Draper’s CAGE Could Spot Code Vulnerable to Denial of Service Attacks
DARPA-funded cybersecurity effort could also protect against data leaks
CAMBRIDGE, Mass. – Denial-of-service attacks can cost organizations $40,000 per hour. Attacks that expose financial data, Social Security numbers, and other confidential information can also damage stakeholder confidence. In just one example, Target’s customer visits dropped to a three-year low following the attack that exposed credit card data for 40 million customers.
Draper Laboratory is working with the Defense Advanced Research Projects Agency (DARPA) to help solve this problem with the Complexity Analysis-based Guaranteed Execution (CAGE) tool. CAGE identifies exploitable vulnerabilities that would render a system inaccessible by forcing it to attempt computations requiring impractically large amounts of memory space or time. The tool can also help spot vulnerabilities that allow hackers to insert worms that sit quietly on a system and leak data. DARPA awarded a four-year contract for the project to Draper in April under the agency’s Space/Time Analysis for Cybersecurity (STAC) effort.
“People get complacent with firewalls and intrusion detection systems, but perimeter security is insufficient protection against the attacks that hurt companies like Target and Home Depot,” explained Jothy Rosenberg, Draper’s associate director for cyber systems. “Knowing exactly what may be vulnerable within a system is 90 percent of the challenge in preventing these attacks.”
Draper’s work on CAGE draws on expertise that the Lab is applying to other DARPA cybersecurity projects. These include the static program analysis and deep learning used to detect flawed software code under the Mining and Understanding Software Enclaves (MUSE) program, and the formal methods that it uses as the voice of the offense as the prime contractor for red team and penetration testing under the High Assurance Cyber-Military Systems (HACMS) effort.
Draper is partnering with RWTH Aachen University in Germany and the University of Innsbruck in Austria to take advantage of their research on automated termination systems and complexity analysis, two advanced code analysis techniques that compute the amount of resources that programs can potentially use.