How to Deal with Legacy Software Vulnerabilities

CAMBRIDGE, MA—Government, banks, airlines, the military—nearly every major sector is dealing with old IT that makes resolving issues difficult and fixing vulnerabilities expensive. These old systems are prone to bugs that may cause outages and waste engineering time to fix. Increasingly, the culprit is legacy software, which is software that is no longer supported by the vendor, or software whose original source code is not available.

Draper and Carnegie Mellon University (CMU) are addressing this challenge by developing a capability for rapidly patching legacy software in its original binary form. With the new capability, IT teams will be able to analyze, modify and fix legacy binaries, and produce assured targeted micropatches for known security flaws.

The new capability is designed to address several challenges. Fixing security vulnerabilities in legacy software, for instance, requires patching at the binary level. Manual binary editing, however, is slow and error prone. Additional challenges arise when patched and recompiled binary code changes an IT system’s performance, making recertification difficult and slow.

These limitations and challenges can result in mission-critical software going unpatched for months to years, increasing the opportunity for attackers and the risk of the software becoming noncompliant. For these reasons, it’s crucial to have a patch management solution that can make sure critical aspects of an IT system stay up to date, says Michael Crystal, program manager at Draper.

“Today, software patching is complicated, and the recertification process is largely manual and relies on human evaluators combing through piles of documentation, or assurance evidence, to determine whether the software meets certain certification criteria,” Crystal said. “We want to take the guesswork out of the process and enable the certification to go forward with confidence.”

Funded under DARPA’s Assured Micropatching program, the toolset, called VIBES, which stands for Verified, Incremental Binary Editing with Synthesis, uses program synthesis and constraint programming techniques to compile a source-level patch and insert it into a preexisting binary program. VIBES uses formal verification to prove that only the intended change is made and provides evidence of correct behavior for subsequent recertification or accreditation processes. VIBES underwent development during a series of challenges arranged by the DARPA AMP program in 2021 and 2022.

Micropatches change the fewest possible bytes to achieve their objective, which minimizes potential side effects, and should enable proofs that the patches will preserve the original baseline functionality of the system. With these proofs, the time to test, recertify and deploy the patched system should be reduced from months to days.

“The technologies developed by Draper and Carnegie Mellon University aim to enable professionals to quickly and accurately patch legacy binaries in the deployed software systems upon which their enterprises depend,” says Philip Zucker, Ph.D., senior computer scientist and programmer at Draper. “You can test, package, stage and deploy patches automatically, saving your time and money over limited, manual processes.”

“We’re thrilled that Draper is building on top of the CMU Binary Analysis Platform, a framework we developed and open sourced to enable analysis of programs in the machine code representation,” says David Brumley, a professor in CMU’s department of Electrical and Computer Engineering and a core member of CMU’s CyLab.

Patching is difficult in that manual updates can take a long time. A study by the Ponemon Institute found that more than half of all companies (55 percent) say that when it comes to patching, they spend more time manually navigating the various processes involved than actually patching vulnerabilities. Most companies (61 percent) feel that they are disadvantaged for relying on manual processes for applying software patches.

VIBES was released as an open-source software in February. CMU’s open-sourced software is called Binary Analysis Platform, which was originally released in 2015.

Approved for Public Release, Distribution Unlimited.