You are here

Developing A Robust Software Assurance Tools for Cyber Security

Description:

 
 

TECHNOLOGY AREA(S): Electronics

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), which controls the export and import of defense-related material and services. Offerors must disclose any proposed use of foreign nationals, their country of origin, and what tasks each would accomplish in the statement of work in accordance with section 5.4.c.(8) of the solicitation.

OBJECTIVE: The ubiquitous nature of modern computing requires an arsenal of security tools and techniques. One of the more powerful techniques is the employment of Automated Tools. While many Automated Tools exist they are unfortunately weak in many critical aspects such as forcing a tradeoff between large numbers of false positives and false negatives, failure to identify deliberately injected malicious code, and lack of breadth of coverage, including and a failure to account for many aspects of computing hardware such as hardware accelerators. This topic seeks to develop a set of robust Automated Tools for the modern heterogeneous computing systems following both active and passive security paradigms to address the shortcomings above which are intrinsic to existing technologies. The Automated Tools proposed will provide software security at development and deployment stages for both custom and integrated Commercial-Off-The-Shelf systems.

DESCRIPTION: The current set of Automated Tools available for the security professional have a number of advantages such as speed and volume of coverage [1] [2]. However, these advantages come at a cost which includes limited breadth of scope, over specialization, and a complete ignorance of modern computing hardware designs – e.g. hardware accelerators such as the Graphics Processing Unit (GPU) [3] [2] [4]. Additionally, current software assurance scanning technologies result in finding lists which are largely incomplete (many false negatives), or which contain many false positives requiring large amounts of human analysis to triage.

Therefore as part of mission critical cybersecurity we solicit for the development of a more robust and powerful set of Automated Tools for the modern computing system. This proposal seeks to develop a set of robust Automated Tools for the modern heterogeneous computing systems following both active and passive security paradigms to address the shortcomings above which are intrinsic to existing technologies. The Automated Tools proposed will provide software security at development and deployment stages for both custom and integrated Commercial-Off-The-Shelf systems.

PHASE I: Develop a white paper or prototype which documents a process for developing a robust Automated Tools set for modern computing systems that will provide cybersecurity. The proposed solution shall follow both active and passive design/implementation paradigms that employ automated interface testing for Commercial Off The Shelf (COTS) and machine learning methodologies across distributed and shared heterogeneous architecture environments [5].

The active design model will be defined by real-time testing to detect vulnerability to known hacking techniques, malicious code variants, and interfaces to insecure COTS components using powerful machine learning algorithms to detect intentional and unintentional secure coding issues. This type of analysis would leverage dynamic testing techniques to find exploitable vulnerabilities. The passive design model of this proposed Automated Tools set will be defined by uncovering deliberately injected malicious code logic including the detection of specialized types of malicious code such as GPU-Assisted malware in already developed software applications.

PHASE II: Develop a working prototype, based on the selected Phase I design which demonstrates capabilities of a robust Automated Tools for Cyber Security.

The proposed solution shall provide a higher level of cybersecurity for the developer and security professional. The ability of Automated Tools to actively recognize potential malicious code and logic techniques as the system is developed will provide critical security throughout the Software Development Lifecycle (SDLC), which will significantly reduce costs [2]. By finding potential vulnerabilities earlier in the lifecycle, rather than through problem reports after systems are fielded, sustainment costs can be drastically reduced, and system readiness drastically enhanced. The recognition of the potential for malicious attack via the GPU has far reaching benefit for security as well, given the high number of systems that now routinely incorporate such devices in their architectures [4].

PHASE III DUAL USE APPLICATIONS: In conjunction with Army, optimize the prototype created in Phase II. Implement a Robust Software Assurance Tools for Cyber Security solution for test and evaluation, using commercially available technologies. The implementation should ensure that the system is interoperable with existing system of systems. Perform steps required to commercialize the system.

REFERENCES:

  • Klocwork, "Developing Software in a Multicore and Multiprocessor World," Ottawa, ON, 2010.
  • G. McGraw, Software Security: Builiding Security In, Addision-Wesley Professional, 2006.
  • "Comparative Study of Risk Management in Centralized and Distributed Software Developement Environment," Scientific Internation (Lahore), vol. 26, no. 4, pp. 1523-1528, 2014.
  • G. Vasiliadis, M. Polychronakis and S. Ioannidis, "GPU-Assisted Malware," International Journal of Information Security, vol. 14, no. 3, pp. 289-297, 2015.
  • M. Atighetchi, V. Ishakian, J. Loyall, P. Pal, A. Sinclair and R. Grant, "Metronome: Operating System Level Performance Management via Self-Adaptive Computing," in Proceedings of the 49th Annual Design Automation Conference, 2012.
  • D. Quinlan, C. Liao, T. Panas, R. Matzke, M. Schordan, R. Vuduc and Q. Yi, "ROSE User Manual: A Tool for Building Source-to-Source Translators," Lawrence Livermore National Laboratory, Livermore, CA, 2015.

KEYWORDS: Cyber Security, Automate, ROSE, Commercial Off The Shelf (COTS), malicious, vulnerabilities, Graphics Processing Unit (GPU), General Programming for GPU (GPGPU), Software Development Lifecycle (SDLC)

 

US Flag An Official Website of the United States Government