The Defense Advanced Research Projects Agency (DARPA) awarded RTX’s BBN Technologies a contract Thursday that will support the agency’s Compartmentalization and Privilege management (COM) program.
The CPM worker to enhance cyber resilience by automatically subdividing software systems into smaller, secure compartments while will prevent breaches from escalating into full-blown cyberattacks, officials said. With the new contract, RTX BBN Technologies will create an Analysis and Restructuring for Containment (ARC) tool that can hinder unauthorized privilege escalations and lateral movements within software systems. The ARC technology will be engineered to analyze large code bases and construct smaller, secure compartments. Officials said the technology will apply the principle of least privilege to the sub-program level, and ensure only the minimum access necessary is granted to execute code. The approach, officials said, will limit the scope of potential damage in a cyberattack.
“Today’s complex attack surfaces and increasingly sophisticated cyberattacks mean that even a single point of vulnerability can compromise an entire system,” Aaron Paulos, BBN principal investigator, said. “Our solution will enhance the security of critical software systems while preserving performance, which is essential for maintaining operational readiness. The goal is to create compartments that isolate risks, making systems more resistant to cyberattacks.”
According to the U.S. Government Accountability Office, the U.S. Department of Defense experienced more than 12,000 cyber incidents in the years since 2015. The most common attack involved a hacker gaining access to a system and then taking advantage of coding errors that allow them to escalate their system privileges to gain further access into the system.
ARC will build on BBN’s prior work in cybersecurity and software analysis and integrate capabilities that automate program analysis to identify potential threats in software; verify program restructuring to improve security and controls; and automate reasoning to develop effective security solutions.
The BBN-lead team includes Northwestern University, George Washington University and Kestrel Institute. Work on the program will be completed in Cambridge, Mass.; Evanston, Ill.; Washington, D.C.; and Palo Alto, Calif.