The University of Michigan recently developed a so-called “unhackable” computer chip that has defeated more than 500 hackers during a three-month bug bounty effort. DARPA partnered with the Department of Defense’s Defense Digital Service (DDS) and Synack, a crowdsourced security platform, to run this bug bounty program.
Tens of thousands of dollars were offered to anyone who could analyze and break into the chip dubbed “MORPHEUS.” However, the chip passed its security tests unscathed.
Twenty times a second, MORPHEUS will re-randomize key parts of its own code. Image used courtesy of the University of Michigan
While the prize of thousands of dollars may not have been enough to pique the interest of top-tier hackers, and MORPHEUS might not really be “unhackable,” the chip’s resilience against so many attacks suggests a secure architecture worth investigating.
What are some common vulnerabilities of computer chips and how does an attacker use them to break into a system? In this article, we’ll take a look at some of the major techniques MORPHEUS uses to thwart these attacks.
First, Some Background on Undefined Behavior
When writing computer programs, we make assumptions about the circumstances under which certain program statements will be executed. If these conditions are not met, the program statement can have undefined semantics—and anything can happen.
An example of undefined behavior in C programming is indexing an array outside of its defined bounds. Another common example is buffer overflow. Assume that we use an 8-byte array to store some data. If the data assigned to this array occupies more than 8 bytes, the program will write the excess data past the array boundary. C and C++ programming languages have several different forms of undefined behavior.
If we assign a 10-byte value to an 8-byte buffer, the buffer will overflow and the excess bytes will be stored at the memory locations past the array boundary.
It should be noted that it is possible to create programming languages that execute statements only if they have a precisely defined behavior; however, this will involve some run-time monitoring and will slow the execution down. That’s why some programming languages accept the possibility of having undefined behavior to offer a higher speed. With such programming languages, it is the obligation of the programmer to make sure that undefined behavior will not cause any issues in the software execution.
Undefined Behavior Leads to Security Vulnerabilities
Again consider the buffer overflow example. With a buffer that gets some value from users, it is actually possible for attackers to overwrite the memory locations past the buffer boundary with arbitrary data. In this way, one might be able to overwrite the content of the memory locations that hold the executable code and replace it with their own code.
Or, they might be able to locate a sensitive pointer and overwrite it with a value designed to change the execution path of the program. Buffer overflow is a common attack technique for computer programs that are written in C and C++.
The above discussion shows that the attackers need some critical information about the system, such as a representation of code and pointers, or the exact location of code and data to exploit the system vulnerabilities.
A secure hardware architecture should prevent the attacker from obtaining these key program values. This is exactly what MORPHEUS, the “unhackable” computer chip, accomplishes. MORPHEUS uses several techniques to build a fortress against attackers.
MORPHEUS’ Strategy: Moving Target Defenses
Moving target defenses is one of the important techniques that MORPHEUS uses to thwart attacks. This method is based on the idea that although the system has vulnerabilities such as those originating from undefined behavior, it is possible to thwart attacks by preventing the attacker from obtaining the critical system information. This technique randomizes critical program values, such as code location and pointer values, so the attacker cannot discover the state of the system and exploit the system bugs.
The researchers at the University of Michigan are not the first to employ this randomization technique; however, they leverage a high randomization space (referred to as bits of entropy) to increase the probe time the attacker needs to discover the state of the system.
The following table lists some of the common randomization techniques and the attacks developed to defeat them.
Common randomization techniques. Image used courtesy of the University of Michigan
The table also gives the entropy of each technique as well as the estimated times for the attack techniques.
A Continually Re-arranging “Rubik’s Cube”
Moving target defenses randomize the critical information each time the program runs. This increases the estimated probe time. With enough time, however, the attacker may successfully discover the information needed to launch an attack.
To address this issue, MORPHEUS uses a technique referred to as churn that re-randomizes key program values every 50 ms. Such a short churn period does not allow the attacker to have sufficient time to obtain the required information. This is similar to solving a Rubik’s Cube that rearranges itself every time you blink.
The image below shows how MORPHEUS uses moving target defenses and churn techniques to present a fortress to attackers.
Depiction of moving target defenses and churn techniques. Image used courtesy of the University of Michigan
Speedy Attack Detection Is Key
In addition to using the churn technique to periodically re-randomize the key program values, MORPHEUS uses an attack detection mechanism that further increases the churn trigger rate when a potential attack is detected.
The architecture of MORPHEUS. Image used courtesy of the University of Michigan
The above techniques enable MORPHEUS to re-randomize key program values about 5,000 times faster than estimated attack times. Interestingly, although the new architecture uses 504 bits of entropy and 50 ms churn period, it has only a 1% average slowdown (7% worst case) for SPEC’06 and MiBench benchmarks.