaknesses or develop an accurate representation of the system as a whole.

To evaluate the hardware security concepts in development on the SSITH program, DARPA – working with Galois – is pursuing a voting system evaluation effort to provide a demonstration system that facilitates open challenges. The program elected to use a voting system as its demonstration platform to provide researchers with an accessible application that can be evaluated in an open forum. Further, the topic of election system security has become an increasingly critical area of concern for the hacker and security community, as well as the United States more broadly.

“DARPA focuses on creating technologies to enhance national defense, and election system security falls within that remit. Eroding trust in the election process is a threat to the very fabric of our democracy,” noted Salmon.

While protecting democracy is a critical national defense issue, SSITH is not trying to solve all issues with election system security nor is it working to provide a specific solution to use during elections. “We expect the voting booth demonstrator to provide tools, concepts, and ideas that the election enterprise can use to increase security, however, our true aim is to improve security for all electronic systems. This includes election equipment, but also defense systems, commercial devices, and beyond,” said Salmon.

During DEF CON 2019, the SSITH voting system demonstrator will consist of a set of RISC-V processors that the research teams will modify to include their SSITH security features. These processors will be mounted on field programmable gate arrays (FPGAs) and incorporated into a secure ballot box. Hackers will have access to the system via an Ethernet port as well as a USB port, through which they can load software or other attacks to challenge the SSITH hardware. Since SSITH's research is still in the early stages, only two prototype versions of the 15 processors in development will be available for evaluation.

“At this year's Voting Village, hackers may find issues with the processors and quite frankly we would consider that a success. We want to be transparent about the technologies we are creating and find any problems in these venues before the technology is placed in another venue where a compromise could be more dangerous,” said Salmon.

Following DEF CON 2019, the voting system evaluation effort will go on a university roadshow where additional cybersecurity experts will have an opportunity to further analyze and hack the technology. In 2020, DARPA plans to return to DEF CON with an entire voting system, which will incorporate fixes to the issues discovered during the previous year's evaluation efforts. The 2020 demonstrator will use the STAR-Vote system architecture, which is a documented, open source architecture that includes a system of microprocessors for the voting booth, ballot box, and other components. It also includes a verifiable paper ballot, providing both digital and physical representations of the votes cast within the booth.

“While the 2020 demonstrator will provide a better representation of the full attack surface, the exercise will not result in a deployable voting system. To aid in the advancement of secure election equipment as well as electronic systems more broadly, the hardware design approaches and techniques developed during the SSITH program will be made available to the community as open-source items,” concluded Salmon.

https://www.darpa.mil/news-events/2019-08-01
