At GrammaTech, we spend most of our waking hours researching how to make software more reliable and more secure. This takes shape both in our commercial products division, where we develop CodeSonar®, our static analysis software, and our advanced research division, in which we tackle large global cyber-security concerns for U.S. government agencies and other contractors.
Frequently, these two sides of our company are focused on separate projects. We provide immediate consumer-driven solutions with CodeSonar, while developing longer-range cyber-security solutions in our research department, such as providing the U.S. Navy with an infrastructure for deep visual understanding of their code, or delivering a system to the Air Force to detect malicious code that can harm their systems.
So we’re pleased that this opportunity from DARPA will allow us to combine much of our existing research along with our commercial product, CodeSonar, to create a very advanced new system.
The Cyber Grand Challenge
We’ve been selected by DARPA (the Defense Advanced Research Projects Administration) to participate in its Cyber Grand Challenge, in which over 30 teams from around the world are competing to develop a security system capable of automatically defending against cyber-attacks as fast as they are launched. We are part of a smaller group of seven teams invited and partially supported by DARPA to develop automated network defense technology for the challenge.
The Cyber Grand Challenge is aimed at solving a major cyber-security issue that we are starting to face with alarming frequency – the reliance on expert programmers to uncover and repair weaknesses in an attacked system. Further, only after it has been attacked, and, even further, after hackers have fully taken advantage of these weaknesses to steal data or otherwise impact processes.
Our Plan
Our team includes experts from GrammaTech along with leading researchers from the University of Virginia. We bring an innovative focus to the Cyber Grand Challenge, similar to what we uniquely deliver to the commercial software-development tools market: the analysis of program binaries.
Our system will provide automatic and adaptive protection of a network service (implemented as an x86 binary) and automatically evaluate network defenses by generating proofs of vulnerability. The system includes breakthrough technology for automated analysis, repair, and protection of binaries and an autonomous cyber reasoning component that dynamically adapts, adjusting resource allocation in response to evolving circumstances.
Technology Highlights
Our system for the Cyber Grand Challenge will leverage many innovative technologies developed by our research group, including CodeSonar’s binary analysis technology, and solutions we call PEASOUP and Neptune.
PEASOUP (Preventing Exploits Against Software Of Uncertain Provenance) is a technology developed under IARPA’s STONESOUP program and executed through a collaboration among GrammaTech, the University of Virginia, The Georgia Institute of Technology, and Raytheon. PEASOUP automatically repairs and hardens binaries to prevent attacks. It combines binary analysis, repair, confinement, and diversification to remove or remedy memory-safety, number-handling, command-injection, null-pointer, concurrency, and resource-drain vulnerabilities.
Neptune is currently being developed in collaboration by GrammaTech and Raytheon BBN, in the context of DARPA’s VET program. The goal of this technology is to help U.S. government agencies address the threat of malicious code and hidden “backdoor” access in commodity IT devices. Neptune tackles supply-chain risk-management issues for software and firmware by automatically discovering malicious functionality in such devices. It employs novel techniques for scalable, sound, and precise detection of vulnerabilities in software binaries.
We will update our progress as we compete in the Cyber Grand Challenge, so please look for more information on this blog as the weeks roll on.
PEASOUP is based upon work supported by the United States Air Force under Contract No. FA8650-10-C-7025. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Air Force.
Neptune is based upon work supported by the United States Navy (SPAWAR) under Contract No. N66001-13-C-4046. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Navy.
This blog post has been edited from the original to acknowledge IARPA’s support of PEASOUP.