
DARPA HACMS program for a software without pervasive vulnerabilities

Pierluigi Paganini January 02, 2013

Technology has assumed a crucial role in modern warfare; every government is developing new cyber capabilities to counter and prevent cyber threats in the fifth domain of warfare, cyberspace.

Today the concept of warfare has profoundly changed. Many states choose to attack foreign governments by exploring new technological options, from state-sponsored cyber attacks to the large-scale use of Unmanned Aerial Vehicles (UAVs) on the battlefield for espionage and offensive purposes. Drones are widely used for military purposes, and many news reports have raised the possibility of hacking their control systems exactly like any other computer; this opportunity is the principal target of much research conducted by cyber units all over the world.

These sophisticated weapons seem to be affected by a “pervasive vulnerability”, according to the Defense Advanced Research Projects Agency, that exposes them to the concrete risk of hijacking. The concept of “pervasive vulnerability” is widely discussed and is the subject of deep study; the weakness also affects SCADA systems, vehicles, medical devices, computer peripherals and communication devices.

Patch management for this category of vulnerabilities, especially in the military sector, is very complex: fixing a bug in the control system of a UAV in the majority of cases requires re-certifying the entire aircraft. A patch needs a long series of tests to avoid introducing further vulnerabilities into the fixed system.

What are the main causes of such critical vulnerabilities?

Dr. Kathleen Fisher, a Tufts University scientist and a program manager at DARPA, is sure that the problem is related to the design of control algorithms, which appear to be written in a fundamentally insecure manner. Fisher is conducting a project, dubbed High-Assurance Cyber Military Systems, or HACMS, a four-year effort with an estimated cost of $60 million, with the purpose of defining an innovative and secure coding practice.

The program is described on the DARPA web site with the following statements:

“The High-Assurance Cyber Military Systems (HACMS) program seeks to create technology for the construction of systems that are functionally correct and satisfy appropriate safety and security properties,” explained Kathleen Fisher, DARPA program manager. “Our vision for HACMS is to adopt a clean-slate, formal method-based approach to enable semi-automated code synthesis from executable, formal specifications.”

In addition to generating code, HACMS seeks a synthesizer capable of producing a machine-checkable proof that the generated code satisfies functional specifications as well as security and safety policies. A key technical challenge is the development of techniques to ensure that such proofs are composable, allowing the construction of high-assurance systems out of high-assurance components.

Drone control systems, SCADA systems and medical devices share the possibility of falling victim to cyber attacks such as a malware infection. Events such as the Stuxnet case and the various news reports on the hijacking of drones remind us that hackers could exploit these complex systems due to the lack of secure coding.

During a presentation of her study, Fisher declared:

“Many of these systems share a common structure: They have an insecure cyber perimeter, constructed from standard software components, surrounding control systems designed for safety but not for security,”

But, as is well known, perfect code is hard to achieve and requires long and complex work involving highly skilled personnel. To give an idea of the complexity of code validation and analysis, recall that one group of researchers in Australia checked the core of their “microkernel”, composed of 8,000 lines of code, with a workload of 11 persons for one year. That is an amazing amount of time if we consider the time to market of military devices and the overall complexity of any component of a vehicle.

The overall project will have a duration of 4.5 years, split into three 18-month phases, and is composed of 5 Technical Areas (TAs):

  • TA1 – Military Vehicle Experts
  • TA2 – Formal Methods and Synthesis for OS Components
  • TA3 – Formal Methods and Synthesis for Control Systems
  • TA4 – Research Integration
    • Sub-area 1: Formal-Methods Workbench
    • Sub-area 2: Integration of High-Assurance Components
  • TA5 – Red Team

 

 

The government is interested in defining, for the military sector, tools and formal methods-based techniques to develop secure control algorithms for the creation of secure defense vehicles. The final control algorithms will be tested on various defense vehicles such as Rockwell Collins drones, Boeing helicopters and Black-I-Robotics ground robots, but the project is more ambitious: its final goal is the definition of “a software that can write near-flawless code on its own”.

Reading the presentation of the HACMS program, I was attracted by Technical Area 5: Red Team (“Voice of the Offense”), which includes static and dynamic security assessment of the targeted vehicles. The phase also includes a specific task on attacks based on the injection of arbitrary code into the systems and the provision of bogus values to the sensors of the vehicle. These are the most dangerous types of attack observed until now. The program is also interested in protecting mission objectives from hacker attacks that could reveal sensitive information during a conflict, such as the goal of the mission (e.g. reconnaissance or bombing), the locations of the troops on the territory and the final targets of the attacks.

The deliverables of HACMS will be a set of publicly available tools integrated into a high-assurance framework, which will be distributed for use in both the military and commercial software sectors. The purpose is to promote these tools to generate high-assurance, open-source operating system and control system components.

 

If the project works, it could represent a turning point in history: we will be able to design drones that hackers cannot attack. We are very close to creating the perfect machine, and in that case, what are the ethical implications related to human control in the decision-making loop of these vehicles?

Is the hypothesized scenario really possible? Is this our real goal?

Pierluigi Paganini

