
Automatic Detection and Patching of Vulnerabilities in Embedded Systems

Award Information
Agency: Department of Defense
Branch: Defense Advanced Research Projects Agency
Contract: W31P4Q-14-C-0083
Agency Tracking Number: D2-1303
Amount: $1,500,000.00
Phase: Phase II
Program: SBIR
Solicitation Topic Code: SB131-003
Solicitation Number: 2013.1
Timeline
Solicitation Year: 2014
Award Year: 2014
Award Start Date (Proposal Award Date): 2014-05-19
Award End Date (Contract End Date): 2017-05-17
Small Business Information
531 Esty Street
Ithaca, NY 14850
United States
DUNS: 603978321
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
 Denis Gopan
 Senior Scientist
 (607) 273-7340
 gopan@grammatech.com
Business Contact
 Mr. Derek Burrows
Title: program manager
Phone: (607) 273-7340
Email: dburrows@grammatech.com
Research Institution
N/A
Abstract

Recent studies have shown that embedded systems are extremely vulnerable to security attacks. Some published exploits include remote hijacking of the electronic systems in a modern car and using IP phones and smart televisions to perform covert surveillance of their owners. In this project, we are building a system that removes known vulnerabilities from embedded software and adds protections to prevent exploits of undiscovered vulnerabilities; by integrating with vulnerability detection technology, we will largely automate vulnerability patching, although without formal specifications, some human review will be necessary. Our system uses static rewriting of the software binaries either prior to or after deployment and will integrate with and complement other GrammaTech tools developed under various DoD contracts. The proposed system will operate directly on software binaries, even in the absence of source code or symbol information, applying both to newly developed software and legacy software. The system will be retargetable to different instruction sets to accommodate a variety of embedded systems platforms. To ensure that added protections do not break the functionality of a program, the proposed system will verify that the rewritten program is semantically equivalent to the original program, except for the corrected flaws.

* Information listed above is at the time of submission. *
