In the endless chess game of cybersecurity, the Defense Advanced Research Projects Agency wants to thinks a few moves ahead, with a new program that will search for revolutionary ways to deal with vulnerabilities inherent in software algorithms.
When defensive techniques close off one vulnerability, hackers inevitably move on to the next. They have exploited flawed implementations of algorithms for several years, the agency said, but as implementation defenses improve, hackers will move on to flaws in the algorithms themselves. So the agency’s Space/Time Analysis for Cybersecurity (STAC) program wants to identify vulnerabilities in software algorithms’ space and time resource usage, according to a presolicitation. These vulnerabilities, inherent to many types of software, can be used to carry out denial of service attacks or steal information.
For instance, hackers can deny service to users by inputing code that causes one part of a system to consume space and time to process that input—potentially disabling the entire system. Also, hackers indirectly observing the space and time characteristics of output could potentially deduce hidden information. Adversaries with adequate knowledge of these “side-channels” could then obtain secret information without direct observation.
The primary problem presented by these vulnerabilities is that they are inherent in algorithms themselves, DARPA said. Thus, they cannot be mitigated through traditional defensive techniques.
Instead, the STAC program is looking at new program analysis techniques that could allow analysts to find those vulnerabilities and predict where leaks and denial of service might be possible. These new techniques and tools would enable a methodical search for vulnerabilities in critical government, military and economic software.