Cyber program from DARPA seeks to harden software security
News, October 14, 2022
ARLINGTON, Va. The Defense Advanced Research Projects Agency (DARPA) has launched the Hardening Development Toolchains Against Emergent Execution Engines (HARDEN) program and selected the teams that will build practical tools to prevent exploitation of integrated computing systems. The tools aim to disrupt the patterns that exploits depend on and to deny would-be attackers the emergent execution engines their exploits run on.
The DARPA HARDEN announcement describes the phenomenon colloquially known as "weird machines": a system's own design and features can inadvertently help an attacker operate it in ways its designers never intended. Unrelated, benign features spread across the system combine into an unexpected, emergent execution engine that stands ready to run an attacker's exploit.
Sergey Bratus, HARDEN program manager in DARPA’s Information Innovation Office, said of the program: "Weird machines can provide tremendous advantages to attackers who manage to discover and control emergent behaviors in their targets. HARDEN aims to deny these advantages, by combining ethical hackers' growing understanding of how attackers turn parts of modern computing systems against the whole with the pioneering formal methods and automated software analysis developed with DARPA’s support. It stands to reason that ethical hackers and non-traditional performers play a key role in HARDEN.”
DARPA describes the threat as attackers targeting the software that runs when a computer boots, so that they can evade security protections before those protections are activated. This initial software provides the "root of trust" for the rest of the system, so compromising it destroys the trustworthiness of everything that runs afterward. HARDEN is set to apply its combination of insights gained from collaboration with ethical hackers, mathematical models, and automation to secure these critical root-of-trust components.
The program will run for 48 months. Work by the HARDEN teams will span several major technical areas, such as developing tools that let software developers account for emergent behaviors and creating models of emergent execution. Several of the participants chosen for HARDEN teams are direct descendants of DARPA's Cyber Fast Track program and Cyber Grand Challenge, both of which reached out to the ethical-hacking community and helped diversify and grow its ranks.