N252-079 TITLE: Binary-Level Automated Vulnerability Detection and Patching without Source Code
OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Sensing and Cyber
The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.
OBJECTIVE: Develop innovative approaches to automatically find and fix software vulnerabilities in binaries without source code. The capability should be robust enough to identify not only zero-day exploits and vulnerabilities, which can be weaponized for offensive purposes, but also implants (for defense against supply chain attacks) and malware.
DESCRIPTION: Due to the prevalence of programmers copying and pasting code into their projects, or the inclusion of libraries of unknown origin or quality, the security of the software that underpins critical systems is always in question. Because of this, methods to quickly secure new and existing critical software used in the Fleet are needed for all Program Management Activities and Program Executive Offices. Current techniques to secure software involve manual vulnerability discovery and remediation by subject matter experts (SMEs) and typically require access to the source code. However, the source code is usually not available for analysis, especially for legacy applications, weapon systems, control systems, and communication systems whose software is proprietary. For this SBIR project, the small business awardee will develop novel approaches to automatically perform security assessments on compiled binaries of multiple instruction set architectures to detect known and unknown vulnerabilities (greater than 90% success rate) and automatically develop patches for any found vulnerabilities.
Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. owned and operated with no foreign influence as defined by 32 U.S.C. § 2004.20 et seq., National Industrial Security Program Executive Agent and Operating Manual, unless acceptable mitigating procedures can be and have been implemented and approved by the Defense Counterintelligence and Security Agency (DCSA), formerly the Defense Security Service (DSS). The selected contractor must be able to acquire and maintain a secret-level facility clearance and Personnel Security Clearances. This will allow contractor personnel to perform on advanced phases of this project as set forth by DCSA and NAVAIR in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material during the advanced phases of this contract IAW the National Industrial Security Program Operating Manual (NISPOM), which can be found at Title 32, Part 2004.20 of the Code of Federal Regulations.
PHASE I: Determine the technical feasibility of binary level automated vulnerability detection and patching without source code including:
1. Determination of the major challenges and preliminary feasibility of software algorithms.
2. Development of an initial concept design that supports binary level automated vulnerability detection and patching without source code.
The Phase I effort will include prototype plans to be developed under Phase II.
PHASE II: Develop and demonstrate a prototype for binary-level automated vulnerability detection and patching without source code. The prototype deliverables should include:
1. Design and develop the algorithms required to perform binary-level automated vulnerability detection and patching without source code.
2. Demonstrate the ability of the prototype to harden vulnerable binary software.
3. A technical roadmap that takes the program through Phase III must be part of the final delivery for Phase II.
Work in Phase II may become classified. Please see note in Description paragraph.
PHASE III DUAL USE APPLICATIONS: Complete final testing, perform necessary integration and transition for use in monitoring operations/applications with appropriate platforms and agencies, and future combat systems under development.
Commercially, this product could be used to enable security monitoring.
REFERENCES:
KEYWORDS: Source code; binary; vulnerability; Artificial Intelligence; Machine Learning; AI/ML; software; cybersecurity
TPOC 1: Anthony Brescia
(301) 342-2094
[email protected]
TPOC 2: Mark Kang
(240) 717-6951
[email protected]
** TOPIC NOTICE **
The Navy Topic above is an "unofficial" copy from the Navy Topics in the DoD 25.2 SBIR BAA. Please see the official DoD Topic website at www.dodsbirsttr.mil/submissions/solicitation-documents/active-solicitations for any updates. The DoD issued its Navy 25.2 SBIR Topics pre-release on April 2, 2025, which opens to receive proposals on April 23, 2025, and closes May 21, 2025 (12:00pm ET).
Direct Contact with Topic Authors: During the pre-release period (April 2, 2025, through April 22, 2025) proposing firms have an opportunity to directly contact the Technical Point of Contact (TPOC) to ask technical questions about the specific BAA topic. The TPOC contact information is listed in each topic description. Once DoD begins accepting proposals on April 23, 2025, no further direct contact between proposers and topic authors is allowed unless the Topic Author is responding to a question submitted during the pre-release period.
DoD On-line Q&A System: After the pre-release period, until May 7, 2025, at 12:00 PM ET, proposers may submit written questions through the DoD On-line Topic Q&A at https://www.dodsbirsttr.mil/submissions/login/ by logging in and following instructions. In the Topic Q&A system, the questioner and respondent remain anonymous, but all questions and answers are posted for general viewing.
DoD Topics Search Tool: Visit the DoD Topic Search Tool at www.dodsbirsttr.mil/topics-app/ to find topics by keyword across all DoD Components participating in this BAA.