Risk
12/9/2013
02:18 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%
Repost This

DoD Selects Raytheon And GrammaTech To Develop Binary Analysis Security Tool

Companies to develop tools and techniques to enable organizations to inspect software and firmware inside network-enabled devices

CAMBRIDGE, Mass., (Dec. 9, 2013) — Raytheon BBN Technologies and GrammaTech, Inc. are collaborating on a $4.8 million contract award under the Defense Advanced Research Projects Agency’s VET program. Raytheon BBN Technologies is a wholly owned subsidiary of Raytheon Company (NYSE: RTN)

The VET (Vetting Commodity IT Software and Firmware) program seeks to help U.S. government agencies address the threat of malicious code and hidden “backdoor” access in commodity IT devices. Mobile phones, network routers, computer workstations and other networked devices can be secretly modified to function in unintended ways or spy on users. The funding was awarded Sept. 26, 2013.

Under the program, GrammaTech and Raytheon BBN intend to develop tools and techniques to enable organizations to inspect the software and firmware that exist inside such network-enabled devices and protect them from attack. Raytheon BBN Technologies plans to develop techniques that enable analysts to prioritize elements of software and firmware to examine for hidden malicious functionality.

GrammaTech plans to develop the tools that actually examine the software and firmware to allow analysts to demonstrate that they do not have exploitable security vulnerabilities.

“Our scientists are developing new technology that aims to advance the state-of-the-art for analyzing machine code,” said Tim Teitelbaum, Ph.D., GrammaTech chief executive officer. "We are leveraging these advances to create a tool that could confirm the absence of broad classes of vulnerabilities.”

“The U.S. Department of Defense relies on equipment with components manufactured all over the world,” said Jack Marin, Ph.D., vice president for Cyber Security at Raytheon BBN Technologies. “Any backdoors, malicious code or other vulnerabilities hidden in those components could enable an adversary to do serious damage, including the exfiltration of sensitive data and the sabotage of critical operations. The VET program seeks to enable DoD analysts to vigorously vet software and firmware devices before they are connected to our critical networks.”

About GrammaTech: GrammaTech is the leading developer of software-assurance tools and advanced cyber-security solutions. Originally founded at Cornell University, GrammaTech’s software analysis solutions are used by software developers worldwide, spanning a myriad of industries including avionics, medical, industrial control, and other applications where reliability and security are paramount. With both static and dynamic analysis techniques that analyze source code as well as binary executables, GrammaTech provides superior static analysis for better software. For more about GrammaTech, visit us at www.grammatech.com.

About Raytheon: Raytheon Company, with 2012 sales of $24 billion and 68,000 employees worldwide, is a technology and innovation leader specializing in defense, security and civil markets throughout the world. With a history of innovation spanning 91 years, Raytheon provides state-of-the-art electronics, mission systems integration and other capabilities in the areas of sensing; effects; and command, control, communications and intelligence systems; as well as a broad range of mission support services. Raytheon is headquartered in Waltham, Mass. For more about Raytheon, visit us at www.raytheon.com and follow us on Twitter @Raytheon.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web