Does the term unhackable send you into fits of laughter?
Or does it make you wave your hand in the air as if to dismiss that possibility without needing a second thought?
Before you do either of those things—again—consider this: a new computer chip remains unhacked after DARPA and more than 500 cybersecurity researchers tried to break through its security.
And the developers say this chip could end the "patch and pray" strategy that keeps security teams running in circles and lower the stress level of CISOs in the process.
MORPHEUS chip: unhackable because of 'encryption churn'?
The University of Michigan developed the chip, which it calls MORPHEUS.
The name might have tipped you off to a key feature; it morphs before attackers can figure out how to crack the chip's security.
"Imagine trying to solve a Rubik's Cube that rearranges itself every time you blink," says Todd Austin, U-M Professor of Computer Science and Engineering. "That's what hackers are up against with MORPHEUS. It makes the computer an unsolvable puzzle."
Austin calls this encryption churn and says it prevents reverse engineering, which sophisticated hackers sometimes use.
A recent University of Michigan update on the chip explains how this operates:
"It focuses on randomizing bits of data known as 'undefined semantics.' Undefined semantics are nooks and crannies of the computing architecture—for example the location, format, and content of program code. They're part of a processor's most basic machinery, and legitimate programmers don't generally interact with them. But hackers can reverse-engineer them to uncover vulnerabilities.
Encryption randomizes the important undefined semantics that hackers need to launch a successful attack, while churn re-randomizes them while the system is running.
This puts attackers in a race against the clock to discover the information that they need. Austin said that the churn rate is normally kept low to keep system performance high. But when a would-be hacker exercises an undefined semantic in an attempted attack, the churn rate spikes, stopping attackers in their tracks."
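The mechanism described in the quoted update can be sketched as a small software model. This is an added example, not code from the University of Michigan or the MORPHEUS project: the ChurnDomain class, its method names, the XOR masking that stands in for the chip's cipher, and the tick counts are all assumptions made for illustration.

```python
import secrets

class ChurnDomain:
    """Toy model of encryption churn (illustrative, not the MORPHEUS design).
    XOR masking stands in for the chip's cipher, which the article does not name."""
    def __init__(self, normal_period=50, alarm_period=1):
        self.period = normal_period        # ticks between re-keys while quiet
        self.alarm_period = alarm_period   # ticks between re-keys after a probe
        self.key = secrets.randbits(64)
        self.age = self.churns = 0
        self.table = {}                    # name -> pointer stored encrypted

    def store(self, name, ptr):
        self.table[name] = ptr ^ self.key

    def load(self, name):
        """Legitimate use: decrypted under whatever key is current."""
        return self.table[name] ^ self.key

    def leak(self, name):
        """What a memory-disclosure bug would expose: ciphertext only."""
        return self.table[name]

    def jump(self, enc_ptr, valid_targets):
        """Decrypt a supplied pointer. Treating an invalid target as the
        'undefined semantic' trigger is an assumption of this model."""
        target = enc_ptr ^ self.key
        if target not in valid_targets:
            self.period = self.alarm_period   # churn rate spikes
            return None
        return target

    def tick(self, n=1):
        for _ in range(n):
            self.age += 1
            if self.age >= self.period:
                new_key = self.key ^ (secrets.randbits(63) + 1)  # always differs
                self.table = {k: v ^ self.key ^ new_key for k, v in self.table.items()}
                self.key, self.age = new_key, 0
                self.churns += 1

def demo():
    dom = ChurnDomain(normal_period=50, alarm_period=1)
    dom.store("handler", 0x401000)            # constructed sample address
    stolen = dom.leak("handler")              # value disclosed before the churn
    fresh = dom.jump(stolen, {0x401000})      # same epoch: still decodes
    dom.tick(50)                              # one churn passes
    stale = dom.jump(stolen, {0x401000})      # old ciphertext, new key: rejected
    dom.tick(5)                               # alarm period: a churn every tick
    return fresh, stale, dom.load("handler"), dom.churns
```

The leaked value is only useful until the next re-key, while the program's own access through load() keeps working across every churn.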
The unhackable chip bug bounty competition
The U.S. Defense Advanced Research Projects Agency (DARPA) hosted a competition to see if the MORPHEUS chip could be hacked. More than 500 security researchers had the chance to win tens of thousands of dollars in bounties if they could break through the encryption churn.
They could not, even though they had three full months to do it.
The chip's creators say if this impenetrability holds, it could change security as we know it.
Could unhackable computer chip 'end patching' as we know it?
Todd Austin, team leader of the U-M project, says his team achieved its results on the chip project by abandoning a cornerstone of traditional computer security—finding and eliminating software bugs.
"Today's approach of eliminating security bugs one by one is a losing game," Austin says. "Developers are constantly writing code, and as long as there is new code, there will be new bugs and security vulnerabilities. With MORPHEUS, even if a hacker finds a bug, the information needed to exploit it vanishes within milliseconds. It's perhaps the closest thing to a future-proof secure system."
Could MORPHEUS chip be a security moonshot?
Talk of an unhackable technology reminds me of a fireside chat I saw at a SecureWorld conference a few years ago. Pete Chronis, former CISO at Warner Media (HBO, Turner Broadcasting, etc.), was discussing his recent book about fixing cybersecurity.
He told the audience that security needs a game changer. This is from the back cover of his book:
"In The Cyber Conundrum... Chronis explores the state of American cybersecurity and finds it woefully inadequate to meet the threat. He calls for a 'moonshot'—a profound, coordinated effort to bolster cybersecurity to protect our democracy, economy, and individual digital identities."
This talk of a moonshot continues to bounce around both IT security and government circles.
In 2018, for example, the National Security Telecommunications Advisory Committee (NSTAC) issued a special publication: NSTAC Report to the President on a Cybersecurity Moonshot.
Could the new MORPHEUS chip design be a moonshot moment for security? Only time will tell.