DARPA Working on Provably Secure Embedded Software

DARPA is working on a new kind of software that is provably secure for specific properties.

DARPA is the birthplace of the network that eventually became today’s Internet, and the agency has spent the decades since it released that baby out into the world trying to find new ways to defend it. That task has grown ever more complex and difficult, and now DARPA is working on a new kind of software that is provably secure for specific properties.

Arati Prabhakar, the director of DARPA, said that the agency, which performs advanced research and development for the United States military and government, has been working on the software in the hopes that it can run on some embedded systems. The software isn’t meant as a general purpose operating system for servers or desktops, but Prabhakar said that the agency believes it has plenty of applications.

“Unfortunately there’s not going to be a silver bullet. There are pieces of this we think can become tractable. One of our programs is working on software that’s unhackable for specific security properties,” said Prabhakar, who was speaking at the Washington Post Cybersecurity Summit on Wednesday. “We’re working on a mathematical proof that the software can’t be hacked from the outside. It’s for embedded systems with a modest number of lines of code.”

She did not specify when the system would be ready or any details on the security properties it is being built for.

Prabhakar mentioned the new secure software system as one of the advanced projects that the agency is working on to help secure a variety of systems and platforms. DARPA focuses on ideas that can help secure the global Internet as well as corporate networks, individual PCs and embedded systems, and Prabhakar said that a key piece of that is the Cyber Grand Challenge, a competition that is meant to help produce new technologies that can secure those systems. The challenge begins next year and will conclude at DEF CON in 2016, and Prabhakar said DARPA has put together a purpose-built operating system and environment for the competition.

“It’s a separate environment with a new OS. We’re creating a league of their own for machines to fight it out,” she said.

There are 90 teams registered for the competition, which requires entrants to build systems that can compete in a massive capture the flag style contest without any human interaction. The $2 million top prize has attracted some top academic and industry teams, Prabhakar said, and the hope is that the contest will produce technology that can help defend networks against the high-speed attacks that are part of the modern threat landscape.

“We want to get to where we can do cybersecurity defense at machine speed. Attacks are happening in microseconds, not at the rate that you can type on your keyboard,” Prabhakar said. “We’re looking for a fundamentally different way to fight the threat.”

Prabhakar said that even DARPA, with all of its resources, technical expertise and experience, struggles to find the best way to address the security problem.

“We’re trying to wrangle with this problem while the information explosion is continuing. The moon shot for cyber, in my view, is to find techniques that scale faster than this explosion,” she said. “This is incredibly technically challenging and challenging from a policy perspective.”
