Software Assurance            Software Hardening            Autonomic Computing

DARPA Selects GrammaTech to Detect Denial-of-Service (DoS) Vulnerabilities in Software

GrammaTech awarded contract for DARPA’s Space/Time Analysis for Cybersecurity (STAC) program

ITHACA, NY – GrammaTech, Inc., a leading research center for cybersecurity solutions, announced today that it has been awarded a contract from the U.S. Defense Advanced Research Projects Agency (DARPA) to develop technology to detect Denial-of-Service (DoS) vulnerabilities in software, and other security vulnerabilities based on space and time complexities of the code.

Looking for innovative approaches that would enable revolutionary advances, DARPA has selected GrammaTech to tackle this problem within their Space/Time Analysis for Cybersecurity (STAC) program. The initiative seeks to enable analysts to identify two important classes of security vulnerabilities that are based on the program’s usage of space and time. GrammaTech will build technology to automatically detect these vulnerabilities.

The first type, Algorithmic Complexity Vulnerabilities, allow an attacker to create inputs that can cause excessive resource consumption, frequently used to mount Denial-of-Service (DoS) attacks that disrupt a software application’s responsiveness. DoS attacks have become extremely powerful, most recently targeting GitHub, for example, successfully causing disruption for almost five days.

The second type of vulnerabilities, called Side-Channel Leaks, allow an attacker to infer confidential information by observing software’s usage of time and space. As recently reported by Forbes, researchers are calling this type of attack "the spy in the sandbox," as attackers gain information by spying on physical activity, such as timing information.

GrammaTech’s technology will detect these classes of vulnerabilities in Java bytecode, without requiring access to program source code. Building on its leading static analysis technologies, GrammaTech will also collaborate with leading research universities. Researchers at Yale University will contribute recent breakthroughs in amortized resource-bound analysis, and researchers at the University of Wisconsin-Madison will contribute seminal work in shape analysis, which will enable the combined technology to capture the dependence of resource use on linked data structures.

"DoS attacks on critical national infrastructure are particularly troublesome, for example, the recent attacks (attributed to Iran) on Wells Fargo, Bank of America, Chase, and other banks," said Tim Teitelbaum, GrammaTech’s CEO. "This project, along with other contracts GrammaTech is currently working on with DARPA, is intended to solve a major cybersecurity threat to our nation."

In addition to the STAC program, GrammaTech is working on several large cybersecurity initiatives with DARPA, including the Vetting Commodity IT Software and Firmware (VET) program, Mining and Understanding Software Enclaves (MUSE) program, and Cyber Grand Challenge (CGC). In all of these research initiatives, GrammaTech is able to leverage many innovative technologies previously developed by GrammaTech’s research team, as well as the source-code and machine-code analyses in its commercial products, CodeSurfer and CodeSonar, to push the boundaries of scalability, precision, and automation, ultimately advancing the science of software analysis.

About GrammaTech:
GrammaTech tools are used by software developers worldwide, spanning a myriad of software industries including avionics, government, medical, military, industrial control, and other applications where reliability and security are paramount. Born from research carried out at Cornell University, GrammaTech is now a leading research center for software security and a commercial vendor of software-assurance tools and advanced cybersecurity solutions. With both static and dynamic analysis tools that analyze source code as well as machine code, GrammaTech continues to advance the science of software analysis, providing technology for developers to produce safer and more secure software.