2D Polyglots

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Advanced computing and software The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws. OBJECTIVE: Develop polyglots (dual embedded formats) for existing 2-dimensional codes (e.g., QR codes) that enable high-bandwidth, secure data transfer. Assess potential security vulnerabilities in polyglot approaches. DESCRIPTION: DoD employees are interacting with physical-cyber data transfers at an ever-increasing rate; simply walking through an airport might require scanning 2-dimensional (2D) codes numerous times to receive basic goods and services, such as food menus and flight boarding passes. One of the most prevalent types of 2D codes is Quick Response (QR) code originating in 1994 from a Japanese automotive company. With the widespread adoption of mobile phones, QR codes have become a standard to store and transfer data in a physical format. The convenience that QR codes provide comes with certain limitations, such as the amount of data it can store and a balance between usability and security. 2D codes (e.g., QR codes, Data Matrix, MaxiCode, PDF417) are designed and optimized for a specific task; for example, data matrix codes used by shipping are fast to scan, however they only store 1.55kb of data as compared to 3kb for QR v4. 2D codes are often represented pictographically as part of printed media, such as a menu in a restaurant. They have low data density as a result of error correction and robustness to environmental effects (e.g., scratches). To increase the data density, preserve the inherent optimizations of each format, and ensure backwards compatibility, this study will investigate combining formats into 2D polyglots. In this context, a polyglot is a format that is valid in multiple computer programs. Polyglots are possible by combining two or more formats, each of which are able to be interpreted by multiple programs as having a valid format, for example, a file which is both a picture and a PowerPoint presentation. This study will investigate the effects that 2D polyglots have in QR codes and their potential to reduce the attack surface and increase data density. A basis of confidence that polyglots can exist in 2D codes is the known, trivial case of a 2D code imbedded in another 2D code [D14]. For more than a decade it has been widely known that current 2D codes have inherent vulnerabilities [D15, F19, K10]. Usability was heavily favored over security in the design of these codes. This imbalance led to a widely adopted standard with pervasive vulnerabilities. Attacks can take advantage of error correction algorithms and data sparsity to exploit 2D formatting assumptions and the inconsistences which software makes when interpreting a 2D code. For example, standard QR codes have orientation markers and data is only parsed in one direction; polyglot QR codes can contain multiple, non-conflicting formats that can be read independently based on approach direction.Finally, to ensure current systems and software can still be used, any enhancements to the SOTA must also be backwards compatible. Introducing new software and standards would inevitably have new and possibly unintended effects on security and efficiency. PHASE I: This topic is soliciting Direct to Phase II (DP2) proposals only. Proposers interested in submitting a DP2 proposal must provide documentation to substantiate that the scientific and technical merit and feasibility described above have been met and describe the potential commercial applications. DP2 documentation should include: • Technical reports describing results and conclusions of existing work, particularly regarding the commercial opportunity or DoD insertion opportunity, and risks/mitigations, and assessments; • Presentation materials and/or white papers; • Technical papers; • Test and measurement data; • Prototype designs/models; • Performance projections, goals, or results in different use cases; and, • Documentation of related topics such as how the proposed SUP solution can enable more realistic cyber training. This collection of material will verify mastery of the required content for DP2 consideration. DP2 proposers must also demonstrate knowledge, skills, and ability in networking, computer science, mathematics, and software engineering. For detailed information on DP2 requirements and eligibility, please refer to the DoD BAA and the DARPA Instructions for this topic. PHASE II: The goal of 2D Polyglots is to develop a QR code that can hold more data while maintaining backwards compatibility and to identify vulnerabilities present in current 2D codes.DP2 proposals should propose a research design to achieve the following goals: • Develop a protype system to demonstrate feasibility for producing 2D polyglots in a platform independent language (e.g., python 3.0, Golang); • Identify vulnerabilities and possible mitigations in 2D and 2D polyglot codes; • Detail a test plan, complete with proposed metrics and scope, for verification and validation of the system performance. Phase II will culminate in a system demonstration using one or more compelling use cases consistent with commercial opportunities and/or insertion into a DARPA program. The below schedule of milestones and deliverables is provided to establish expectations and desired results/end products for the Phase II effort. • Month 1: Phase I Kickoff briefing (with annotated slides) to the DARPA Program Manager (PM) (in person or virtual, as needed) including: any updates to the proposed plan and technical approach, risks/mitigations, schedule (inclusive of dependencies) with planned capability milestones and deliverables, proposed metrics, and plan for prototype demonstration/validation. • Months 3, 4, 5: Quarterly technical progress reports detailing technical progress made, tasks accomplished, major risks/mitigations, a technical plan for the remainder of Phase II (while this will normally report progress against the plan detailed in the proposal or presented at the Kickoff briefing, it is understood that scientific discoveries, competition, and regulatory changes may all have impacts on the planned work and DARPA must be made aware of any revisions that result), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM. • Month 6: Interim technical progress briefing (with annotated slides) to the DARPA PM (in-person or virtual as needed) detailing progress made (include quantitative assessment of capability developed to date), tasks accomplished, major risks/mitigations, planned activities, and technical plan for the second half of Phase II, the demonstration/verification plan for the end of Phase II, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM. • Month 7, 8, 9: Quarterly technical progress reports detailing technical progress made, tasks accomplished, major risks/mitigations, a technical plan for the remainder of Phase II (with necessary updates as in the parenthetical remark for Months 4, 7, and 10), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM. • Month 10/Final Phase II Deliverables: Final architecture with documented details, demonstrating diagnosing a malicious activity and unauthorized modification on software/hardware; documented application programming interfaces; any other necessary documentation (including, at a minimum, user manuals and a detailed system design document; and the end of phase commercialization plan). PHASE III DUAL USE APPLICATIONS: The Phase III work will be oriented towards transition and commercialization of the developed 2-D Polyglots technologies. The proposer is required to obtain funding from either the private sector, a non-SBIR Government source, or both, to develop the prototype software into a viable product or non-R&D service for sale in military or private sector markets. Phase III refers to work that derives from, extends, or completes an effort made under prior SBIR funding agreements, but is funded by sources other than the SBIR Program. Outcomes have the potential to significantly benefit the DoD and numerous commercial entities by improving knowledge of 2D codes including capabilities and vulnerabilities. Specifically, in the DoD space, 2D Polyglots technologies will be able to provide new data transfer methods utilizing 2D codes and highlight any potential vulnerabilities in current 2D codes used across the DoD enterprise. The development of polyglot technologies will have security benefits across the defense industrial base (DIB). REFERENCES: 1. Dabrowski, A., Krombholz, K., Ullrich, J. and Weippl, E.R., 2014, November. QR inception: Barcode-in-barcode attacks. In Proceedings of the 4th ACM workshop on security and privacy in smartphones & mobile devices (pp. 3-10). 2. Dabrowski, A., Echizen, I. and Weippl, E.R., 2015, May. Error-correcting codes as source for decoding ambiguity. In 2015 IEEE Security and Privacy Workshops (pp. 99-105). IEEE. 3. Kieseberg, P., Leithner, M., Mulazzani, M., Munroe, L., Schrittwieser, S., Sinha, M. and Weippl, E., 2010, November. QR code security. In Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia (pp. 430-435). 4. Focardi, R., Luccio, F.L. and Wahsheh, H.A., 2019. Usable security for QR code. Journal of Information Security and Applications, 48, p.102369. KEYWORDS: Information assurance, computing and software technology, electro-optical sensors, cybersecurity, authentication, confidentiality, QR codes, Data Matrix, PDF417, MaxiCode, and 2D codes.