Patching Legacy Software Vulnerabilities Rapidly in Mission-Critical Systems

Published 17 October 2019

There are a vast number of diverse computing devices used to run the critical infrastructure our national security depends on – from transportation systems to electric grids to industrial equipment. While the amount of deployed vulnerable software is growing exponentially, the effective means of addressing known vulnerabilities at scale are limited. DARPA seeks to develop targeted software patches to rapidly repair legacy binaries in mission-critical systems, while assuring system functionality is not affected.

There are a vast number of diverse computing devices used to run the critical infrastructure our national security depends on – from transportation systems to electric grids to industrial equipment. Much like commercial or personal computing devices, these systems utilize embedded software to execute and manage their operations. To fix certain security vulnerabilities, commercial and personal devices must undergo frequent updates, and are replaced every few years – or on occasion, more frequently when an update fails. Mission-critical systems are built to last for decades, and rarely have the same short upgrade cycles. These systems are expensive to develop and hard to replace, and as they become increasingly connected for the purposes of maintenance diagnostics and data collection, this proliferation of connected software is opening them to compromise. While the amount of deployed vulnerable software is growing exponentially, the effective means of addressing known vulnerabilities at scale are limited.

“Patching vulnerabilities in legacy software used by mission-critical systems is a challenge that is only growing in importance and complexity,” said Dr. Sergey Bratus, a program manager in DARPA’s Information Innovation Office (I2O). “Even after a particular flaw is fully understood, and a remediation approach has been developed and expressed as a source code change in the software, a vendor’s ability to produce patches for all of their deployed devices in a timely, assuredly safe, and scalable manner is limited. This results in mission-critical software going unpatched for months to years, increasing the opportunity for attackers.”

DARPA says that today, identifying and remediating software vulnerabilities in legacy binaries requires highly skilled software engineers who must make expert assumptions based on whatever source code samples and/or limited knowledge of the original development environment may be available. The engineers are responsible for understanding the structure of the binary, developing and applying a patch by hand, and then manually analyzing and testing the patched binary to ensure it works properly. The process is arduous and time-consuming, with minimal assurance that the system will continue working as intended after the fix is applied. Further, this approach is becoming increasingly untenable as the amount of deployed software within mission-critical systems continues to grow.