Galois awarded $10m DARPA contract to make legacy systems more secure
Galois of Portland, OR announced on May 25 that it has been awarded a $10 million contract by the Defense Advanced Research Projects Agency (DARPA) Cyber Fault-tolerant Attack Recovery (CFAR) program to make security vulnerabilities lurking in military and commercial legacy, embedded and other mission critical systems code bases unexploitable.
The current approach to software security places military and civilian organizations at a disadvantage, as they must constantly play catch-up with attackers. Attackers need to find only one way in, while defenders must cover every exploitable avenue. Having to rely on individual software vendors to patch their software in a timely manner leaves defenders at a constant disadvantage. The situation is worse in legacy environments, where patches may be delayed or not available.
The DARPA CFAR program seeks revolutionary breakthroughs in defensive cyber techniques that protect existing and future software systems in both military and civilian contexts – without requiring changes to the concept of operations of these systems. The program is based on the introduction of diversity into the software ecosystem, providing protection via variation and unpredictability in much the same way that genetic variation among populations acts as a natural check against the proliferation of disease. Furthermore, by running multiple diverse variants of a piece of software, differences in behavior can be used to detect and recover from attacks.
The Galois-led team, which also includes Trail of Bits, Immunant, and University of California, Irvine, aims to support this goal by developing novel ways to prove correctness, security, and related properties of existing and future software systems. Galois’ Robust, Assured Diversity for Software Systems (RADSS) solution, based on years of research into software diversity, multi-variant execution, and program verification, will explore diversity-based defenses to new classes of attack and also address key challenges that currently prevent widespread deployment of these technologies, including:
- Establishing trust in the system and the diversified variants
- Enabling smooth recovery in case of attack
- Diversifying binary-only programs
- Support for multi-threaded and multi-process applications
“By combining multi-execution and software diversity, the CFAR program qualitatively changes the calculus of defense,” said Stephen Magill, software security research lead at Galois. “Many modern defenses are based on adding unpredictability to software, thereby decreasing the attacker’s chance of success. Combining unpredictability with multi-execution further decreases these chances and has the potential to take certain types of attack entirely off the table.”