By 2025, it is predicted that there could be as many as 100 billion connected IoT devices, or networks of everyday objects and sensors infused with intelligence and computing capability. These devices will include personal devices such as smart watches, digital glasses and fitness monitoring products, as well as food items, home appliances, plant control systems, equipment monitoring and maintenance sensors, and industrial robots. The military is also planning to employ IoT, which can serve warfighters better with more intelligence and more ways to coordinate actions among themselves.
The rapid growth in IoT devices, however, will offer new opportunities for hacking, identity theft, disruption, and other malicious activities affecting people, infrastructure and the economy. Until very recently, hackers had a limited number of vulnerable points of access: computers were protected by anti-virus software, and modems had complex inbuilt security measures. Smart home devices offer more access points than ever before: wireless lights, thermostats, home security sensors, intelligent streetlights, smart meters, and many more. These millions of sensors and devices present a great opportunity for hackers, and a great vulnerability to us all.
Without ample security measures, experts fear that an expanding IoT could create massive vulnerabilities across nearly all technologically-integrated spectrums. With interconnected systems, even one small security gap could create massive ripple effects. The IoT inherently creates billions of insecure new endpoints.
For the Internet of Things (IoT) and other embedded devices, exhaustive enumeration of the systems impacted by a given vulnerability is incumbent upon the device manufacturer. However, code reuse is a common practice in modern software development, and this practice has frequently resulted in the same or similar code existing across not only devices, but manufacturers. This presents a disadvantage for network defenders, as vulnerability disclosures for embedded devices commonly fail to fully articulate their impact.
In order to mitigate this issue, DARPA launched EVADE in Sep 2022 to address the challenge of automatically determining the exhaustive set of embedded devices impacted by publicly disclosed vulnerabilities, especially those beyond ones enumerated in public disclosures. Specifically, DARPA is seeking dynamic analysis-based approaches to identify the underreporting of Common Platform Enumerations (CPEs) associated with Common Vulnerabilities and Exposures (CVEs) for IoT and embedded devices. Successful proposals will address the challenges of conducting the analysis at scale in the IoT/embedded device ecosystem.
The program seeks breakthrough approaches to various technical challenges, including but not limited to:
• developing efficient algorithms and techniques to support cross-architecture detection of code reuse for programs of arbitrary complexity;
• creating high-fidelity models of IoT and embedded systems;
• addressing knowledge gaps in the IoT and embedded systems software supply chain/software bill of materials (SBOM); and,
• developing scalable analyses that enable the re-identification of semantically equivalent vulnerable code, even when such code exceeds the bounds of individual subroutines or executables across devices.
Performers will develop novel approaches to automated security assessments, detecting and assessing vulnerabilities extrapolated from a single published vulnerability or exploit. Their solution should scale across device types and instruction set architectures by determining semantically equivalent programs, subroutines, and vulnerable code across multiple devices and architectural frameworks.
Phase II will culminate in a system demonstration incorporating automated dynamic analysis for the recognition of semantically equivalent code across at least eight (8) devices and across two (2) of the instruction set architectures commonly used in IoT/embedded devices today (e.g., ARM, MIPS, PowerPC).
EVADE will primarily support national efforts to develop approaches that improve the cybersecurity of systems and networks making use of IoT/embedded devices. Outcomes have the potential to significantly benefit the DoD and numerous commercial entities by improving knowledge of the software supply chain/SBOM for critical networks and systems. Specifically, in the DoD space, EVADE technologies will improve the cybersecurity posture of Blue and Grey terrain environments; in the commercial space, EVADE technologies will have security applications for defense industrial base (DIB) entities seeking to improve their vulnerability management capabilities.