DARPA to hunt for space and time vulnerabilities of software algorithms

The STAC program is looking for techniques to find flaws in algorithms that could leak information or enable denial of service attacks.

In the endless chess game of cybersecurity, the Defense Advanced Research Projects Agency wants to think a few moves ahead, with a new program that will search for revolutionary ways to deal with vulnerabilities inherent in software algorithms.

When defensive techniques close off one vulnerability, hackers inevitably move on to the next. They have exploited flawed implementations of algorithms for several years, the agency said, but as implementation defenses improve, hackers will move on to flaws in the algorithms themselves. So the agency’s Space/Time Analysis for Cybersecurity (STAC) program wants to identify vulnerabilities in software algorithms’ space and time resource usage, according to a presolicitation. These vulnerabilities, inherent to many types of software, can be used to carry out denial of service attacks or steal information.

For instance, hackers can deny service to users by inputting code that causes one part of a system to consume space and time to process that input, potentially disabling the entire system. Also, hackers indirectly observing the space and time characteristics of output could potentially deduce hidden information. Adversaries with adequate knowledge of these “side-channels” could then obtain secret information without direct observation.
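As an added illustration of the side-channel case (not from the article or from DARPA), the sketch below counts loop iterations as a deterministic stand-in for running time, comparing a typical early-exit equality check with a version that does the same work for every input. The function names and the sample secret are constructed for this example.

```python
# Added illustration: operation counts stand in for execution time,
# so the result is deterministic and does not depend on the machine.

SECRET = b"s3cr3t-token"  # constructed sample value, 12 bytes


def early_exit_equal(secret, guess):
    """Typical comparison: returns at the first mismatching byte."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps  # work done depends on secret data
    return True, steps


def constant_time_equal(secret, guess):
    """Hardened comparison: touches every byte and accumulates differences."""
    steps = 0
    diff = len(secret) ^ len(guess)  # length mismatch also marks a difference
    for i in range(len(secret)):
        steps += 1
        g = guess[i] if i < len(guess) else 0
        diff |= secret[i] ^ g
    return diff == 0, steps


def step_profile(compare, secret):
    """Steps used for wrong guesses that share 0..len-1 leading bytes with secret."""
    profile = []
    for k in range(len(secret)):
        # k correct bytes, one deliberately wrong byte, then zero padding
        wrong = bytes([secret[k] ^ 0xFF])
        guess = secret[:k] + wrong + b"\x00" * (len(secret) - k - 1)
        _, steps = compare(secret, guess)
        profile.append(steps)
    return profile


if __name__ == "__main__":
    # Early exit: step count rises with the matching prefix length (a leak).
    print("early exit   :", step_profile(early_exit_equal, SECRET))
    # Constant time: every wrong guess costs the same number of steps.
    print("constant time:", step_profile(constant_time_equal, SECRET))
```

In production Python code, `hmac.compare_digest` from the standard library provides this kind of comparison; the step counter here exists only to make the difference visible.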

The primary problem presented by these vulnerabilities is that they are inherent in algorithms themselves, DARPA said. Thus, they cannot be mitigated through traditional defensive techniques.

Instead, the STAC program is looking at new program analysis techniques that could allow analysts to find those vulnerabilities and predict where leaks and denial of service might be possible. These new techniques and tools would enable a methodical search for vulnerabilities in critical government, military and economic software. 

For those tools, the program is looking for scale and speed. With regard to scale, the techniques would have to be capable of handling larger software, ranging from hundreds of thousands to several million lines of source code. They will also have to work quickly by increasing precision and reducing the need for manual annotation.

The program will feature four technical areas. The first, TA1, is for the development of the new program analysis tools and techniques. TA2 represents the opposite—performers will create challenge programs with algorithm vulnerabilities built into them that will be used to measure technical progress. The third technical area will involve a control team that will operate alongside the R&D teams to create a baseline comparison. And lastly, TA4 will select an Experimental Lead performer to plan each engagement, manage the event, and collect measurements, according to the solicitation.  

DARPA will hold a Proposers’ Day to familiarize potential participants with the program on Sept. 22, 2014, in Arlington, Virginia. Prior registration is required no later than Sept. 18, 2014.

The final date to respond to the presolicitation is Oct. 28, 2014. Research resulting in evolutionary improvements to the existing state of practice is specifically excluded.