Galois to secure, optimize DoD systems

On February 20, Galois of Portland, OR announced that it has been awarded a $6 million (base plus option) contract by the Office of Naval Research (ONR) to build a toolset that will enable DoD and commercial organizations to more easily retrofit legacy systems. The toolset aims to minimize the attack surface and optimize existing software for new environments without requiring vendor cooperation or source code.

For the Verified Debloating and Delayering (VADD) project, Galois is leading a project team that includes SRI International, Stanford University, and the University of Iowa. Galois will be responsible for overall technology development, primarily focused on restructuring compiled applications.

“Today it is very difficult for DoD and other government agencies to retrofit an existing system due to vendor lock-in and the costs and complexities of systems which can take decades to rebuild,” said Dr. Joe Hendrix, principal researcher at Galois. “The goal of VADD is to build a toolset that supports efforts by the Office of Naval Research to adapt systems to meet emerging threats.”

The project team will build a toolset for application debloating and delayering that produces optimized binaries from inputs given as existing binaries or source-compiled LLVM bytecode. The solution will integrate formal verification techniques to provide assurance that optimized programs preserve the semantics of the input program. VADD seeks to provide DoD greater flexibility in retrofitting existing systems or building new systems in a modular fashion.

The project will also address the verification and validation challenge of ensuring that transformations do not unintentionally change program behavior, and provide evidence-based formal assurance that the results are correct.

The VADD toolkit will be suited for individuals focused on securing software and operating it for an extended period of time, and who want the technical ability to modify it without re-building from scratch. While DoD applications are an initial focus, the project team believes there will be, over time, commercial applications for system integrators, automotive and other sectors.

Source: Galois