Everything can be infiltrated, locked, or stolen. That thought has long steered battling cybersecurity experts and black-hat hackers alike, one side building walls and the other tunneling beneath them. But what if it’s bogus?
University of Michigan researchers said a computer can be designed to be “unhackable,” according to a press release from the school. And the military apparently agrees. The Defense Advanced Research Projects Agency (DARPA) has put $3.6 million toward a university project that aspires to build an impenetrable computer.
“We are making the computer an unsolvable puzzle,” said Todd Austin, the University of Michigan computer science and engineering professor who heads MORPHEUS, the name of the endeavor. “It’s like if you’re solving a Rubik’s Cube and every time you blink, I rearrange it.”
If the effort proves successful, it could forever change computing and cybersecurity. This is, of course, significant for healthcare, whose data, networks, and devices have increasingly become under siege by bad actors who are often chasing ransom money or disruption. Experts have noted that cyberattacks in healthcare put lives at risk and expose some of the most sensitive data in society: medical information. Despite this, the industry has remained far behind other sectors in fortifying its cyber defenses.
But how could a computer be “unhackable,” anyway? Through MORPHEUS, Austin and his team hope to change how hardware is designed, providing for the rapid and random mobilization and destruction of information. The innovation could safeguard software and hardware alike, keeping hackers from the data they desire, according to the university. Essentially, the idea is to transform circuits into “unsolvable puzzles,” the school noted.
Take the Heartbleed bug that, in 2014, exposed passwords and other sensitive information to hackers. Had MORPHEUS been around, it would have changed where those keys were stored, leaning on encryption and domain enforcement to further safeguard the information. Ultimately, according to the university, the innovation would have rendered the bug ineffective.
This setup is a big leap from current cybersecurity standards. The industry relies on software and patches for existing vulnerabilities, Austin noted, a model that has been summarized as “patch and pray.” But his ever-shifting Rubik’s Cube design can shield information, systems, and users from unknown vulnerabilities, or zero-day exploits.
“What’s incredibly exciting about the project is that it will fix tomorrow’s vulnerabilities,” Austin said. “I’ve never known any security system that could be future-proof.”
Earlier this year, DARPA said it would bankroll $50 million for projects geared toward implementing cybersecurity fixes in hardware, a list that now includes MORPHEUS. Austin said the type of defenses he’s exploring are “too expensive to implement in software,” but DARPA’s backing can defend software by way of hardware. The technology is available now, and he hopes to develop the product at “low cost,” the university noted.
DARPA, meanwhile, wants to kill 7 types of hardware weaknesses that lead to 40% of software openings trafficked by malicious hackers. The agency hopes to wipe out vulnerabilities in permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection within 5 years.
“Instead of relying on Band-Aids to hardware-based security issues, we are aiming to remove those hardware vulnerabilities in ways that will disarm a large proportion of today’s software attacks,” said Linton Salmon, who manages the DARPA program.