Subreption awarded with DARPA Cyber Fast Track contract for next generation dynamic memory defenses

January 2012. Subreption LLC has been awarded with a DARPA Cyber Fast Track contract (under solicitation DARPA-RA-11-52) to research and develop the next generation of proactive defenses designed to deter exploitation of security vulnerabilities related to dynamic memory allocators, in operating system cores and applications.

The DARPA Cyber Fast Track initiative has funded proposals from some of the most prestigious security firms and individuals in the industry, including Duo Security and Immunity Federal Services, among others. It is the first program of its kind, created by the US government to fund novel research and improve the state of the art in security for the US defense community. Participants are allowed to retain intellectual and commerce rights to their ideas, contrary to previous initiatives of similar nature in the private sector.

Subreption has a strong focus on developing cutting edge security technologies, with past projects including KERNHEAP, a revolutionary set of security mitigations for the Linux kernel, HIPSMAC, a host-intrusion prevention system for Apple Macintosh Tiger and Leopard which never made it out of the skunk works lab and US National Security Agency’s Security-Enhanced Linux (SELinux) memory permissions enforcement support.

DARPA is funding Subreption to research the current state of affairs related to dynamic memory allocators in open source operating systems, including Linux and BSD variants, to develop pragmatic defenses against vulnerabilities such as kernel and application heap buffer overflows, as well as determining the impact and feasibility of protecting proprietary systems and prevent or thwart future advances from an adversarial perspective.

Expected protections include meta-data integrity assurance, runtime verification, cache randomization and prevention of post-release data accesses and information leaks. While a definitive protection is unrealistic in the arms race of defensive-offensive security disciplines, we believe our work will impact the landscape of vulnerabilities significantly, raising the bar for adversaries exploiting dynamic memory flaws.

Subreption intends to develop a commercial product and services for Linux/Unix and proprietary software vendors from the private sector, while providing the community with advances and publications to increase awareness about dynamic memory security and novel concepts to protect modern operating systems.

Subreption awarded with DARPA Cyber Fast Track contract for next generation dynamic memory proactive defenses R&D

Approved for Public Release, Distribution Unlimited.

The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.