
August 5, 2019 | Local, Security

Hacker Community to Take on DARPA Hardware Defenses at DEF CON 2019

This month, DARPA will bring a demonstration version of a secure voting ballot box equipped with hardware defenses in development on the System Security Integrated Through Hardware and Firmware (SSITH) program to the DEF CON 2019 Voting Machine Hacking Village (Voting Village). The SSITH program is developing methodologies and design tools that enable the use of hardware advances to protect systems against software exploitation of hardware vulnerabilities. To evaluate progress on the program, DARPA is incorporating the secure processors researchers are developing into a secure voting ballot box and turning the system loose for public assessment by thousands of hackers and DEF CON community members.

Many of today's hardware defenses cover very specific instances or vulnerabilities, leaving much open to attack or compromise. Instead of tackling individual instances, SSITH researchers are building defenses that address classes of vulnerabilities. In particular, SSITH is tackling seven vulnerability classes identified by the NIST Common Weakness Enumeration Specification (CWE), which span exploitation of permissions and privilege in the system architectures, memory errors, information leakage, and code injection.

“There are a whole set of cyber vulnerabilities that happen in electronic systems that are at their core due to hardware vulnerabilities – or vulnerabilities that hardware could block,” said Dr. Linton Salmon, the program manager leading SSITH. “Current efforts to provide electronic security largely rely on robust software development and integration, utilizing an endless cycle of developing and deploying patches to the software firewall without addressing the underlying hardware vulnerability. The basic concept around SSITH is to make hardware a more significant participant in cybersecurity, rather than relegating system security only to software.”

Under the SSITH program, researchers are exploring a number of different design approaches that go well beyond patching. These include using metadata tagging to detect unauthorized system access; employing formal methods to reason about integrated circuit systems and guarantee the accuracy of security characteristics; and combining hardware performance counters (HPCs) with machine learning to detect attacks and establish protective fences within the hardware. One team from the University of Michigan is developing a novel security approach that changes the unspecified semantics of a system every 50 milliseconds. Currently, attackers continuously probe a system to locate these undefined sections and, over time, are able to create a system map to identify possible hacks. By changing the construct every 50 milliseconds, attackers do not have enough time to find those weaknesses or develop an accurate representation of the system as a whole.

To evaluate the hardware security concepts in development on the SSITH program, DARPA – working with Galois – is pursuing a voting system evaluation effort to provide a demonstration system that facilitates open challenges. The program elected to use a voting system as its demonstration platform to provide researchers with an accessible application that can be evaluated in an open forum. Further, the topic of election system security has become an increasingly critical area of concern for the hacker and security community, as well as the United States more broadly.

“DARPA focuses on creating technologies to enhance national defense, and election system security falls within that remit. Eroding trust in the election process is a threat to the very fabric of our democracy,” noted Salmon.

While protecting democracy is a critical national defense issue, SSITH is not trying to solve all issues with election system security, nor is it working to provide a specific solution to use during elections. “We expect the voting booth demonstrator to provide tools, concepts, and ideas that the election enterprise can use to increase security; however, our true aim is to improve security for all electronic systems. This includes election equipment, but also defense systems, commercial devices, and beyond,” said Salmon.

During DEF CON 2019, the SSITH voting system demonstrator will consist of a set of RISC-V processors that the research teams will modify to include their SSITH security features. These processors will be mounted on field programmable gate arrays (FPGAs) and incorporated into a secure ballot box. Hackers will have access to the system via an Ethernet port as well as a USB port, through which they can load software or other attacks to challenge the SSITH hardware. Since SSITH's research is still in the early stages, only two prototype versions of the 15 processors in development will be available for evaluation.

“At this year's Voting Village, hackers may find issues with the processors and quite frankly we would consider that a success. We want to be transparent about the technologies we are creating and find any problems in these venues before the technology is placed in another venue where a compromise could be more dangerous,” said Salmon.

Following DEF CON 2019, the voting system evaluation effort will go on a university roadshow where additional cybersecurity experts will have an opportunity to further analyze and hack the technology. In 2020, DARPA plans to return to DEF CON with an entire voting system, which will incorporate fixes to the issues discovered during the previous year's evaluation efforts. The 2020 demonstrator will use the STAR-Vote system architecture, which is a documented, open source architecture that includes a system of microprocessors for the voting booth, ballot box, and other components. It also includes a verifiable paper ballot, providing both digital and physical representations of the votes cast within the booth.

“While the 2020 demonstrator will provide a better representation of the full attack surface, the exercise will not result in a deployable voting system. To aid in the advancement of secure election equipment as well as electronic systems more broadly, the hardware design approaches and techniques developed during the SSITH program will be made available to the community as open-source items,” concluded Salmon.

https://www.darpa.mil/news-events/2019-08-01
