
Data Sandboxing for Software Binaries

Award Information
Agency: Department of Defense
Branch: Defense Advanced Research Projects Agency
Contract: 140D6318C0079
Agency Tracking Number: D173-003-0067
Amount: $149,903.08
Phase: Phase I
Program: SBIR
Solicitation Topic Code: SB173-003
Solicitation Number: 2017.3
Timeline
Solicitation Year: 2017
Award Year: 2018
Award Start Date (Proposal Award Date): 2018-05-02
Award End Date (Contract End Date): 2019-02-01
Small Business Information
531 Esty Street
Ithaca, NY 14850
United States
DUNS: 603978321
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
 Denis Gopan
 (607) 273-7340
 gopan@grammatech.com
Business Contact
 Derek Burrows
Phone: (607) 737-7340
Email: dburrows@grammatech.com
Research Institution
N/A
Abstract

Data-rich applications, such as web servers, web browsers, and document editors, are inherently vulnerable to non-control data attacks, i.e., attacks that exploit memory corruption vulnerabilities to leak or corrupt sensitive data. We propose Dobby, a tool that statically transforms software binaries to integrate run-time checks ensuring illicit data flows caused by memory corruption errors in the program cannot be used to compromise integrity and confidentiality of the program's data. To minimize the impact of dynamic checking on software runtime, the tool will apply protections heterogeneously: stronger, and thus more expensive, protections will be used to secure the data that is security-sensitive, while low-cost, coarse sandboxing will protect the rest of the data. Additionally, Dobby will detect and isolate private data contexts in data-rich applications (e.g., independent requests handled by a web server or pages visited by a web browser). Dobby will be able to protect COTS and legacy binaries, for which source code is typically not available. In case there is access to buildable source code, the tool will provide the capability for leveraging compile-time information for added accuracy and efficiency.

* Information listed above is at the time of submission. *
