World's best 500+ cybersecurity experts fail to hack the Morpheus processor
A couple of years ago, we reported on the announcement of the “unhackable” Morpheus computer processor developed by computer science researchers at the University of Michigan in the US. On paper, the processor presented quite the paradigm shift from traditional cybersecurity, which usually relies on finding and eliminating software bugs: Morpheus is designed to reconfigure key bits of its code and data dozens of times per second, turning any vulnerabilities into dead ends for hackers. In practice, however, it seemed that, given enough time and the aid of powerful AI tools, the sophisticated walls raised by Morpheus could eventually be breached. DARPA wanted to test this theory and amassed over 500 of the best cybersecurity experts in the world to try to hack Morpheus, but no one succeeded.
The Morpheus hacking challenge was part of a bug bounty program dubbed Finding Exploits to Thwart Tampering (FETT), organized by DARPA, the Department of Defense’s Defense Digital Service (DDS) and Synack, a crowdsourced security platform. This program ran from June through August of 2020 and evaluated the integrity of the Morpheus processor along with similar solutions developed by MIT, Cambridge University, Lockheed Martin and non-profit tech institute SRI International. It looks like only Morpheus emerged unscathed. According to University of Michigan team leader Todd Austin, the success of the Morpheus processor is further proof that computer security needs to move away from its traditional bugs-and-patches paradigm.
“Today’s approach of eliminating security bugs one by one is a losing game,” Austin said. “Developers are constantly writing code, and as long as there is new code, there will be new bugs and security vulnerabilities. With Morpheus, even if a hacker finds a bug, the information needed to exploit it vanishes within milliseconds. It’s perhaps the closest thing to a future-proof secure system.”
As part of the FETT program, cybersecurity experts were offered tens of thousands of dollars to breach a computer system powered by Morpheus that housed a mock medical database. The Morpheus system was the second-most popular target of the seven processors evaluated under FETT. Experts tried to hack Morpheus by reverse-engineering the processor’s most basic machinery like the location, format and content of program code, also known as “undefined semantics.” This approach is rendered ineffective by the chip’s ability to protect undefined semantics through “encryption and churn.” Encryption randomizes the important undefined semantics that hackers need to launch a successful attack, while churn re-randomizes them while the system is running. Austin explains that the churn rate is normally kept low to keep system performance high, but when a would-be hacker exercises an undefined semantic in an attempted attack, the churn rate spikes, stopping attackers in their tracks.
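The following toy model is an added illustration of the "encryption and churn" idea, not code from the Morpheus project or a description of its hardware. It assumes a simple XOR mask in place of the chip's encryption, made-up churn periods, and a hypothetical class name `ChurnedPointers`; it shows why a pointer value disclosed before a churn is useless afterwards, and how a failed use raises the churn rate.

```python
import secrets

class ChurnedPointers:
    """Toy model: pointers exist in memory only in masked (encrypted) form."""
    NORMAL_PERIOD_MS = 50  # assumed value, for illustration only
    ALERT_PERIOD_MS = 1    # assumed value, for illustration only

    def __init__(self):
        self.key = secrets.randbits(64)
        self.memory = {}  # slot name -> masked pointer
        self.period_ms = self.NORMAL_PERIOD_MS

    def store(self, slot, pointer):
        self.memory[slot] = pointer ^ self.key

    def load(self, slot):
        # The legitimate path always unmasks with the current key.
        return self.memory[slot] ^ self.key

    def churn(self):
        """Re-randomize: choose a fresh key and re-mask every stored pointer."""
        new_key = secrets.randbits(64)
        while new_key == self.key:
            new_key = secrets.randbits(64)
        self.memory = {s: m ^ self.key ^ new_key for s, m in self.memory.items()}
        self.key = new_key

    def use_raw(self, masked_value, valid_targets):
        """Use a raw masked value supplied from outside (leaked or forged)."""
        target = masked_value ^ self.key
        if target not in valid_targets:
            # A bad value was exercised: spike the churn rate.
            self.period_ms = self.ALERT_PERIOD_MS
            return None
        return target

def demo():
    cpu = ChurnedPointers()
    handler = 0x00007F00DEADB000       # constructed sample address
    cpu.store("handler", handler)
    leaked = cpu.memory["handler"]     # what a memory-disclosure bug would reveal
    cpu.churn()                        # happens before the leak can be used
    legit_ok = cpu.load("handler") == handler
    replay = cpu.use_raw(leaked, {handler})
    return legit_ok, replay, cpu.period_ms

if __name__ == "__main__":
    print(demo())
```

The program's own loads keep working across the churn, while the replayed value no longer resolves to a valid target and the churn period drops to the alert setting.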
Since it managed to foil every cyber-attack, DARPA awarded the Morpheus chip an A rating, which stands for “Approved for Public Release, Distribution Unlimited.”