Penn State receives part of $4M DARPA grant to detect malicious code in software

Jenny Latchford
November 20, 2013

UNIVERSITY PARK, Pa. -- A team of Penn State and Carnegie Mellon University researchers has received a $4 million Defense Advanced Research Projects Agency (DARPA) grant to develop a program to expose backdoors and hidden malicious functionality on information technology devices.

The four-year grant is for Vetting Whole COTS Systems for Safety Against Malicious Functionality. Trent Jaeger, professor of computer science and engineering, is co-principal investigator and leader of the Penn State effort.

As part of the grant, Penn State will receive $970,000 to focus on examining missing and misplaced authorization checks in commercial off-the-shelf software, or COTS.

The DARPA grant is part of the agency's Vetting Commodity IT Software and Firmware (VET) program designed to address the threat of malicious code.

"(The Department of Defense) relies on millions of devices to bring network access and functionality to its users," said Tim Fraser, DARPA program manager. "Rigorous vetting of software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."

As part of the effort, Jaeger said, "Penn State will develop methods for inferring missing authorization checks in binary code. Adversaries can take advantage of such flaws by providing inputs that induce vulnerable programs to operate on data in unauthorized ways. The goal is to ensure that each security-sensitive operation is mediated by an authorization check. While mediating operations may appear to be simple enough, what causes a program operation to become security-sensitive is often ambiguous and the placement of authorization checks must satisfy multiple, complex properties to actually enforce an access control policy correctly."
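The property Jaeger describes, that every security-sensitive operation is reached only through an authorization check, can be illustrated with a small source-level checker. The example below is added here and is not code from Penn State, Carnegie Mellon or the VET program; the real work targets binary code, whereas this walks Python syntax trees. The operation names (`delete_record`, `write_config`), the check name (`authorized`) and the three sample functions are constructed for the example. It reports sensitive calls that are not dominated by a check, including the "misplaced" cases where the check exists but comes too late or covers only one branch.

```python
"""Flag security-sensitive calls that are not mediated by an authorization check.

Added example, not part of the original press release. Names below are constructed.
"""
import ast

SENSITIVE_OPS = {"delete_record", "write_config"}   # constructed operation names
AUTH_CHECK = "authorized"                           # constructed check name


def _is_call_to(node, names):
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id in names)


def _contains_auth_call(expr):
    return any(_is_call_to(n, {AUTH_CHECK}) for n in ast.walk(expr))


def _always_exits(body):
    # A guard body ending in raise/return means the code after the `if`
    # only runs when the check passed (early-exit mediation pattern).
    return bool(body) and isinstance(body[-1], (ast.Return, ast.Raise))


def _scan_body(stmts, guarded, findings):
    for stmt in stmts:
        if isinstance(stmt, ast.If) and _contains_auth_call(stmt.test):
            negated = isinstance(stmt.test, ast.UnaryOp) and isinstance(stmt.test.op, ast.Not)
            _scan_body(stmt.body, guarded or not negated, findings)   # `if authorized(...)`: body mediated
            _scan_body(stmt.orelse, guarded or negated, findings)     # `if not authorized(...)`: else mediated
            if negated and _always_exits(stmt.body):
                guarded = True                                         # everything after the guard is mediated
        elif isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue                                                   # nested definitions are analysed on their own
        elif isinstance(stmt, (ast.If, ast.For, ast.While, ast.With, ast.Try)):
            # Compound statement without a check in its header: inner blocks inherit
            # the current state (header expressions themselves are not scanned).
            for field in ("body", "orelse", "finalbody"):
                _scan_body(getattr(stmt, field, []), guarded, findings)
            for handler in getattr(stmt, "handlers", []):
                _scan_body(handler.body, guarded, findings)
        else:
            for node in ast.walk(stmt):
                if _is_call_to(node, SENSITIVE_OPS) and not guarded:
                    findings.append((node.func.id, node.lineno))


def find_unmediated_ops(source):
    """Return (function, operation, line) for every sensitive call reachable
    without an authorization check on its control-flow path."""
    tree = ast.parse(source)
    findings = []
    for fn in ast.walk(tree):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            local = []
            _scan_body(fn.body, False, local)
            findings.extend((fn.name, op, line) for op, line in local)
    return findings


# Constructed samples: no check at all, a check that is present but misplaced,
# and two correctly mediated forms.
VULNERABLE_SRC = '''\
def remove(user, record_id):
    delete_record(record_id)
'''

MISPLACED_SRC = '''\
def update(user, key, value):
    write_config(key, value)  # operation runs before the check
    if not authorized(user, "write", key):
        raise PermissionError("denied")

def purge(user, records, force):
    if force:
        for r in records:
            delete_record(r)  # the force path skips the check
    elif authorized(user, "delete", records):
        for r in records:
            delete_record(r)
'''

HARDENED_SRC = '''\
def remove(user, record_id):
    if not authorized(user, "delete", record_id):
        raise PermissionError("denied")
    delete_record(record_id)

def update(user, key, value):
    if authorized(user, "write", key):
        write_config(key, value)
    else:
        log_denied(user)
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("misplaced", MISPLACED_SRC), ("hardened", HARDENED_SRC)):
        print(label, find_unmediated_ops(src))
```

The checker deliberately models only the two idioms a reviewer most often sees (`if authorized(...)` wrapping the operation, and `if not authorized(...): raise` before it); anything else, such as a check whose result is stored in a variable and tested later, is reported as unmediated, which is the conservative direction for a vetting tool. The "misplaced" sample shows why Jaeger calls placement the hard part: both functions contain a call to the check, yet neither mediates the operation on every path.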


Last Updated January 09, 2015