DARPA Awards Galois $4.6M for Phase 3 of SafeDocs Program

Galois to Develop Innovative Qualified Parser Generator

The Defense Advanced Research Projects Agency (DARPA) has awarded Galois a $4.6 million contract for the final phase of the Safe Documents (SafeDocs) Program. As part of this contract ($1.25 million), Galois will be partnering with Real-Time Innovations (RTI) and Verocel, Inc. to develop a novel code generator for the Data Distribution Service (DDS™) standard interface description language.1 Inspired by discoveries made during the execution of the DARPA-funded SafeDocs Program, the code generator would allow users to write formats while automatically generating safe parsers and unparsers.

“A huge proportion of security vulnerabilities originate in parsing problems,” explained Galois Principal Scientist Mike Dodds. “We want to make systems that are resistant not just now, but in the future. Until now, developers have had to choose between parsers that are easy to develop but insecure and parsers that are difficult to develop but guaranteed secure. We want to bridge that gap to make safe parsing available to everybody.”

Current parsing technologies generate mostly uncertified code with no guarantee of correctness or safety. Certifying that code—a requirement for many defense and critical industry systems—is also expensive and time consuming.

“Software certification can cost hundreds of dollars per line of code depending upon the level,” said RTI Director of Research Paul Pazandak. “A qualifiable DDS code generator would be a market-first. It would shorten time to system deployment and reduce the cost to certify and to recertify these systems. We look forward to leveraging the advancements from DARPA SafeDocs and collaborating with Galois and Verocel on this effort.”

The SafeDocs project has already developed parser technologies that are safe by design, meaning many types of parser vulnerabilities cannot occur. Now, Galois engineers aim to create a parser generator that is itself qualified. The pre-qualified parsing process will automatically generate code that is guaranteed to be secure, making it dramatically easier to certify than current options. 

The result: rapid development of safe, highly effective parsers, which can enable critical systems to do their job as intended, and nothing more. 

Applications with a Global Impact

This game-changing technological innovation is made possible through leveraging and building from the foundational, problem-solving potential of the DaeDaLus technology tool chain—itself developed within the SafeDocs Program.

“We’re not just re-using the tools that we developed with SafeDocs,” said Dodds. “What we’re doing instead is even more exciting: we’re taking those research ideas and building a system designed for deployment in high assurance environments. Rather than a research tool, we’re building a tool for everyone.”

The potential applications are significant. The DDS technology for which the code generator will be developed and implemented is used all across the globe in industries including aerospace, defense, automotive, energy, and transportation. As SafeDocs enters its final phase, DARPA, Galois, and RTI are actively transitioning the fruits of their labor from the academic to the tangible—deploying their discoveries into the real world. From space missions to electric vehicles and beyond, Galois’s innovations are making system security cheaper, easier, and better than ever before. 

 


1 RTI maintains a suite of DDS-compliant certifiable commercial software, while Verocel brings expertise in qualifying code generators to certification standards including ISO26262 and RTCA DO178C, and helping to certify the first DO178C DAL A DDS product, RTI Connext Cert.

This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. HR001119C0076 Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA, and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Government.