Hardened Adversarial Challenge



The DARPA VET program program is developing techniques to determine that the software and firmware shipped on commodity IT devices is free of broad classes of backdoors and other hidden malicious functionality. Common examples of commodity IT devices include mobile phones, network routers, printers, and computer workstations. If present, backdoors and other hidden malicious functionality could enable an adversary to use commodity IT devices as tools to accomplish a variety of harmful objectives, including the exfiltration of sensitive data and the sabotage of critical operations. The VET program seeks to develop and demonstrate new tools and techniques to establish that vetting every new device in a timely fashion at scale across large organizations is technically feasible.

The HAVoC project supports the VET goals by developing large, real-world benchmarks for 3rd parties to independently evaluate the effectiveness of their vetting approaches. This cleanly separates the duties of defensive technique development from performance evaluation. This is especially important in security research as otherwise if both duties are performed by the same party, they may unintentionally bias the malice towards the solution or the solution towards malice. These articles are also implemented on full sized designs representative, which enable scalability testing.

HAVoC provides a series of challenges on FPGA firmware, or netlists. Modeling the threat vector of commodity IT devices, no source code is provided, only the flattened netlist with hashed signal names. The type of commodity device and an end-user level guide is provided, which does allow for vetting approaches to be customized to a particular application domain. In some cases, a deployment scenario is also provided. The deployment scenario describes how the IT device is to be utilized, and therefore which features may or may not be in scope of the vetting tests. The Challenges page provides more information on the engagement details.

This material is based on research sponsored by the Defense Advanced Projects Agency (DARPA) and the Space and Naval Warfare Systems Center (SSC) Pacific under agreement number N66001-13-2-4042. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of DARPA or SNWSC.