2 minute read
Helping DARPA crush bugs
Sometimes developers accidentally introduce a bug that leaves software vulnerable to attacks. When a company or developer discovers a vulnerability, they provide a fix — or patch — as soon as possible. But there are situations where patching isn’t so straightforward.
“What happens if the software company no longer exists? Who can fix those bugs, and how?” asked Adam Doupé, director of the Center for Cybersecurity and Trusted Foundations.
Critical infrastructure presents another cybersecurity problem. Because it’s critical, there’s a tendency to avoid software security updates since they might disrupt other parts of the system. Many critical infrastructure companies don’t have a way to check that a patch won’t interfere with the system’s function, Doupé said. This update lag leaves them open to ransomware attacks.
ASU began tackling these problems in 2020 when DARPA awarded a four-year contract to the center, which contributed research and development efforts to the Assured Micropatching program. A micropatch is a small patch that fixes one vulnerability without jeopardizing functionality.
The team developed VOLT (a Viscous, Orchestrated Lifting and Translation framework), to reverse-engineer a piece of outdated software. It can take the ones and zeros of a binary program and “translate” them into code that humans can read, and vice versa.
Once developers learn about a program, they can create the smallest patch possible that changes as little in the system as possible. The center’s team also aims to use mathematical proofs to guarantee that a system will still work after the patch is deployed.
This will allow the team to address security issues in the software used in critical infrastructure as well as deployed military equipment for less time and cost.
“I have worked on software reverse engineering for over 10 years, and much to my surprise, no one has created techniques to make effortless binary patching possible,” said Ruoyu "Fish" Wang, the lead investigator of the Assured Micropatching project. “Our VOLT framework, upon success, will be the first of its kind that enables easy bug fixing on deployed software. This capability will mean a lot to both industry and national security.”
