N23A-T009   TITLE: DIGITAL ENGINEERING - Generalizable Tactical Software AI/ML-informed Debloating

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Artificial Intelligence (AI)/Machine Learning (ML); Cybersecurity

OBJECTIVE: Develop capability that leverages artificial intelligence and machine learning (AI/ML) technologies to debloat tactical software to reduce support costs, improve run-time stability, and reduce cybersecurity vulnerability.

DESCRIPTION: Much modern software suffers from "bloat" that negatively impacts its maintenance costs, performance, and security. Commercial software tries to address wide audiences and focuses on programmer productivity, resulting in software with many indirections, libraries, and layers of abstraction. Government entities have not historically incentivized industry to produce minimal code bases, sometimes even basing funding on the number of source lines of code (SLOCs). Compounding this state of affairs, Naval Control Systems (NCSs) are built and upgraded over extended periods of time, resulting in systems containing tens of millions of SLOCs.

Exploratory research at the Naval Undersea Warfare Center has determined that significant bloat can be removed from these complex control systems. One impact of this bloat is cost associated with supporting excessive binary executable sizes. A more troubling consequence of software bloat is instability in the run-time tactical system. The presence of exploitable attack surfaces in the bloat within code is a third problem. Finally, excessive bloat has a commensurate impact on cost and time to perform system testing. As testing rarely exercises the total system, excessive SLOCs and binary executable sizes increase the likelihood of "escaped bugs," software problems that are not seen until after system fielding. Escaped bugs require heroic measures to fix.

State-of-the-art research studies by subject matter experts in academia outline the approaches that can be taken to de-bloat and harden software systems. Yet there are few, if any, commercial programs to automatically de-bloat and harden software systems, due to commercial emphasis on productivity and software reuse.

The Naval Undersea Warfare Center (NUWC) has experimented with debloating tactical code, demonstrating the utility of such an effort. However, the exploratory debloating process conducted by NUWC was labor-intensive and tailored, making this sort of debloating cumbersome and unaffordable in the context of envisioned Continuous Integration/Continuous Delivery (CICD) capability fielding. The NUWC manual-intensive process seems amenable to being automated by use of AI/ML. Based on NUWC�s success, the Navy seeks a solution to develop a generalizable tactical software debloating capability informed by AI/ML.

There are multiple metrics for software debloating. The first metric is the number of SLOCs reduced or decreased in binary file size, as there can be some benefit to sheer reduction in the total system size. However, it has been shown that this quantity is misleading because debloat tools that perform hardening are often expected to increase the overall file sizes by including additional protections for cyber-resiliency. The second metric is the quality of bloat removal, where the bloat that has been removed substantially improves system stability and reduces cybersecurity vulnerabilities. For example, past research has used as a metric "code reuse gadget count reduction", which measures the difficulty for an attacker to mount a gadget-based code reuse exploit such as return-oriented programming (ROP). However, realistic debloating scenarios have shown that even high gadget count reduction rates can fail to limit an attacker�s ability to construct an exploit and may even introduce new quality gadgets [Ref 2]. Thus, the quality of debloat metric should use "functional gadget set expressivity" and "special purpose gadget availability" to assess the utility of the gadgets available to the attacker rather than the quantity, as calculated using the Gadget Set Analyzer (GSA). The technology sought would have a threshold requirement of decreased functional gadget set expressivity and special purpose gadget availability by 10% relative to the untouched tactical system. The security metrics would identify the reduction in unique attack surfaces associated with bloat. Finally, the performance metric would characterize the improved performance associated with debloating as a modification to tactical computational time and memory usage. Similar metrics are expected to be derived for container, Linux kernel, and firmware debloat.

PHASE I: Develop a concept for a generalizable debloating capability powered by AI/ML. The concept must demonstrate feasibility to reduce the bloats in code, with potential to reduce attack surfaces and improve software quality according to the parameters in the Description. Feasibility will be demonstrated through analysis and modeling. The Phase I effort can be demonstrated on unclassified software the company feels is analogous to the complexity level of the target USW systems. The Phase I Option, if exercised, will include the initial design specifications and capabilities description to build a prototype solution in Phase II.

PHASE II: Develop and deliver a prototype generalizable debloating capability powered by AI/ML for testing and evaluation based on the results of Phase I. Demonstrate that the prototype meets the parameters in the Description. The technology will be assessed over the course of Phase II by Navy software subject matter experts (SMEs) knowledgeable about the investigative effort to debloat Navy software.

PHASE III DUAL USE APPLICATIONS: Support the Navy in transitioning the technology to Navy use. The final product will consist of a capability to debloat tactical software that leverages AI/ML to minimize the tailoring and labor that can be associated with a manual debloating approach.

The resultant technology will be used during system integration and production by the prime contractors producing Undersea Warfare Systems such as AN/SQQ-89A(V)15 and AN/UYQ-100. The generalized technology developed could also be used for debloating any complex software system, such as information technology systems, and critical infrastructure systems such as power generation, water purification, and healthcare delivery.

REFERENCES:

1.       Alhanahnah, M., Jain, R., Rastogi, V., Jha, S., & Reps, T. (2021). Lightweight, Multi-Stage, Compiler-Assisted Application Specialization. arXiv preprint arXiv:2109.02775. Online: https://doi.org/10.48550/arXiv.2109.02775

2.       Brown, Michael D. and Santosh Pande. "Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating." arXiv:1902.10880v3. https://doi.org/10.48550/arXiv.1902.10880

3.       Bruce, B. R., Zhang, T., Arora, J., Xu, G. H., & Kim, M. (2020, November). Jshrink: In-depth investigation into debloating modern java applications. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (pp. 135-146). Online: https://dl.acm.org/doi/abs/10.1145/3368089.3409738

4.       Casinghino, C., Paasch, J.T., Roux, C., Altidor, J., Dixon, M., & Jamner, D. (2019, May 28). Using Binary Analysis Frameworks: The Case for BAP and angr. NASA Formal Methods https://doi.org/10.1007/978-3-030-20652-9_8

5.       Christensen, J., Anghel, I. M., Taglang, R., Chiroiu, M., & Sion, R. (2020). DECAF: Automatic, Adaptive De-bloating and Hardening of COTS Firmware. Proceedings of the 29th USENIX Security Symposium (pp. 1713-1730). Virtual: USENIX. doi:978-1-939133-17-5. Online: https://www.usenix.org/conference/usenixsecurity20/presentation/christensen

 

KEYWORDS: Continuous Integration/Continuous Delivery; CICD; source lines of code; SLOCs; software debloating; cybersecurity vulnerabilities; instability in the run-time tactical system; artificial intelligence and machine learning; AI/ML

---