Researchers ask industry for information security measures to safeguard legacy software from cyber attacks

ARLINGTON, Va. – U.S. military information security researchers are asking industry to find new ways of hardening large legacy software systems from potential cyber attacks.

Officials of the U.S. Defense Advanced Research Projects Agency (DARPA) released a broad agency announcement on Tuesday (HR001123S0028) for the Compartmentalization and Privilege Management (CPM) project.

DARPA CPM seeks to develop a set of analysis tools, hardware, and software infrastructure automatically to segment large legacy software systems into performant limited-privilege fine-grained compartments that prevent initial penetrations from turning into successful cyber attacks. The project involves automated compartmentalization, privilege enforcement, and evaluation support.

A successful cyber attack typically involves a sequence that moves from initial system penetration to privilege escalation and lateral motion, to a full-scale cyber attack.

Related: U.S. Space Force reaches out to industry for electronic surveillance and communications satellite payloads

An initial penetration seeks to increase the attacker’s privilege level, and then and to enable lateral movement within the compromised system. Ultimately, the attacker’s goal is to use the unauthorized privileged access to locate and exfiltrate sensitive information or to disrupt normal operations.

Traditional defenses against cyber attacks have focused on keeping an attacker out and eliminating exploitable bugs in code. The CPM program focuses instead on blocking privilege escalation and lateral movement -- even if there has been an initial penetration.

CPM technology will provide the capability to restructure a system into one that would prevent such campaigns from moving beyond their initial penetration.

Related: The sensor- and signal-processing challenges of electronic warfare

The first phase of the CPM program will use the open-source Linux operating system as the target for testing and evaluation. The second phase will focus on applying the tools and capabilities to securing applications like web browsers, web servers, database management systems.

CPM is divided into three technical areas: automated compartmentalization; privilege policy enforcement; and evaluation support. A new solicitation for a fourth technical area, DOD system experimentation, is anticipated prior to Phase 2.

Companies interested should upload abstracts no later than 18 April 2023 and full proposals by 6 June 2023 to the DARPA BAA website at https://baa.darpa.mil.