Morpheus: A new light into unhackable devices

By Nick Drapas

INTRODUCTION

Electronics are used daily and are becoming crucial in many fields: implantable medical devices, the computers we work on, smartphones, smart home security systems. They need to be secured so that no confidential information leaks and so that the devices cannot be manipulated maliciously, which in severe cases can cost lives. This is where cybersecurity comes into play. These devices have been secured in many ways, but to little avail: malicious third parties keep finding loopholes they can exploit.

Today’s approach to security issues is to have developers write new code to eliminate bugs one by one as they are discovered. But this is a treadmill: as new code is written, new vulnerabilities and bugs are found by attackers. The Morpheus processor tries a different approach to blocking attacks. A severe class of attack relies on reverse-engineering a processor’s most basic machinery: the location, format and content of program code and data, properties that a correct program itself never depends on. The paper calls these undefined semantics. Morpheus renders this approach ineffective by protecting all undefined semantics through a design approach known as Ensembles of Moving Target Defenses (EMTDs) with churn. With hardware support, it systematically randomizes all of the undefined semantics an attack needs, so that all of these targets move at the same time. The re-randomization is said to happen thousands of times faster than the fastest known attack; it has been compared to a Rubik’s Cube that rearranges itself every time you blink. Leading cybersecurity experts were invited to breach it with tens of thousands of dollars on the line, and after three months it remained intact and was approved for public release.

EXAMINING THE MORPHEUS ARCHITECTURE

This architecture is described in detail in the paper “Morpheus: A Vulnerability-Tolerant Secure Architecture Based on Ensembles of Moving Target Defenses with Churn”; the authors summarize it as follows (the figure the quote refers to is the paper’s architecture diagram, not reproduced here): “As shown in the figure above, Morpheus is a 64-bit RISC-V-based secure architecture that uses EMTDs with churn to defend control-flow attacks. Morpheus deploys moving target defenses to randomize key values needed for these attacks: i) code, ii) code pointers, and iii) data pointers. These domains can be aggressively churned without breaking normal programs in the architecture. Morpheus’ moving target defenses rely on the domain tagging mechanism to precisely track the domain of all memory objects at runtime. Morpheus leverages these tags to implement two moving target defenses – pointer displacement, which obscures pointer values by adding a random displacement to them by domain, and domain encryption, which encrypts all domains in the program under their keys. Both defenses can be re-randomized at runtime by the churn unit. To do this efficiently, the churn unit updates the necessary values while program execution continues. Additionally, Morpheus includes an attack detector to sense when a potential attack is in progress and ramp up the churn rate to strongly repel the attack.”

This describes the layers of the architecture. At each layer a mechanism waits to detect an attack and deflect it. It secures the vulnerabilities that most devices and defenses struggle to keep up with, because it targets the core architecture. Most of these attacks are control-flow attacks: they target the device at its core, precisely these undefined semantics, and reverse-engineer them to mount a damaging attack. Having seen how the device is built, we now look at the feature that would make even the most patient hacker give up.

ANALYSING THE EMTDs WITH CHURN

Conventional attacks usually follow a pattern. First comes probing the system, to locate the undefined semantics that the attack will rely on. Then the attacker builds an attack that best exploits the vulnerability found; this is the weaponization step. Finally the attack is launched, corrupting the targeted location and letting the attacker do whatever the attack was built for. If EMTDs alone are added to the device, they randomize these values, but not to a completely safe level: they delay the attack, but it is still breachable. Adding the churn mechanism re-randomizes the already randomized values, and keeps doing so quickly enough that finding the values an attack needs becomes computationally infeasible. The churn period can be as short as 50 ms, a few thousand times faster than the time required to launch a successful attack. The randomization covers 504 bits, so there are 2^504 possibilities. EMTDs force the attacker to probe the system extensively to find the random values an attack requires; that extensive probing is what the defensive system detects, and churn then re-randomizes the values at runtime without placing much load on the resources the system needs to operate. Take, for example, the attack below:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Where the attacker wants control flow to land. */
void target() {
    printf("You overflowed successfully, gg\n");
    exit(0);
}

/* Deliberately vulnerable: strcpy() runs past the 5-byte buffer into the saved return address. */
void vulnerable(char* str1) {
    char buf[5];
    strcpy(buf, str1);
}

int main() {
    /* 16 bytes of filler, then placeholder bytes meant to overwrite the return address with target()'s location. */
    vulnerable("ffffffffffffffff\xf0\x03\x02\x01");
    printf("This only prints in normal control flow\n");
}

With these two measures deployed against the code above, the attacker would need to search extensively for the address of target(). With churn, the function keeps moving around the address space while the search continues, so a probe succeeds only in the rare case that target() happens to land in the immediate vicinity of the address being probed.
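To make the mechanism in the paper’s description and in the target() example concrete, here is an added toy model written for this post; it is not Morpheus’s hardware or the paper’s code. It assumes one tag domain (data pointers), a 64-word memory, a fixed-seed xorshift generator in place of the hardware’s random source, and a simplified attack detector that counts tag violations; the names machine, make_ptr, churn, deref, detector_report and scenario are the model’s own.

```c
/* Toy model of pointer displacement, churn and an attack detector.
 * Added illustration for this post; not Morpheus's hardware or the paper's
 * code. Assumptions: one tag domain (data pointers), a small word-addressed
 * memory, xorshift64 standing in for the hardware random source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_WORDS 64            /* words of simulated data memory */
#define NREGS 4                 /* simulated registers */
#define TAG_DATA 0              /* domain tag: ordinary data */
#define TAG_PTR 1               /* domain tag: data pointer */
#define DETECT_THRESHOLD 3      /* tag violations before a forced churn */

enum fault { FAULT_NONE = 0, FAULT_TAG = 1, FAULT_BOUNDS = 2 };

typedef struct {
    uint64_t mem[MEM_WORDS];  uint8_t mem_tag[MEM_WORDS];
    uint64_t reg[NREGS];      uint8_t reg_tag[NREGS];
    uint64_t disp;            /* current displacement of the pointer domain */
    int violations;           /* tag violations since the last churn */
    int churns;               /* how often the churn unit has run */
    uint64_t rng;             /* xorshift64 state, fixed seed for reproducibility */
} machine;

static uint64_t next_rand(machine *m) {
    m->rng ^= m->rng << 13; m->rng ^= m->rng >> 7; m->rng ^= m->rng << 17;
    return m->rng;
}

void mach_init(machine *m) {
    memset(m, 0, sizeof *m);
    m->rng = 0x9E3779B97F4A7C15ULL;
    m->disp = next_rand(m);
}

/* Churn unit: pick a fresh displacement and rewrite every tagged pointer in
 * registers and memory, so the running program never notices. */
void churn(machine *m) {
    uint64_t fresh = next_rand(m);
    for (int i = 0; i < NREGS; i++)
        if (m->reg_tag[i] == TAG_PTR) m->reg[i] += fresh - m->disp;
    for (int i = 0; i < MEM_WORDS; i++)
        if (m->mem_tag[i] == TAG_PTR) m->mem[i] += fresh - m->disp;
    m->disp = fresh; m->violations = 0; m->churns++;
}

/* Attack detector, simplified: count tag violations, force a churn at the threshold. */
static void detector_report(machine *m) {
    if (++m->violations >= DETECT_THRESHOLD) churn(m);
}

/* The program takes the address of word `addr`: stored displaced and tagged. */
void make_ptr(machine *m, int reg, uint64_t addr) {
    m->reg[reg] = addr + m->disp;       /* wraps mod 2^64 */
    m->reg_tag[reg] = TAG_PTR;
}
/* Ordinary loads and stores carry the tag along with the value. */
void store(machine *m, int src, uint64_t addr) {
    m->mem[addr] = m->reg[src]; m->mem_tag[addr] = m->reg_tag[src];
}
void load(machine *m, int dst, uint64_t addr) {
    m->reg[dst] = m->mem[addr]; m->reg_tag[dst] = m->mem_tag[addr];
}
/* The attacker's write path: an overflow lands raw bytes with the data tag. */
void overflow_write(machine *m, uint64_t addr, uint64_t raw) {
    m->mem[addr] = raw; m->mem_tag[addr] = TAG_DATA;
}
/* Where a displaced value points under the current displacement. */
uint64_t decode(const machine *m, uint64_t displaced) { return displaced - m->disp; }

/* Dereference through a register: tag check, un-displace, bounds check. */
uint64_t deref(machine *m, int reg, enum fault *f) {
    if (m->reg_tag[reg] != TAG_PTR) { *f = FAULT_TAG; detector_report(m); return 0; }
    uint64_t addr = decode(m, m->reg[reg]);
    if (addr >= MEM_WORDS) { *f = FAULT_BOUNDS; detector_report(m); return 0; }
    *f = FAULT_NONE;
    return m->mem[addr];
}

/* One attack sequence. Returns 1 if the program kept working across churn
 * while the leaked and injected pointer values were defeated, else 0. */
int scenario(void) {
    machine m; enum fault f;
    mach_init(&m);
    m.mem[10] = 42;                         /* the word the attacker wants */
    make_ptr(&m, 0, 10);                    /* program holds a pointer in r0 */
    store(&m, 0, 20);                       /* and spills a copy to word 20 */
    uint64_t leaked = m.reg[0];             /* info leak: attacker sees the displaced value */
    int ok = decode(&m, leaked) == 10;      /* before churn the leak decodes correctly */
    churn(&m);                              /* periodic churn fires */
    ok &= deref(&m, 0, &f) == 42 && f == FAULT_NONE;   /* r0 was rewritten: still works */
    load(&m, 1, 20);
    ok &= deref(&m, 1, &f) == 42 && f == FAULT_NONE;   /* so was the spilled copy */
    ok &= decode(&m, leaked) != 10;         /* the leaked value now decodes elsewhere */
    int before = m.churns;                  /* attacker injects the stale value by overflow */
    for (int i = 0; i < DETECT_THRESHOLD; i++) {
        overflow_write(&m, 20, leaked);
        load(&m, 1, 20);
        deref(&m, 1, &f);                   /* data-tagged value used as a pointer */
        ok &= f == FAULT_TAG;
    }
    ok &= m.churns == before + 1;           /* detector forced an extra churn */
    return ok;
}

int main(void) { printf("scenario %s\n", scenario() ? "passed" : "failed"); return 0; }
```

Compile with any C99 compiler and run; scenario() walks through a leak, a churn and an injection. Note what churn buys that displacement alone does not: the leaked value was a perfectly usable pointer before the churn and a useless one after it, while the program’s own copies, tracked by their tags, were rewritten in place and kept working, and the attacker’s probes were counted by the detector and answered with another churn.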

Other defenses also randomize these semantics. Still, because the cost and overhead of running several moving target defenses at once is high, they usually move only one target at a time. Morpheus, even with its several moving target defenses running together, does so without adding much strain on the system, hence a low overhead as measured in the paper. This makes the design cost-effective, since adding these defenses does not take a large toll on the system.

CONCLUSION

The Morpheus device provides excellent security against attacks that exploit undefined semantics. That is not all: it also protects the device against attacks such as stack buffer overflow, format string and back-call-back attacks. While traditional approaches try to locate and fix vulnerabilities one at a time, EMTDs with churn take the initiative, shifting and randomizing any such vulnerability at a breakneck pace as soon as a malicious attempt is detected. This can be implemented in other devices because, as performant as it is, it does not need many resources to perform its tasks. Morpheus was even able to block an attack created after it was designed, which adds to its merit as providing some level of future-proofing against unknown attacks. Future work should aim at designs that work like this while defending against more kinds of attack. The main idea is a system that can identify malicious activity and make it impossible for an attack to reach its destination, or for the probing of vulnerabilities to be possible at all. It will also need to keep pace with quantum computing: a quantum computer that achieves so-called quantum supremacy performs certain tasks exponentially faster than an ordinary machine, finishing in hours what would take a classical device years. If churn-based defenses do not evolve in step, they may not hold once an attack at that level is executed against them. Even so, Morpheus represents a real advance, new ideas, and groundwork for future improvements.

Reference

  1. Griffin, M. (2021, March 19). 500 hackers spent three months trying to hack a radical new computer chip and failed. Fanatical Futurist. https://www.fanaticalfuturist.com/2021/03/500-hackers-spent-three-months-trying-to-hack-a-radical-new-computer-chip-and-failed/
  2. Solca, B. (2021, June 3). World’s best 500+ cybersecurity experts fail to hack the Morpheus processor. Notebookcheck. https://www.notebookcheck.net/World-s-best-500-cybersecurity-experts-fail-to-hack-the-Morpheus-processor.526402.0.html
  3. Gallagher, M., Biernacki, L., Chen, S., Aweke, Z. B., Yitbarek, S. F., Aga, M. T., Harris, A., Xu, Z., Kasikci, B., Bertacco, V., Malik, S., Tiwari, M., & Austin, T. (2019). Morpheus: A Vulnerability-Tolerant Secure Architecture Based on Ensembles of Moving Target Defenses with Churn. In ASPLOS ’19: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 469–484). https://doi.org/10.1145/3297858.3304037
