adimas - Fotolia

DARPA's SSITH program takes aim at hardware vulnerabilities

News roundup: DARPA's SSITH program tackles hardware vulnerabilities for better security. Plus, new risks placed in OWASP Top 10, SWIFT launches new anti-fraud tool, and more.

The U.S. Defense Advanced Research Projects Agency is calling for proposals to develop more secure chips through its System Security Integrated Through Hardware and Firmware program.

DARPA wants to build a framework that will support building security protections directly into hardware. The Agency has previously focused on software security but says that's not enough.

"Security for electronic systems has been left up to software until now, but the overall confidence in this approach is summed up in the sardonic description of this standard practice as 'patch and pray,'" said SSITH program manager Linton Salmon in DARPA's announcement. "This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software."

The System Security Integrated Through Hardware and Firmware, or SSITH, program focuses on the hardware vulnerabilities found in Mitre's Common Weakness Enumeration (CWE), which is a community-developed list of common software weaknesses. These include permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors and code injection.

According to DARPA's announcement of the SSITH program, researchers have documented approximately 2,800 software breaches that used one or more of the hardware vulnerabilities listed in the CWE. According to Salmon, fixing these hardware flaws would eliminate 40% of the current software vulnerabilities.

"The strategic challenge for participants in the SSITH program will be to develop new integrated circuit (IC) architectures that lack the current software-accessible points of illicit entry, yet retain the computational functions and high-performance the ICs were designed to deliver," the announcement states. "Another goal of the program is the development of design tools that would become widely available so that hardware-anchored security would eventually become a standard feature of ICs in both Defense Department and commercial electronic systems."

The SSITH program is expected to last for 39 months and will focus on two areas. The first is the development of "architectures that protect against one or more" of the vulnerabilities listed in the CWE and the tools needed to do that. The second is the development of "methodologies and metrics for measuring" the security of new products versus the performance of those products.

DARPA is hosting a Proposers Day on April 21 for those interested in submitting proposals to SSITH.

In other news:

  • The Open Web Application Security Project (OWASP) updated its list of the top 10 most critical web application security risks, adding two new risks and combining two old ones. The first new risk, coming in seventh place, is insufficient attack protection. "Web application firewalls have been ineffective at blocking application attacks because they have no context for what they are protecting," wrote Jeff Williams a founder and contributor to OWASP. Applications need to be able to detect, prevent and react to all attacks. The second new vulnerability, underprotected APIs, joins the list in tenth place. The use of APIs has grown considerably in recent years and security hasn't kept up. "The complexity of ... APIs makes them difficult for other tools to analyze and protect," wrote Williams. "This leads to a false sense of APIs security in many companies as their tools simply can't see either vulnerabilities or attacks." The top three OWASP application vulnerabilities both in 2013 and in 2017 are injection, broken authentication and session management, and cross-site scripting; two vulnerabilities on the old list, insecure direct object references (No. 4) and missing function level access controls (No. 7), were merged into a single vulnerability -- broken access control, No. 4 on the new list.
  • The interbank messaging service SWIFT is rolling out a new tool to prevent fraudulent messages. The new fraud-prevention tool allows SWIFT customers to screen their payment messages and detect unusual messages before they're transmitted. This new fraud-prevention service will provide real-time alerts to customers about out-of-policy messages and other potentially risky activity, as well as unusual messaging patterns. The tool is part of SWIFT's customer security program that launched in May 2016 after hackers exploited SWIFT and stole $81 million from Bangladesh central bank's account at the Federal Reserve Bank of New York. The attackers had attempted to steal $1 billion from the bank and since the incident, SWIFT has been slowly stepping up its security measures. "The new payment controls service is a direct response to our community's request for additional services to complement and strengthen existing fraud controls," said Yawar Shah, the chairman of SWIFT. "Through the development of new products, like the payment controls service and the roll out of the broader Customer Security Programme, SWIFT is demonstrating its commitment to delivering innovative community-based solutions that significantly enhance risk-management in cross-border payments."
  • The security community is reacting to the new Microsoft Patch Tuesday format by petitioning Microsoft to bring back the old security bulletins. April 2017 was the first month with the new system and the change has been anything but smooth. "While it's appreciated to have a searchable database in the Security Update Guide, it is too cumbersome to use to quickly get the information needed on Update Tuesday," wrote one petitioner. "Furthermore, many of the links in the guide were dead [on Tuesday]. To get the same information took way too many steps and required collaboration with other sources to confirm information. ... Please don't make the jobs of the IT professionals who depend on this information any harder." Microsoft's Patch Tuesday release is now in the format of a Security Update Guide that focuses more on the Common Vulnerabilities and Exposures targeted in a specific patch. Microsoft first announced the change in November 2016 and was originally due to roll out in February 2017.

Next Steps

Learn more about improving bank network communications security

Find out why hardware security issues are so tough to find and fix

Check out ways to avoid security issues when recycling hardware

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing