DARPA-funded tool could revolutionize software assurance
CAMBRIDGE, MA – Flawed software, the root of most program errors and security vulnerabilities, is a critical enabler of cyber crime. Estimated to cost the global economy $445 billion per year, cyber crime impacts individuals, businesses, and national economies, with devastating consequences for those affected.
Draper Laboratory is developing a solution that automatically detects and repairs software errors and vulnerabilities prior to release of new software programs. Draper’s DeepCode seeks to prevent flaws in software programs such as those created by the Heartbleed bug, which left most Internet users’ private data vulnerable to theft.
“Draper is applying big-data analytics to automatically discover software vulnerabilities,” said Draper President and CEO Kaigham J. Gabriel. “This novel approach attempts to do what neither static nor dynamic testing techniques have been able to accomplish to date—automatically find all known vulnerabilities in binary and source code.”
“DeepCode will examine terabytes of open-source software to learn about the fundamental nature of good and bad code for both government and commercial applications,” explained Brad Gaynor, associate director for Cyber Systems at Draper. “Once trained, DeepCode will analyze new and existing software projects (both binary and source), automatically identify flawed program segments, and recommend code repairs to replace the vulnerable software components with more secure versions,” Gaynor said.
In instances where DeepCode has not previously encountered a particular code segment in the wild, the newly discovered region is analyzed for flawed design patterns mined from the large training set. Even in the rare case that DeepCode encounters entirely novel code, the time required to manually vet a software project would be significantly reduced by limiting offline analysis to the novel region—reducing the software assurance workload by several orders of magnitude.
This program represents the first time deep learning techniques, a set of algorithms that enable software to mimic the human brain’s ability to recognize patterns, have been applied to analyze software structure and semantic content. In an earlier study, Draper’s DeepCode team used deep learning analytics to successfully identify synthetic Advanced Persistent Threats within large volumes of otherwise benign network traffic. The specific type of neural network used in that study is being repurposed for Draper’s DeepCode engine.
Draper is developing DeepCode under contract to the U.S. Air Force Research Laboratory and the Defense Advanced Research Projects Agency (DARPA) in support of DARPA’s Mining and Understanding Software Enclaves (MUSE) program. Draper’s cybersecurity work with DARPA also includes the High Assurance Cyber-Military Systems (HACMS) program, where Draper provides the voice of the offense as the Government’s prime contractor for red team and penetration testing. In addition to normal penetration testing, Draper is developing unique tools using formal methods to detect and pinpoint vulnerabilities in machine code. The approach is scalable and will allow the U.S. Government and commercial companies to formally verify the absence of vulnerabilities in real-time cyber-physical systems.