Vulnerabilities / Threats
12/3/2012
11:48 AM

DARPA Looks For Backdoors, Malware In Tech Products

In the wake of concerns about Huawei and ZTE equipment security, defense research agency seeks help identifying backdoors and malicious capabilities in software and firmware.

Does commercial, off-the-shelf software or hardware contain built-in backdoors to give foreign attackers direct access to corporate or government networks, or pose some other type of information security risk? The Department of Defense wants to find out.

The Defense Advanced Research Projects Agency (DARPA) Thursday published details of its new Vetting Commodity IT Software and Firmware (VET) program, which the agency said is designed to find "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices -- those commercial information technology devices bought by DOD -- to ensure they are free of hidden backdoors and malicious functionality."

DARPA's new program seeks to overcome three current, related technical challenges associated with that task: identifying which capabilities in a device could be malicious; using that list as a checklist to assess if any given device actually is malicious; and then using that knowledge to allow a non-technical expert to test every instance of every device before it gets rolled out in a Department of Defense network.

"DOD relies on millions of devices to bring network access and functionality to its users," said DARPA program manager Tim Fraser in a statement. "Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."

The launch of DARPA's new program comes after the U.S. House of Representatives Permanent Select Committee on Intelligence in October 2012 issued a scathing report on Chinese telecommunications companies Huawei and ZTE, saying that they "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." The committee "strongly encouraged" businesses in the United States to look elsewhere for their technology.

That recommendation was based not on an inspection of either vendor's firmware code, but on a review of the companies' business practices. Still, the report raised a larger and much more difficult question: Did the devices actually contain built-in backdoors?

Unfortunately, answering that type of question can be quite difficult, as it requires both a complete review of the code base and the ability to surmise which built-in capabilities may be put to nefarious use. Notably, one independent security expert who closely studied two different models of Huawei routers noted that existing bugs in the firmware, seemingly present due to sloppy coding, would have allowed a would-be attacker to compromise the devices, irrespective of whether any purpose-designed backdoor functionality was present.

DARPA will host a "proposer's day" December 12 in Arlington, Va., to brief anyone who's interested in participating in its new VET program.

Comments
PJS880,
User Rank: Ninja
12/17/2012 | 8:18:34 AM
re: DARPA Looks For Backdoors, Malware In Tech Products
If the DOD is worried about palate backdoor and other malicious items that will allow access to their systems and cause potential damage, then why not create in-house software and hardware to know exactly what is and is not present? As far as the sloppy coding on the routers, we all know human error is the biggest reason for many mistakes. So this is an in-house test they are performing on their own machines?

Paul Sprague
InformationWeek Contributor
John Foley,
User Rank: Apprentice
12/3/2012 | 10:36:38 PM
re: DARPA Looks For Backdoors, Malware In Tech Products
The challenge of securing the federal IT supply chain is well known. (See InformationWeek Government's "Securing The Cyber Supply Chain" report from 2009.) Take that and multiply by a million mobile devices and apps, and you get a sense of what DOD is up against. The challenge is one of A) control [DOD has less of it in the mobile world], and B) unprecedented scale. DARPA acknowledges that the perception, at least, is that "this problem is simply unapproachable." It will be interesting, and not just for the Pentagon, to see what ideas are brought forward. Many large businesses face the same challenge.