DARPA solicitation seeks new methods to stop hacking, data breaches

DARPA is concerned that hackers might steal sensitive data from web browsers and other apps.

Worried that hackers can steal sensitive data from web browsers and other apps, DARPA is looking for ways to keep that data secure.

"Applications are increasingly data-rich, yet the security protections available for the most popular platforms do not provide any data controls within the context of a single application," notes the DARPA research solicitation, titled "Mitigating Data-Oriented Application Exploits via Application Data Sandboxing."
In particular, attackers are exploiting memory corruption vulnerabilities to read or alter an application's data. Widely deployed defenses such as data-execution prevention and control-flow integrity are aimed at attempts to hijack a program's control flow; they do nothing against attacks that leave control flow intact and only leak or modify data (non-control-data, or "data-oriented," attacks), so many applications remain exposed to data breaches even with those protections enabled.
DARPA is looking for "a framework for application data sandboxing (or isolation, partitioning, etc.) of data-rich applications that provide data security, both in terms of confidentiality and integrity, thereby preventing or significantly limiting both the modification and disclosure of security-relevant data used by an application."
"The framework should be transparent to the user, not interfere with normal application functionality, not require extensive manual software re-architecting, and should operate with minimal negative performance impact under normal usage of the application," DARPA said. "The approaches taken should, for example, identify security-relevant data, partition the data into appropriately sized groupings of data and the code that may access those data groupings, then enforce the partitioning at runtime."
Phase I of the project will involve a feasibility study and conceptual framework. "The framework should prevent or significantly limit the modification and disclosure of security-relevant data used by an application (e.g., cryptographic keys, passwords, personal and banking information, configuration settings) in the presence of a memory disclosure (or modification) attack," said DARPA.
Phase II will involve a working prototype system that can be used by military organizations such as the Navy's Space and Naval Warfare Systems Center and the Air Force Research Laboratory. While the project is aimed at securing Department of Defense applications, it will also have dual-use utility in civilian critical infrastructure such as health care, transportation and the electrical grid.
