Securely Taking On New Executable Software of Uncertain Provenance (STONESOUP)

Software vulnerabilities are a major security problem today. Attackers exploit these vulnerabilities to subvert computers and steal valuable information, to extort funds under threat of system damage or shutdown, or to turn an unwitting user’s computer into a bot, which the attacker can subsequently direct to attack other systems, to distribute spam, or to pursue other purposes the attacker may have.

A large fraction of these vulnerabilities originate in the source or object code of programs rather than in the software design. Yet tools to help an end user determine whether a new program is safe to run or contains exploitable vulnerabilities are largely lacking. Instead, users must typically depend on the provenance of the software they receive: Did it come from a company we trust? Was it developed using a process in which we have confidence? Are the people who built it friendly to us?

The problem with relying on provenance is that software is now developed all over the world and is often assembled out of component parts from many sources, so its origin is uncertain. It is increasingly difficult to know who built a particular software component or system, what their motivations may be, and what process they used in its construction.

This program aims to establish confidence in software based on properties determined by examining the software directly, independent of where it came from or what process was used to develop it.

Evaluating software to assure it has desired security properties is today a cumbersome and labor-intensive process. Current evaluation techniques in support of software system certification often require the creation of extensive documentation that is frequently used only by evaluators. Certification processes might not require examination of source code, where most vulnerabilities are introduced. The machine code that a computer actually executes is rarely subject to rigorous analysis. Further, software producers can issue updates and fixes at a rate faster than current processes can evaluate their effects.

Recently, a market has developed in tools that can automatically detect weaknesses in source or object code programs. However, while current tools show promise, they typically generate reports of weaknesses that are intended for manual review by a software developer or security expert, not an end user. Moreover, these tools produce significant numbers of false positives, greatly magnifying the effort required to triage vulnerability reports, and false negatives, allowing vulnerabilities to slip through the cracks.

The goal of the STONESOUP program is to develop and demonstrate technology that provides comprehensive, automated techniques that allow end users to safely execute new software of uncertain provenance. The envisioned technology will use advanced automated software analysis techniques to identify vulnerabilities or to assure their absence; it will combine the analysis with methods for confining software execution so that identified weaknesses cannot be exploited; and it will diversify software components so any residual vulnerabilities will be more difficult for attackers to discover or exploit. The combination of these techniques can provide true defense-in-depth against attempts to exploit vulnerable software.

The program is interested in tools that can operate on programs written in common type-safe languages, specifically C# or Java (source or bytecode); in legacy, harder-to-analyze languages, specifically C or C++; and on object code available only in binary form for x86 (Windows or Linux).

IARPA is seeking innovative solutions for the STONESOUP Program. The use of a BAA solicitation allows a wide range of innovative ideas and concepts. The STONESOUP Program is envisioned to begin March 2010 and end by February 2014.
