FETT BUG BOUNTY
WHAT: DARPA’s FETT Bug Bounty will perform crowdsourced Red Team testing on the secure processors in development on the DARPA SSITH program. Participants are invited to attack the software layer running on a variety of these secure processors to exploit any known or unknown vulnerabilities based on a hardware weakness that SSITH aims to mitigate. Discovered vulnerabilities will result in a cash bounty.
WHY: To ensure the SSITH secure processors are capable of addressing common classes of hardware vulnerabilities, DARPA is turning to the best and brightest security researchers, analysts, and hackers from across the world to help identify bugs and weaknesses in SSITH hardware. Once identified, the SSITH research teams will be able to further harden the defenses and improve upon their existing designs.
WHO: FETT will utilize Synack’s established community of vetted, ethical researchers – or Synack Red Team (SRT) members – as well as security researchers that earned a Technical Assessment “Fast Pass” through Synack’s CTF event.
HOW: Through Synack’s platform, researchers will be granted access to one of several SSITH technology instances hosted in the cloud. The SSITH instances include both 32-bit microcontrollers and 64-bit RISC-V CPUs running FreeRTOS, Linux, or FreeBSD, with an associated software stack designed to test one or more CWE classes.
The SSITH technology instances are:
| Lockheed Martin 32-bit Microcontroller Instance |
|
| University of Michigan 32-bit Microcontroller Instance |
|
| Lockheed Martin 64-bit CPU Instance |
|
| MIT 64-bit CPU Instance |
|
| SRI/Cambridge 64-bit CPU Base Instance |
|
WHEN: The FETT evaluation effort will run from July through September 2020.