You are here

Automatic Detection and Patching of Vulnerabilities in Embedded Systems


OBJECTIVE: Develop innovative techniques to automatically detect and automatically patch vulnerabilities in networked, embedded systems. DESCRIPTION: Embedded systems form a ubiquitous, networked, computing substrate that underlies much of modern technological society. Examples include: supervisory control and data acquisition (SCADA) systems, medical devices, computer peripherals, communication devices, and vehicles. Networking these embedded systems enables remote retrieval of diagnostic information, permits software updates, and provides access to innovative features, but it also introduces vulnerabilities to the system via remote attack. A study by Cui and Stolfo [1] showed that there exist an extensive number of unsecured, embedded, networked devices that are trivially vulnerable to exploitation by remote attackers. Furthermore, a recent report by McAfee Labs [2] predicted that in 2012, industrial threats to SCADA systems and industrial controller systems (ICS) will mature and segment and that embedded hardware attacks will widen and deepen. The state of the practice of security for traditional IT systems is anti-virus scanning, intrusion detection systems, and a patching infrastructure. This approach does not work well in the IT space for a variety of reasons, including its focus on known vulnerabilities and the fact that security code can itself introduce new vulnerabilities. Attempts to port these approaches to embedded systems are unlikely to be any more successful because embedded systems impose additional difficulties, such as, strict resource constraints, hard real-time performance requirements, reliability over long periods of time, and the need for extensive verification and validation before patches can be installed [3]. Currently, only a small amount of research has been dedicated to developing techniques for detecting and patching vulnerabilities in embedded systems [4]. DARPA seeks to develop novel technology for automatically detecting and automatically patching vulnerabilities in networked, embedded systems. The technology should represent practical and effective techniques that can be applied to a wide-range of embedded system platforms. In addition, the techniques should be versatile such that it can be implemented on systems externally networked by various mechanisms, including, Bluetooth, Wi-Fi, radios, etc. In the defense sector, this technology will lead to more secure military systems ranging from unmanned ground, air and underwater vehicles, to weapons systems, satellites, and command and control devices. Manual techniques for detecting and patching vulnerabilities are not within the scope of this topic and should not be submitted for consideration. PHASE I: Develop novel techniques for automatic detection and automatic patching of vulnerabilities in networked, embedded systems. Required Phase I deliverable includes a final report that details the proposed techniques, the level of vulnerability expected to be achieved by the techniques, and the anticipated amount of software development required. PHASE II: Demonstrate that the techniques from Phase I can be practically and effectively applied to any general networked, embedded system connected by any external means, such as, Bluetooth, Wi-Fi, radios, etc. Required Phase II deliverables include all documentation and software for the techniques and a demonstration of the techniques on multiple networked, embedded system platforms. PHASE III: It is envisioned that this technology can be applied to both defense (e.g., unmanned ground, air and underwater vehicles, weapons systems, satellites, and command and control devices) and commercial (e.g., SCADA systems, medical devices, computer peripherals, communication devices, and vehicles) sectors. Develop a commercial service or product of this technology that can be commercialized into the private sector. For example, this technology can be integrated into a larger security software product suite (i.e., McAfee, Symantec, etc.) and would represent a specialized tool that can be applied specifically on networked, embedded systems, as opposed to current security tools designed specifically for traditional IT systems. REFERENCES: 1) A. Cui and S. Stolfo,"A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan", ACSAC, pages 97-106, 2010. 2) McAfee Labs, 2012 Threats Predictions, 3) C. Ebert and C. Jones,"Embedded Software: Facts, Figures, and Software", IEEE Computer Society, pages 42-52, April 2009. 4) A. Cui and S. Stolfo,"Defending Legacy Embedded Systems with Software Symbiotes", The 14th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2011.
US Flag An Official Website of the United States Government