DARPA HACMS program for a software without pervasive vulnerabilities

Technology in modern warfare has assumed a crucial role, every government is developing new cyber capabilities to be able to contrast and prevent cyber threats the fifth domain of warfare, the cyberspace.

Today the concept of warfare is profoundly changed, many states choose to attack foreign governments exploring new technological options, from state-sponsored cyber attacks to large use of Unmanned Aerial Vehicle (UAV) on the battle field for espionage and offensive purposes. Just drones are largely used for military purposes and many news have reported the possibility to hack their control system exactly as any other computer, this opportunity is the principal target of many researches conducted by cyber units all over the world.

These sophisticated weapons seems to be affected by a “pervasive vulnerability”, according Defense Advanced Research Projects Agency, that exposes them to the concrete risks of hijacking. The concept of “pervasive vulnerability” is widely discussed and it’s subject of deep study, the weakness affects also SCADA systems, vehicles, medical devices, Computer peripherals and communication devices.

The patch management for this category of vulnerabilities, especially in military sector, is very complex, fix a bug present in the control system of a UAC is need in majority of cases the re-certifying for the entire aircraft. A patch need a long series of tests to avoid the introduction of further vulnerabilities in the system fixed.

Which are the main cause for the presence of such critical vulnerabilities?

Dr. Kathleen Fisher, a Tufts University scientist and a program manager at the DARPA, is sure that the problem is related to the design of control algorithms that appears to be written in a fundamentally insecure manner. Fisher is conducting a project, dubbed High-Assurance Cyber Military Systems, or HACMS,  having a four-year effort and an estimated cost of $60 million with the purpose of define an innovative and secure practice of coding.

The program is desribed on DARPA web site with following statements:

“The High-Assurance Cyber Military Systems (HACMS) program seeks to create technology for the construction of systems that are functionally correct and satisfy appropriate safety and security properties,” explained, Kathleen Fisher, DARPA program manager. “Our vision for HACMS is to adopt a clean-slate, formal method-based approach to enable semi-automated code synthesis from executable, formal specifications.”

In addition to generating code, HACMS seeks a synthesizer capable of producing a machine-checkable proof that the generated code satisfies functional specifications as well as security and safety policies. A key technical challenge is the development of techniques to ensure that such proofs are composable, allowing the construction of high-assurance systems out of high-assurance components.

Drones control systems, SCADA systems and medical devices share the possibility to be victim of a cyber attacks such as a malware infection, event such as Stuxnet case and the various news on hijacking of drones remind us that hackers could exploit these complex systems to the leak of secure coding.

Fisher during a presentation of her study declared:

“Many of these systems share a common structure: They have an insecure cyber perimeter, constructed from standard software components, surrounding control systems designed for safety but not for security,”

But it’s known, the perfect code it’s hard to realize, and need a long and complex work that involve high skilled personnel, to give an idea of the complexity for code validation and its analysis let’s remind that one group of researchers in Australia has checked the core of their “microkernel” composed by 8,000 lines of code with a workload of 11 persons for one year, it’s an amazing time if we consider the time to market of military devices and the overall complexity of any component of a vehicle.

The overall project will have a duration of  4.5 years split into three 18-month phases and is composed of 5 Technical Areas (TAs)

• TA1 – Military Vehicle Experts
• TA2 – Formal Methods and Synthesis for OS Components
• TA3 – Formal Methods and Synthesis for Control Systems
• TA4 – Research Integration
  • Sub-area 1: Formal-Methods Workbench
  • Sub-area 2: Integration of High-Assurance Components
• TA5 – Red Team

 

 

 

Government is interested to the definition in military sector of  tools and formal methods-based techniques to develop secure control algorithms for the creation of secure defense vehicles. The final control algorithms will be tested on various defense vehicles such as Rockwell Collins drones, Boeing helicopters and Black-I-Robotics ground robots, but the project is more ambitious, it has as final goal the definition of “a software that can write near-flawless code on its own”.

Reading the presentation of the HACMS program I was attracted by the Technical Area 5: Red Team (“Voice of the Offense”) that includes the static and dynamic assess security of the targeted vehicles. The phase also include a specific task on attacks based on injection of arbitrary code in the systems and the providing of  bogus values to the sensors of the vehicle. These were the most dangerous type of attacks observed until now, the program is also interested to preserve mission objectives from hacker attacks that could reveal sensible information during a conflict such as goal of the mission (e.g. reconnaissance or bombing), the locations of the troops on the territory and final targets of the attacks.

The deliverables of HACMS will be a set of publicly available tools integrated into a high-assurance framework, which will be distributed for use in both the military and commercial software sectors, the purpose is to promote these tools to generate, high-assurance and open-source operating system and control system components.

 

 

If the project will works it could represents a turning point in history, we will be able to design drones not attacked by hackers, we are very close to creating the perfect machine, and in this case what are the ethical implications related to human control in the decision-making loop of these vehicles?

Is it really possible the hypothesized scenario, is this our real goal?

Pierluigi Paganini