Pulse

By GCN Staff


DARPA targets supply-chain threats in hardware, firmware

Amid growing concerns about malware threats in the IT supply chain, the Defense Advanced Research Projects Agency is looking for ways to test commercial products on a large scale to make sure they’re “clean.”

DARPA has launched the Vetting Commodity IT Software and Firmware (VET) program to find methods of ensuring that the commercial IT products the Defense Department buys, ranging from smart phones to routers, are free of backdoors, malicious code and other potential threats.

Supply-chain security has come to the fore recently, with a congressional intelligence panel warning that the United States “should view with suspicion” the growth of Chinese telecommunications companies in the U.S. market. A recent report by the Georgia Tech Information Security Center and Georgia Tech Research Institute identified supply-chain threats as serious and hard to detect.

Back doors, spyware and other malicious code could theoretically be designed into products or added by a manufacturer, vendor or integrator.

DARPA’s VET program wants to test products before they’re installed, which would seem to be a pretty big job.

“DOD relies on millions of devices to bring network access and functionality to its users,” Tim Fraser, DARPA program manager, said in a statement. “Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”

With VET, DARPA wants to develop a three-step process:

  • Defining malice: Given a sample device, how can DOD analysts produce a prioritized checklist of software and firmware components to examine and list broad classes of hidden malicious functionality to rule out?
  • Confirming the absence of malice: How can analysts demonstrate the absence of those broad classes of hidden malicious functionality?
  • Examining equipment at scale: How can the procedure scale to non-specialist technicians who must vet every individual new device used by DOD prior to deployment?

DARPA will host a proposer’s day Dec. 12 in Arlington, Va., to brief interested participants in the program.

Posted by Kevin McCaney on Dec 04, 2012 at 9:39 AM


Reader Comments

Wed, Dec 5, 2012 earth

Any black box that has memory can count. Any black box that can count can change its behavior after a large number of events happen. Any black box that can change its behavior after a large number of events can defeat any finite testing. Do you know of any IT equipment that has less than 2log(n) nand gates where n is the count at which it changes behavior? (log(n) = 32 for 4 billion tests that use the unknown event) Even if you have a map of every gate in the hardware do you think any system can recognize all the connections and therefore prove something doesn’t have malicious hardware when all it takes is 62 nand gates?

Wed, Dec 5, 2012 earth

Good grief. Three chestnuts from where I grew up apply here: closing the barn door after the cows get out, a penny smart and a dollar foolish, and if you want something done right do it yourself. Prove to me one second that a device has “an absence of malice” and you haven’t proven to me that it still has “an absence of malice” one second later. Whether it has a back door or a front door, if it is dynamic it can be put into some state that in some context will be “malicious” and all IT equipment is dynamic. There are two endpoints, not sending data it should and sending data it shouldn’t, between them is a continuum of “malicious” states such as statefully dropping packets or statefully duplicating and rerouting packets or even increasing the error rate by 5% thereby forcing retransmission and bandwidth clogging. What type of test can they apply to a black box to prove all the myriad of “defined malice” is absent and permanently so? Do they really think they can “define malice” in all its forms? That seems a bit supercilious.

So they save a few bucks buying from the lowest bidder and it costs them uncountable effort across the expanse of networks civilian and military to continually test. Instead they should put the effort into creating the equipment themselves. My local government creates its own roads, fresh and black water infrastructure, etc. Given the importance of CIA in C3I, military and civilian, the government should produce this infrastructure itself. The AT&T monopoly was a great idea in a time of relative peace but we don’t live in that time anymore. We have treated too many people like enemies to expect them to treat us with integrity. And from what I have seen the last few years that includes “our own” multinationals. The C3I infrastructure should be a government function like agriculture, transportation, EPA etc. Study living systems theory, C3I is essentially half of the functionality of any living system and therefore shouldn’t be left to post-acquisition testing. Would you rent your brain from a discount store?
