Description:
TECHNOLOGY AREA(S): Electronics, Information Systems
OBJECTIVE: Define new cyber techniques and develop technologies for automatically generating and injecting realistic vulnerabilities into large code bases for the purpose of testing and evaluating cyber security tools and capabilities, and to enable novel pedagogical tools such as customized capture-the-flag competitions.
DESCRIPTION: There is a critical DoD need for improved cyber defensive capabilities. The evaluation of cyber defensive security mechanisms is difficult and ad hoc. To compare the efficacy of different techniques, tools and technologies, analysts typically rely on synthetic benchmarks that either present a sample of existing vulnerabilities or a potpourri of synthetic test cases. Given the limited availability of such benchmarks, cyber security mechanisms are tuned to succeed on the benchmarks themselves (high precision and recall) rather than on unseen software. Ideally, evaluation should rely on automated mechanisms that can systematically inject realistic vulnerabilities into arbitrary software programs with enough understanding of the underlying computation to guide the evaluation of a wide range of security mechanisms (e.g., dynamic versus static analysis techniques). To achieve such program understanding, a combination of techniques may be necessary. For example, targeted symbolic execution may be used to discover program paths that could be used to generate vulnerabilities (e.g., integer overflows). The program paths (i.e., symbolic constraints) could then be modified using information from formal methods (e.g., using SMT solvers) to generate and inject new code, at the source level or binary level, that is provably vulnerable (e.g., the system can prove that the generated conditions along a specific program path can lead to an integer overflow). The code may then be obfuscated, using previously learned bug patterns, to appear similar to native vulnerable code. Goal-directed branch enforcement may be used to select only the relevant conditions required to reach a specific program path.
PHASE I: Conduct a feasibility study to determine innovative cyber techniques and mechanisms that are capable of automatically generating and injecting realistic vulnerabilities into real-world applications written in C or C++. Design, prototype, and evaluate a concept system for automatic generation and insertion of vulnerability test cases using a single vulnerability class (e.g., integer overflows) and support a small set of vulnerability hiding techniques (e.g., masquerade as an incomplete integer-overflow check). The Phase I final report shall include a test methodology and success criteria for the technology.
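The following is an added illustration, not code from the solicitation or from any offeror: it shows what one injected integer-overflow test case of the kind described above and in the Phase I example might look like in C. The record header, field names, the FLAG_COMPRESSED / RECORD_SIZE / MAX_RECORDS constants and the "version 2, compressed" target path are all hypothetical. The injector's three ingredients appear as three predicates: the path condition that goal-directed branch selection would isolate (on_target_path), the overflow condition an SMT solver would be asked to satisfy (product_wraps), and a concrete witness (smallest_wrapping_count) standing in for the solver's model. The hiding technique is the Phase I one: the guard looks like an overflow check but bounds the element count instead of the product, so it is incomplete.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record header used as the injection target (constructed for this example). */
struct hdr {
    uint8_t  version;
    uint8_t  flags;
    uint32_t count;   /* attacker-controlled number of RECORD_SIZE-byte records */
};

#define FLAG_COMPRESSED 0x02u
#define RECORD_SIZE     16u
#define MAX_RECORDS     0x40000000u  /* hypothetical "limit"; too large to stop a 32-bit wrap */

/* Path predicate: the injector rewrites only the compressed v2 path, so a tool that does
 * not reason about path conditions sees a correct guard on every other path. */
static bool on_target_path(const struct hdr *h) {
    return h->version == 2 && (h->flags & FLAG_COMPRESSED);
}

/* Overflow predicate: true when count * RECORD_SIZE wrapped modulo 2^32.
 * Unsigned wraparound is well-defined in C, so this can be evaluated safely. */
bool product_wraps(uint32_t count) {
    uint32_t bytes = count * RECORD_SIZE;
    return count != 0 && bytes / RECORD_SIZE != count;
}

/* Smallest count satisfying product_wraps(); stands in for the witness an SMT solver
 * would return for the constraint (count * 16) mod 2^32 < count. */
uint32_t smallest_wrapping_count(void) {
    return UINT32_MAX / RECORD_SIZE + 1u;   /* 0x10000000 */
}

/* Original (correct) size computation: the guard bounds the product, so no count wraps it. */
bool alloc_bytes_original(const struct hdr *h, uint32_t *bytes) {
    if (h->count == 0 || h->count > UINT32_MAX / RECORD_SIZE) return false;
    *bytes = h->count * RECORD_SIZE;
    return true;
}

/* Injected variant: on the target path the guard is swapped for one that masquerades as an
 * overflow check but only bounds count. Off-path behaviour is left exactly as before. */
bool alloc_bytes_injected(const struct hdr *h, uint32_t *bytes) {
    if (!on_target_path(h)) return alloc_bytes_original(h, bytes);
    if (h->count == 0 || h->count > MAX_RECORDS) return false;   /* incomplete guard */
    *bytes = h->count * RECORD_SIZE;                             /* wraps for count >= 0x10000000 */
    return true;
}

/* The "provably vulnerable" condition evaluated on a concrete input: the target path is
 * reached, the injected guard accepts the input, and the product wraps. */
bool witness_triggers(const struct hdr *h) {
    uint32_t bytes;
    return on_target_path(h) && alloc_bytes_injected(h, &bytes) && product_wraps(h->count);
}

int main(void) {
    struct hdr w = { 2, FLAG_COMPRESSED, smallest_wrapping_count() };
    uint32_t bytes = 0;
    alloc_bytes_injected(&w, &bytes);
    printf("on-path  count=0x%08x accepted, allocates %u bytes, wrapped=%d\n",
           w.count, bytes, product_wraps(w.count));

    struct hdr off = { 1, FLAG_COMPRESSED, w.count };   /* same count, off the target path */
    printf("off-path count=0x%08x accepted=%d\n", off.count, alloc_bytes_injected(&off, &bytes));
    return 0;
}
```

Because the wrap occurs only when both the path condition and the size constraint hold, the test case discriminates between tools: a path-insensitive static checker that sees a bounds check on count reports nothing, a symbolic executor that reaches the v2-compressed path and models 32-bit arithmetic finds the witness, and a fuzzer finds it only if its mutations cross the 0x10000000 boundary while holding version and flags fixed.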
PHASE II: Further develop the initial Phase I results to expand the scale of code that can be ingested, increase the number of vulnerability classes supported, and develop additional hiding techniques. The prototype will support multiple techniques for testing the efficacy of vulnerability detection techniques (e.g., add non-fix-point loops to defeat static analysis tools, cryptographic computations to stall symbolic execution engines, and input checks to block fuzzing). Support of at least one additional language (e.g., Java) will be explored, with initial proof-of-concept capability developed. Demonstrate the resulting prototype in accordance with the success criteria developed in Phase I. The Phase II final report shall include test results and a software prototype.
PHASE III DUAL USE APPLICATIONS: The commercial sector shares these concerns about the effectiveness of its cyber defensive capabilities and needs security mechanisms that can be tuned automatically and that aid in evaluating its cyber defensive technologies, tools, and systems against its adversaries. Commercial benefits include increased protection of critical infrastructure environments (e.g., nuclear, electrical, transportation) against cyber attack. As part of Phase III, the developed system should be transitioned into an enterprise-level tool that can be used to evaluate third-party vulnerability detection mechanisms. The DoD and the commercial world have similar challenges with respect to maintaining the integrity of their computing and communications infrastructure. Thus, the resulting cyber security techniques and technologies are directly transitionable to the DoD for use by the services within a laboratory environment (e.g., Space and Naval Warfare Systems Center (SSC) Pacific's Combined Test Bed) or a simulated operational environment.
KEYWORDS: Cyber defensive security mechanisms; realistic vulnerability injection; automatically tunable cyber mechanisms; test and evaluation; cyber defense.