[langsec-discuss] Draper / DeepCode press release

dan at geer.org dan at geer.org
Wed Mar 18 23:51:49 UTC 2015


% lynx --dump http://www.prweb.com/releases/2015/03/prweb12589447.htm


Draper's DeepCode Could Spot, Fix Software Flaws Before Release

   CAMBRIDGE, MA (PRWEB) March 17, 2015

   Flawed software, the root of most program errors and security
   vulnerabilities, is a critical enabler of cyber crime. Estimated
   to cost the global economy $445 billion per year, cyber crime
   impacts individuals, businesses, and national economies, and it
   causes devastating consequences for those affected.

   Draper Laboratory is developing a solution that automatically
   detects and repairs software errors and vulnerabilities prior
   to release of new software programs. Draper's DeepCode seeks to
   prevent flaws in software programs such as those created by the
   Heartbleed bug, which left most Internet users' private data
   vulnerable to theft.

   "Draper is applying big-data analytics to automatically discover
   software vulnerabilities," said Draper President and CEO Kaigham
   J. Gabriel. "This novel approach attempts to do what neither
   static nor dynamic testing techniques have been able to accomplish
   to date--automatically find all known vulnerabilities in binary
   and source code."

   "DeepCode will examine terabytes of open-source software to learn
   about the fundamental nature of good and bad code for both
   government and commercial applications," explained Brad Gaynor,
   associate director for Cyber Systems at Draper. "Once trained,
   DeepCode will analyze new and existing software projects (both
   binary and source), automatically identify flawed program segments,
   and recommend code repairs to replace the vulnerable software
   components with more secure versions," Gaynor said.

   In instances where DeepCode has not previously encountered a
   particular code segment in the wild, the newly discovered region
   is analyzed for flawed design patterns mined from the large
   training set. Even in the rare case that DeepCode encounters
   entirely novel code, the time required to manually vet a software
   project would be significantly reduced by limiting offline
   analysis to the novel region--reducing the software assurance
   workload by several orders of magnitude.

   This program represents the first time deep learning techniques,
   a set of algorithms that enable software to mimic the human
   brain's ability to recognize patterns, are being applied to
   analyze software structure and semantic content. In an earlier
   study, Draper's DeepCode team used deep learning analytics to
   successfully identify synthetic Advanced Persistent Threats from
   within large volumes of otherwise benign network traffic. The
   specific type of neural network used in the study is being
   repurposed for Draper's DeepCode engine.

   Draper's team includes Prof. Andrew Ng, a leading expert in
   machine learning from Stanford University, who founded and led
   the "Google Brain" project, which, among other achievements,
   developed deep learning neural networks that learned to recognize
   cats after processing 10,000,000 digital images pulled from
   YouTube videos. Paradigm 4, Inc. rounds out the Draper team,
   providing extensions to its SciDB Data Management and Analysis
   System to support efficient implementations of deep learning
   algorithms.

   Draper is developing DeepCode under contract to the U.S. Air
   Force Research Laboratory and the Defense Advanced Research
   Projects Agency (DARPA) in support of DARPA's Mining and
   Understanding Software Enclaves (MUSE) program. Draper's
   cybersecurity work with DARPA also includes the High Assurance
   Cyber-Military Systems (HACMS) program, where Draper provides
   the voice of the offense as the Government's prime contractor
   for red team and penetration testing. In addition to normal
   penetration testing, Draper is developing unique tools using
   formal methods to detect and pinpoint vulnerabilities in machine
   code. The approach is scalable and will allow the U.S. Government
   and commercial companies to formally verify the absence of
   vulnerabilities in real-time cyber-physical systems.

   Draper Laboratory

   As an independent, not-for-profit engineering research and
   development organization, Draper Laboratory serves the interests
   of clients in fields such as national security, space, biomedical
   and energy. We leverage core capabilities in guidance and
   navigation, information and decision systems, high reliability
   systems, sensors and control, and integrated micro systems to
   deliver fieldable, innovative solutions.

   ...