Galois Awarded $16.5 Million DARPA Contracts To Address Electronic Document Vulnerabilities

Pair of contracts for DARPA SafeDocs Program designed to address cyber attacks that exploit security vulnerabilities in electronic documents

Galois today announced it has been awarded a pair of contracts totaling $16.5 million from the Defense Advanced Research Projects Agency (DARPA) SafeDocs program to develop novel defenses to cyber attacks that exploit unauthenticated or compromised electronic documents. The projects will also seek to develop high assurance parsers to enhance data security.

Today, government and commercial organizations rely on the near instantaneous delivery of electronic documents, messages, and other data. As volume has grown, so has the variety of electronic data formats (PDF, Word, Excel, ZIP, PNG, JPG, etc.), challenging organizations not only to verify that electronic information is being shared by trustworthy sources, but also to ensure the software used to process this data has not been compromised. The goal of the DARPA SafeDocs program is to dramatically improve software’s ability to detect and reject invalid or maliciously crafted input data, without impacting the key functionality of new and existing electronic data formats.

Galois has been tasked with two SafeDocs projects focused on reducing the sizable attack surface created across consumer, enterprise, and critical infrastructure systems and on helping to tackle the threat posed by unauthenticated and potentially compromised electronic data. For Technical Area (TA) 1, Galois aims to develop a more precise and deep understanding of practical formats – which are used to describe the structure of information communicated between programs, including between enterprise end-users via numerous electronic data formats and between Internet of Things (IoT) devices.

For TA 2, Galois aims to develop the Safe PARser Toolkit for Assurance (SPARTA) – a data parsing development toolkit that enables construction of secure, correct, intelligible, and efficient parsers in a domain-specific language designed specifically for parser construction. The SPARTA project targets parser development because parsers are ubiquitous in software and act as the gatekeeper between untrusted inputs and privileged internal data, yet parser bugs are a common source of critical security flaws. Currently more than 1,000 open parser bugs have been reported for the popular suite of Mozilla products, for example.

“Electronic documents and data formats that organizations rely on for day-to-day and mission critical operations remain a preferred entry point for cyber attackers intent on exploiting military and commercial systems,” said Dr. Bill Harris, Principal Scientist at Galois. “As methodologies for hacking advance, it will be critical to address potential vulnerabilities at all levels of the systems and stages of development.”

The TA 1 team working on format descriptions is led by Galois and includes Princeton University, Real-Time Innovations Inc., Trail of Bits Inc., and Tufts University.

The TA 2 team working on SPARTA is led by Galois and also includes Cornell University, Pennsylvania State University, and Purdue University.

For more information on the projects, visit https://galois.com/project/daedalus-and-sparta/

About Galois

Founded in 1999, Galois is a research and development lab that collaborates with commercial, defense, and intelligence organizations to tackle some of the world’s most difficult challenges in computer science. Galois obsesses over the reliability, safety and security of critical systems, and transitions cutting-edge, government-funded research into applied solutions that serve defense and commercial organizations. Galois spin-offs include Tangram Flex (tangraflex.com), Tozny (tozny.com), Formaltech (formal.tech), and Free & Fair (freeandfair.us). For additional information on Galois, visit galois.com.

This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. HR0011-19-C-0073. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA).