Engineers have designed a computer processor that thwarts hackers by randomly changing its microarchitecture every few milliseconds. Known as Morpheus, the puzzling processor has now aced its first major tests, repelling hundreds of professional hackers in a DARPA security challenge.
In 2017, DARPA backed the University of Michigan’s Morpheus project with US$3.6 million in funding, and now the novel processor has been put to the test. Over four months in 2020, DARPA ran a bug bounty program called Finding Exploits to Thwart Tampering (FETT), pitting 525 professional security researchers against Morpheus and a range of other processors.
The goal of the program was to test new hardware-based security systems, which could protect data no matter how vulnerable the underlying software was. Morpheus was mocked up to resemble a medical database, complete with software vulnerabilities – and yet, not a single attack made it through its defenses.
There’s basically no such thing as bug-free software, and in many cases these bugs can be exploited by hackers. Software developers will usually patch them up when they find them, but that often doesn’t happen until after an attack, and hackers will just move onto the next vulnerability. The cycle continues in a never-ending arms race between hackers and developers.
More recently, computer scientists are realizing that hardware can play an important role in security. To design a piece of malware, hackers need to understand the microarchitecture of a processor, so they can figure out where to inject their malicious code. Locking down the system at the hardware level could potentially end the arms race once and for all.
That was the design philosophy behind Morpheus. Essentially, the processor starts by encrypting key information, such as the location, format and content of data. But that’s not enough on its own – a dedicated hacker could still crack that code within a few hours.
And that’s where Morpheus gets clever – the system shuffles that encryption randomly every few hundred milliseconds. That way, even if a hacker somehow manages to get a picture of the entire processor, it’ll completely change before they have a chance to act on it.
“Imagine trying to solve a Rubik’s Cube that rearranges itself every time you blink,” says Todd Austin, lead researcher on the Morpheus project. “That’s what hackers are up against with Morpheus. It makes the computer an unsolvable puzzle.”
Importantly, this difficulty doesn’t apply to programmers or users, because the card shuffling happens at a level that legitimate users of the system don’t directly interact with. The main side effect is that apparently Morpheus runs about 10 percent slower than an otherwise equivalent system would, but that’s a pretty good trade-off for a virtually unhackable processor. Plus, the team says that further refinement could speed the system up.
With its tough shell now proven, the Morpheus team says that the next steps for the project are to adapt the technology to use it to try to protect data in the cloud.