Charles River Analytics, a developer of intelligent systems solutions, announces a contract awarded by the Defense Advanced Research Projects Agency (DARPA) to protect commodity IT devices such as printers and phones from cyber attacks. This Broad Agency Announcement contract is part of DARPA’s Vetting Commodity IT Software and Firmware (VET) program and is valued close to $2.4 million over a twenty-five month period, with an option to extend the contract for an additional two years at just under $2.5 million.
The US military uses a large number of IT products, such as printers, scanners, networking devices, PCs, and mobile phones. These devices are built from multiple components that are often built overseas with limited oversight and then shipped to the US. This supply chain provides multiple opportunities for adversaries to insert hidden malicious functionality. VET seeks to address this vulnerability by supporting a Comprehensive National Cybersecurity Initiative from the White House that named a “multi-pronged approach for global supply chain risk management” as a key national security goal.
As part of VET, Charles River is developing a program called How to Avoid Malice Using Linguistics-Inspired Exploit Testing, or HAMLET. HAMLET identifies the potential vulnerabilities that could be exploited or inserted by an adversary and develops effective testing plans to detect these vulnerabilities. HAMLET applies advanced analysis techniques adapted from the field of linguistics, an innovative approach to the problem of vulnerability identification and adversary detection. By developing revolutionary new technologies that analyze the firmware and software in device components, HAMLET aims to drastically reduce the vulnerabilities of IT devices by providing a clear benefit to both military and civilian users of these devices.
“HAMLET seeks to address three key components of the VET program,” explained Catherine Call, Technical Lead for HAMLET at Charles River. “First, we are working with security domain experts to thoroughly understand the kinds of malicious attacks that can be made against commodity IT devices. Second, we are using this knowledge to automatically identify vulnerability combinations or malicious code that might be used by an adversary to attack a particular device and its components. Third, we are developing an efficient testing plan that demonstrates the presence or absence of this malice; this plan minimizes the number of required tests and the amount of time required by human experts to run those tests.”
HAMLET builds on previous Charles River contracts with DARPA, such as the Cyber Genome program. DARPA created the Cyber Genome program to combat the growing threat of cyber attacks on US resources. As part of the program, Charles River developed Malware Analysis and Attribution using Genetic Information, or MAAGI. MAAGI combines ideas and techniques from biological evolution, reverse software engineering, and linguistics to rapidly identify the source and intent of new malware attacks.
MAAGI is used to explore the lineage and relationships of malware
About Charles River Analytics
Since 1983, Charles River Analytics (cra.com) has been delivering intelligent systems that transform our customers' data into mission-relevant tools and solutions to support critical assessment and decision-making. Charles River continues to grow its technology, customer base, and strategic alliances through research and development programs for the DoD and the Intelligence Community, addressing a broad spectrum of mission areas and functional domains, including: sensor and image processing, situation assessment and decision aiding, human systems integration, and cyber analytics. These efforts have resulted in a series of successful products that support continued growth in our core R&D contracting business, as well as the commercial sector. Charles River became an employee-owned company in 2012, to set the stage for the next-generation of innovation, service, and growth.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)