Experimental Morpheus CPU is ‘mind-bogglingly terrible’ to crack

To many of us, Morpheus is a character played by Laurence Fishburne in The Matrix movies. To others, Morpheus is the Greek god of sleep and dreams. To others still, Morpheus is a digital synthesizer from the early ‘90s that developed a cult following.The Morpheus we’re discussing today, however, is of far greater relevance to enterprise IT professionals who constantly are searching for ways to protect their networks from the ever-present threat of hackers.

Developed by a team at the University of Michigan, this Morpheus is a CPU that ingeniously protects against hacking attempts by using encryption that changes every few milliseconds, which prevents intruders from getting a fix on how a system is set up. This makes cracking the encryption nearly impossible and is sure to drive hackers crazy.

How effective is Morpheus? According to Samuel K. Moore of IEEE Spectrum, 580 cybersecurity researchers spent a total of 13,000 hours attempting to hack into Morpheus (and four other experimental secure CPUs) last summer during a test as part of a US Defense Advanced Research Program Agency (DARPA) program known as Security Integrated Through Hardware and Firmware (SSITH). None of the 580 cybersecurity pros were successful.

“A total of 10 vulnerabilities were uncovered among the five processors developed for SSITH, but none of those weak points were found” in Morpheus, Moore writes. The goal of the DARPA program is to create processors that are impervious to widespread hardware vulnerabilities that hackers target with malware.

It’s not that Morpheus is free of vulnerabilities; it’s that it makes finding likely attack points so difficult that attackers won’t even try, which, if successful, can eliminate whole classes of exploits.

Todd Austin, a University of Michigan professor of electrical engineering and computer science, explained to Moore why Morpheus is virtually impenetrable.

“Our idea was that if we could make it really hard to make any exploit work on it, then we wouldn’t have to worry about individual exploits,” Austin says. “We just would essentially make it so mind-bogglingly terrible to understand that the attackers would be discouraged from attacking this particular target.”

(This strategy reminds me of the guys on YouTube who string along and torture scammers by pretending they’re old or computer-illiterate, eventually forcing the scammers to give up in impotent rage and frustration–a technique I wholly endorse and heartily enjoy!)

Specifically, Austin says, Morpheus makes “the underlying implementation of the machine—the undefined semantics—change every few hundred milliseconds.” That in turn makes each underlying implementation so unique that the current one will never again be seen on any other machine. “It is completely unique in time and space.”

To be clear, Morpheus is a work in progress that has some limitations.

First, while it may make the prospect of successfully attacking it mind-bogglingly terrible, that doesn’t mean it can’t be done; it’s just extremely unlikely. And it can easily thwart “side channel” attacks such as Spectre and Meltdown, Austin says, but “it only stops low-level attacks” and not SQL injection or other higher-level exploits.

As for when Morpheus will be available commercially, that’s a bit up in the air, though Austin says the University of Michigan is partnering with DARPA to commercialize the processor for use in the cloud.

If you want to learn more about Morpheus, here’s a roughly one-hour YouTube video of Austin explaining the research and technology in far greater detail than I can in a blog post. And if you don’t have an hour to spare but want a Morpheus fix, here’s the scene in the first Matrix movie where Keanu Reaves as computer programmer Thomas Anderson/hacker Neo meets our namesake. Do you want to take the red pill or blue pill?