WHAT: DARPA’s FETT Bug Bounty will perform crowdsourced Red Team testing on the secure processors in development on the DARPA SSITH program. Participants are invited to attack the software layer running on a variety of these secure processors to exploit any known or unknown vulnerabilities based on a hardware weakness that SSITH aims to mitigate. Discovered vulnerabilities will result in a cash bounty.

WHY: To ensure the SSITH secure processors are capable of addressing common classes of hardware vulnerabilities, DARPA is turning to the best and brightest security researchers, analysts, and hackers from across the world to help identify bugs and weaknesses in SSITH hardware. Once identified, the SSITH research teams will be able to further harden the defenses and improve upon their existing designs.

WHO: FETT will utilize Synack’s established community of vetted, ethical researchers – or Synack Red Team (SRT) members – as well as security researchers that earned a Technical Assessment “Fast Pass” through Synack’s CTF event.

HOW: Through Synack’s platform, researchers will be granted access to one of several SSITH technology instances hosted in the cloud. The SSITH instances include both 32-bit microcontrollers and 64-bit RISC-V CPUs running FreeRTOS, Linux, or FreeBSD, with an associated software stack designed to test one or more CWE classes.

The SSITH technology instances are:

Lockheed Martin 32-bit Microcontroller Instance
  • IoT based over-the-air update client running on FreeRTOS
University of Michigan 32-bit Microcontroller Instance
  • COVID-19 Medical records database server running on FreeRTOS
Lockheed Martin 64-bit CPU Instance
  • Voter registration system
  • Debian Linux distro with userland and applications
MIT 64-bit CPU Instance
  • AES engine in secure enclave
  • Password authentication module in secure enclave
  • Debian Linux distro with userland applications
SRI/Cambridge 64-bit CPU Base Instance
  • Voter registration system
  • FreeBSD distro with userland and applications

WHEN: The FETT evaluation effort will run from July through September 2020.

You are now leaving the website that is under the control and management of DARPA. The appearance of hyperlinks does not constitute endorsement by DARPA of non-U.S. Government sites or the information, products, or services contained therein. Although DARPA may or may not use these sites as additional distribution channels for Department of Defense information, it does not exercise editorial control over all of the information that you may find at these locations. Such links are provided consistent with the stated purpose of this website.

After reading this message, click  to continue immediately.

Go Back