An “unhackable” computer chip lived up to its name in its first bug bounty competition, foiling over 500 cybersecurity researchers who were offered tens of thousands of dollars to analyze it and three other secure processor technologies for vulnerabilities. MORPHEUS, developed by computer science researchers at the University of Michigan, weathered the three-month virtual program DARPA dubbed the Finding Exploits to Thwart Tampering—or FETT—Bug Bounty without a single successful attack. In bug bounty programs, organizations or software developers offer compensation or other incentives to individuals who can find and report bugs or vulnerabilities.
DARPA, the Defense Advanced Research Projects Agency, partnered with the Department of Defense’s Defense Digital Service and Synack, a crowdsourced security platform, to conduct FETT, which ran from June through August 2020. FETT also tested technologies from MIT, Cambridge University, Lockheed Martin and nonprofit tech institute SRI International.
The U-M team achieved its results by abandoning a cornerstone of traditional computer security—finding and eliminating software bugs, says team leader Todd Austin, the S. Jack Hu Collegiate Professor of Computer Science and Engineering. MORPHEUS works by reconfiguring key bits of its code and data dozens of times per second, turning any vulnerabilities into dead ends for hackers.
MORPHEUS blocks potential attacks by encrypting and randomly reshuffling key bits of its own code and data twenty times per second.
“Imagine trying to solve a Rubik’s Cube that rearranges itself every time you blink,” Austin said. “That’s what hackers are up against with MORPHEUS. It makes the computer an unsolvable puzzle.”
MORPHEUS has previously proven itself in the lab, but the FETT Bug Bounty marks the first time that it was exposed to a group of skilled cybersecurity researchers from around the globe. Austin says its success is further proof that computer security needs to move away from its traditional bugs-and-patches paradigm. “Today’s approach of eliminating security bugs one by one is a losing game,” he said. “Developers are constantly writing code, and as long as there is new code, there will be new bugs and security vulnerabilities. With MORPHEUS, even if a hacker finds a bug, the information needed to exploit it vanishes within milliseconds. It’s perhaps the closest thing to a future-proof secure system.”
For FETT, the MORPHEUS architecture was built into a computer system that housed a mock medical database. Computer experts were invited to try to breach it remotely. MORPHEUS was the second-most popular target of the seven processors evaluated.