Accelerating detection of zero-day vulnerabilities

Published 23 April 2018

Today, commercial off-the-shelf (COTS), government off-the-shelf (GOTS), and free and open-source (FOSS) software support nearly all aspects of DoD, military, and commercial operations. Securing this diverse technology base requires highly skilled hackers who reason about the functionality of software and identify novel vulnerabilities. To address the challenges facing our abilities to scale and accelerate vulnerability detection, DARPA last week announced the Computers and Humans Exploring Software Security (CHESS) program.

Today, commercial off-the-shelf (COTS), government off-the-shelf (GOTS), and free and open-source (FOSS) software support nearly all aspects of DoD, military, and commercial operations. Securing this diverse technology base requires highly skilled hackers who reason about the functionality of software and identify novel vulnerabilities, using a suite of tools and techniques that require extensive training. While effective, the process is largely manual and requires hundreds, if not thousands, of hours of effort for each vulnerability discovered. The use of automated program analysis to support the discovery process has become more prevalent in recent years. However, current automation is limited: without human involvement it can reason over only a few vulnerability classes, because it lacks an understanding of certain software semantics and context clues.

DARPA says that, to address the challenges facing our abilities to scale and accelerate vulnerability detection, its Information Innovation Office (I2O) last week announced the Computers and Humans Exploring Software Security (CHESS) program. CHESS aims to develop capabilities to discover and address zero-day vulnerabilities at a speed and scale appropriate for the continuously growing, complex software ecosystem by enabling humans and computers to collaboratively reason over software artifacts. Moving from a manual, human-driven process to one based on advanced computer-human collaboration creates opportunities for a broader range of technical, or potentially non-technical, experts to assist in the detection and remediation of known and emerging threats.

“The relatively small number of skilled hackers that exist across industry, government, and academia, combined with the limitations of current automated program analysis capabilities, has made it extremely difficult to scale vulnerability detection and remediation to the level needed for today’s software environment,” said Dustin Fraze, the I2O program manager leading CHESS. “Through CHESS, we’re looking to gather, understand, and convert the expertise of human hackers into automated analysis techniques that are more accessible to a broader range of technologists. By allowing more individuals to contribute to the process, we’re creating a way to scale vulnerability detection well beyond its current limits.”

To achieve its goal, the CHESS program is seeking innovative proposals across five technical areas. Through these efforts, the program plans to examine novel approaches to rapid vulnerability detection that focus on identifying system information gaps requiring human assistance, generating representations of these gaps appropriate for human collaborators, capturing and integrating human insight into the analysis process, and ultimately synthesizing software patches based on the collaborative analysis.

Under the first technical area, research teams will focus on capturing and analyzing the process expert hackers use to reason over software artifacts–such as source code and compiled binaries. Leveraging the gathered insights, researchers will create a basis for developing new forms of highly effective communication and other human-computer interactions.

Performers working on the second technical area will seek to develop technologies capable of discovering and patching specified vulnerability classes in both source code and compiled binaries. In the process, they will also identify information that is missing from, but relevant to, vulnerability analysis (information gaps) and that can be addressed by the human-generated insights found under the first technical area. Research efforts under both of these technical areas will be highly collaborative, as the goal is to create a system for vulnerability detection that is easily understandable by both computers and humans.

“Humans have world knowledge as well as semantic and contextual understanding that is beyond the reach of automated program analysis alone,” said Fraze. “These information gaps inhibit machine understanding for many classes of software vulnerabilities. Properly communicated, human insights can fill these information gaps and enable expert hacker-level vulnerability analysis at machine speeds.”

The third and fourth technical areas focus on creating the testing and evaluation criteria for the collaborative human/computer technologies created under the first two technical areas. These areas will draw on a pre-determined set of vulnerability classes of interest to create a realistic set of test problems, and on the current state of the art in vulnerability detection tools and techniques to establish a measurement baseline. The final technical area will manage evaluations and integration, and will seek to transition the final solution to government and/or commercial partners.

DARPA says that the CHESS program will span one 18-month and two 12-month phases for a total of 42 months. Each phase will focus on increasing the complexity of an application the CHESS system is able to analyze effectively.