DARPA looks to address zero-day vulnerabilities in complex software ecosystems

ARLINGTON, Va. Officials at the Defense Advanced Research Projects Agency's (DARPA) Information Innovation Office (I2O) launched the Computers and Humans Exploring Software Security (CHESS) program, which aims to develop capabilities to discover and address zero-day vulnerabilities at a speed and scale appropriate for the continuously growing, complex software ecosystem by enabling humans and computers to collaboratively reason over software artifacts.

The program's goal is to move away from a manual, human-driven process to one based on advanced computer-human collaboration, which creates opportunities for a broader range of technical (or potentially non-technical) experts to assist in the detection and remediation of known and emerging threats.

Image caption: CHESS aims to speed and scale vulnerability detection by merging automated program analysis with human-driven insight. Image by DARPA.

“The relatively small number of skilled hackers that exist across industry, government, and academia, combined with the limitations of current automated program analysis capabilities has made it extremely difficult to scale vulnerability detection and remediation to the level needed for today’s software environment,” says Dustin Fraze, the I2O program manager leading CHESS. “Through CHESS, we’re looking to gather, understand, and convert the expertise of human hackers into automated analysis techniques that are more accessible to a broader range of technologists. By allowing more individuals to contribute to the process, we’re creating a way to scale vulnerability detection well beyond its current limits.”

CHESS program officials are seeking innovative proposals across five technical areas. Through these efforts, the program plans to examine novel approaches to rapid vulnerability detection that focus on identifying system information gaps requiring human assistance, generating representations of these gaps appropriate for human collaborators, capturing and integrating human insight into the analysis process, and ultimately synthesizing software patches based on the collaborative analysis.

Under the first technical area, research teams will focus on capturing and analyzing the process expert hackers use to reason over software artifacts, such as source code and compiled binaries. Leveraging the gathered insights, researchers will create a basis for developing new forms of highly effective communication and other human-computer interactions.

Performers working on the second technical area will seek to develop technologies capable of discovering and patching specified vulnerability classes in both source code and compiled binaries. In the process, they will also identify information that is missing but relevant to vulnerability analysis (information gaps) and that can be addressed by the human-generated insights found under the first technical area. Research efforts under both of these technical areas will be highly collaborative, as the goal is to create a system for vulnerability detection that is easily understandable by both computers and humans.

“Humans have world knowledge as well as semantic and contextual understanding that is beyond the reach of automated program analysis alone,” said Fraze. “These information gaps inhibit machine understanding for many classes of software vulnerabilities. Properly communicated, human insights can fill these information gaps and enable expert hacker-level vulnerability analysis at machine speeds.”

The third and fourth technical areas focus on creating the testing and evaluation criteria for the collaborative system created under the first two technical areas. These areas will use a pre-determined set of vulnerability classes of interest to create a realistic set of test problems, and the current state of the art in vulnerability detection tools and techniques to establish a measurement baseline. The final technical area will manage evaluations and integration, and will seek to transition the final solution to government and/or commercial partners.

The CHESS program will span one 18-month phase and two 12-month phases, for a total of 42 months. Each phase will increase the complexity of the applications the CHESS system must be able to analyze effectively.
