ARLINGTON, Va. – U.S. military researchers are hiring two U.S. companies for a new project to safeguard military trusted computing systems and networks from cyber attacks that exploit unauthenticated or potentially compromised electronic documents sent in a variety of electronic data formats.
Officials of the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., announced contracts Wednesday to Galois Inc. in Portland, Ore., and to the Northrop Grumman Corp. Technology Services segment in Herndon, Va. for the Safe Documents (SafeDocs) program.
SafeDocs seeks radical improvements in software's ability to reject invalid and maliciously crafted input data safely, while preserving the look and feel of relatively old electronic data formats. Galois won a $16.5 million DARPA SafeDocs contract, and Northrop Grumman won a collective $1.9 million in a base SafeDocs contract and options.
DARPA researchers want the SafeDocs contractors to build knowledge of electronic document, message, and streaming formats, as well as the nature of their security vulnerabilities to provide cyber attack defenses.
The program will develop verified programming methodologies for building high-assurance parsers for electronic data formats, and ways to comprehend, simplify, and reduce these formats to their safe subsets.
SafeDocs will address the ambiguity and complexity obstacles to the application of verified programming posed by extant electronic data formats.
Electronic documents are ubiquitous and essential to all aspects of modern life, DARPA researchers point out. Individuals and organizations must engage routinely with electronic documents from a variety of unauthenticated or potentially compromised electronic documents and data formats. Even if today's cyber security measures can authenticate the sender, the data itself may come from an untrusted source.
Internet users expect to receive pictures, charts, spreadsheets, maps, audio, and video with a click of a button. Still, the complexity of managing such electronic data makes the recipient software vulnerable to cyber attack. This situation is unsustainable, DARPA experts claim.
To alleviate these kinds of problems, DARPA wants SafeDocs contractors to help restore trust in electronic documents and messages by mitigating one of the root causes of the Internet insecurity epidemic -- the exploitation of software's input-handling weaknesses by complex, maliciously crafted data inputs.
Today’s risks of allowing software to interact with untrusted electronic documents and messages approach those of downloading and running untrusted programs, experts say.
The SafeDocs program will look for ways of assuring that electronic documents are safe to open. The goal is creating computer systems and networks that are more secure and faster to run and test.
The program’s multi-pronged approach will combine extracting de facto syntax of electronic document formats, and identifying a simple syntax subset to verify programming while preserving the document's look and feel. It also will create software construction kits for building secure and verified parsers, as well as translators for converting formats to this subset.
DARPA researchers want to make these parser construction kits available to industry programmers who understand the syntax of electronic data formats but lack the theoretical background in verified programming. These tools will help guide the syntactic design of new formats by making verification-friendly format syntax easy to express.
Galois experts will do their SafeDocs work in Portland, Ore., and should be finished by May 2023. Northrop Grumman's work location and finish date were not specified.