GrammaTech to develop security system for AFRL

October 4, 2010 − GrammaTech has been awarded a multi-year, $12.9M contract focused on improving software security. GrammaTech will lead the development and demonstration effort, working with subcontractors Raytheon Company, the University of Virginia School of Engineering and Applied Science, and the Georgia Institute of Technology; this team brings together world-class expertise in software analysis, security, and development. The effort is part of the Securely Taking On New Executable Software of Uncertain Provenance (STONESOUP) program, an initiative of the Intelligence Advanced Research Projects Activity (IARPA) Office of Safe and Secure Operations and administered by the Air Force Research Lab (AFRL).

STONESOUP seeks to address a key problem in today’s world: How can we use software securely if we do not know how or by whom the software was created, or where its component parts originated? Software is produced around the world; component parts come from many different places and are integrated into larger systems. The production of software increasingly involves contract software engineers and off-shore suppliers because it is often prohibitively expensive to generate a major system completely in-house. Accordingly, security-conscious users require ways to assure that the software they utilize performs no malicious actions. GrammaTech, Raytheon, the University of Virginia, and the Georgia Institute of Technology will combine state-of-the-art technologies that together will make a significant contribution to solving this problem.

According to Tim Teitelbaum, GrammaTech’s co-founder and CEO, “Application software is rarely subject to rigorous analysis; this lack of quality control is complicated by the fact that software producers can issue updates and fixes at a rate faster than present processes can evaluate their effects. In concert with our partners, we intend to advance automated techniques for software analysis, to combine them with methods for confining software execution so that known weaknesses cannot be exploited, to diversify software components so that residual vulnerabilities will be more difficult for attackers to discover or exploit, and to remediate software components with automatically-generated and evaluated software patches.”

Development and Demonstration Efforts
GrammaTech will apply its deep expertise in source and machine code analysis to discover and remediate software problems through static analysis and automated, high-coverage testing. GrammaTech will provide both program-analysis technology and research expertise. GrammaTech’s Dr. David Melski, an expert in static and run-time analysis, will be the principal investigator for this effort.

Researchers at the University of Virginia School of Engineering and Applied Science (led by Professors Jack Davidson and John Knight) will contribute expertise in translation of running software and runtime detection of memory errors, as evident in their Strata and MEDS tools; these technologies monitor running programs. Researchers at the Georgia Institute of Technology (led by Professor Wenke Lee) will build on their Secure In-VM Monitoring technology, which both reduces a program’s vulnerability to attack and confines the effects of software exploits. A group at Raytheon Company (led by Tom Bracewell) will provide large-scale integration capability and apply the integrated system to real-world applications.

The IARPA-sponsored project is an example of GrammaTech's growing success in applying its core technologies in program analysis of both source and machine code to improve safety, security, and robustness of desktop and embedded software.

About GrammaTech
GrammaTech’s static-analysis tools are used worldwide by startups, Fortune 500 companies, educational institutions, and government agencies. The staff includes twelve PhDs working on automated program analysis. The company has headquarters in Ithaca, NY.