It is likely every IT security person's nightmare: the new mobile phone, network router or computer they just tied into the network actually has a secret backdoor that gives malicious users or governments unfettered access to the company's assets.
That sort of fear is behind a new program, known as Vetting Commodity IT Software and Firmware (VET), that researchers at the Defense Advanced Research Projects Agency (DARPA) will discuss on December 12th. VET will look to develop systems that can verify the security of commercial IT devices. IT's growing dependence on the global supply chain makes device, software and firmware security an imperative, DARPA stated.
"Backdoors, malicious software and other vulnerabilities unknown to the user could enable an adversary to use a device to accomplish a variety of harmful objectives, including the exfiltration of sensitive data and the sabotage of critical operations. Determining the security of every device the Department of Defense uses in a timely fashion is beyond current capabilities," DARPA stated.
According to DARPA, VET will address three technical challenges:
- Define malice: Given a sample device, how can DoD analysts produce a prioritized checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out?
- Confirm the absence of malice: Given a checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out, how can DoD analysts demonstrate the absence of those broad classes of hidden malicious functionality?
- Examine equipment at scale: Given a means for DoD analysts to demonstrate the absence of broad classes of hidden malicious functionality in sample devices in the lab, how can this procedure scale to non-specialist technicians who must vet every individual new device used by the Department of Defense prior to deployment?
"DoD relies on millions of devices to bring network access and functionality to its users," said Tim Fraser, DARPA program manager, in a statement. "Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."