You are here

Third Party Verification of COTS Compliance with Requirements (VeriCoR)

Award Information
Agency: Department of Defense
Branch: Defense Advanced Research Projects Agency
Contract: W31P4Q-22-C-0005
Agency Tracking Number: D2D-0170
Amount: $1,490,668.47
Phase: Phase II
Program: SBIR
Solicitation Topic Code: HR001121S0007-08
Solicitation Number: HR001121S0007.I
Timeline
Solicitation Year: 2021
Award Year: 2022
Award Start Date (Proposal Award Date): 2021-11-22
Award End Date (Contract End Date): 2024-02-23
Small Business Information
1855 First Ave, 103
San Diego, CA 92101-2650
United States
DUNS: 828934914
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
 Ulrich Lang
 (650) 515-3391
 ulrich.lang@objectsecurity.com
Business Contact
 Ulrich Lang
Phone: (650) 515-3391
Email: ulrich.lang@objectsecurity.com
Research Institution
N/A
Abstract

There is currently an explosion of the adoption of embedded devices (esp. around Internet of Things, IoT). Based on recent incidents related to attacks against industrial sensor and wireless networks, there are concerns about significant risks related to the quality of performance of such devices. Additionally, embedded systems requirements testing is typically currently done at the DevOps stage. However, for purchased third-party COTS devices, the buyer is not part of the DevOps process and is not supported by the testing tool landscape. We propose “VeriCoR” (Third Party Verification of COTS Compliance with Requirements), a solution for automated analysis of embedded devices with support for Human-in-the-Loop (HITL) operation. The goal of the current system is to achieve outstanding levels of coverage for both device specifications and operator usability, with as much automation as possible. At its heart, our system is driven by a novel Domain Specific Language (DSL) which acts as a bridge between the operator and low-level implementation of instruments performing binary analysis. The analysis results from lifting operations where binaries are made available in formats including Intermediate Representation (IR), Intermediate Language (IL), Assembly (ISA), and high-level programming language (C). In these forms, and relative to platforms including Ghidra and S2E, lifted binary becomes available for analysis in static and dynamic forms. We have previously identified the ability for static analysis to meet code quality, code inclusion, and library import quality standards and specifications. We have previously demonstrated these functions to be fully automated with a binary input and explicit specification of strings, patterns, and dates to include as constraints. As a dedicated cybersecurity company, ObjectSecurity has over 20 years’ experience in evaluating static code representations for security-related specifications and 15 years of experience encoding security policies and specifications in middle and high-level Domain Specific Languages (DSLs). Our proposal is intended to analyze COTS testbed devices covering a variety of industrial use cases as previously carried out for Navy and DoD initiatives. We present novel experimentation, testing, and validation methodologies (including using Artificial Intelligence and Machine Learning, AI/ML) that will be incorporated for advanced analysis and feedback features to benefit automation and accuracy of fielded systems. Our solution will support a range of operator expertise, from novice to experts, with dedicated DSL IDE support and reporting features including rendering capabilities to concise textual, verbose/auditable textual, and visual/graphical outputs. Additional features are outlined to support functional prototype development and support for APIs, customizable device specifications, independent validations, and future enhancements

* Information listed above is at the time of submission. *

US Flag An Official Website of the United States Government