INGOTS aims to speed up identification and remediation of vulnerabilities using near-full automation
Jun 23, 2023
It's no secret that developers and cyberspace defenders must accurately understand risks within software and hardware to maintain a robust security posture. Today, sophisticated cyberattacks link multiple vulnerabilities to bypass security measures and compromise critical, high-value devices. Yet critical vulnerabilities often go unfixed as resources are allocated to less significant issues.
That is because today’s metrics fail to capture numerous nuanced factors that differentiate a harmless software flaw from a potent vulnerability. Without accurate methods to measure the exploitability of a particular vulnerability, developers and defenders must rely on empirical evidence to assess its severity and prioritize it for remediation. Such evidence requires time and costly resources and is often insufficient or incomplete, especially for vulnerabilities within complex systems.
DARPA’s Intelligent Generation of Tools for Security (INGOTS) program aims to identify and fix high-severity, chainable vulnerabilities before attackers can exploit them. INGOTS will pioneer new techniques driven by program analysis and artificial intelligence to measure vulnerabilities within modern, complex systems, such as web browsers and mobile operating systems.
"In an attack paradigm where exploitability depends on the emergent behavior of vulnerability combination, risk depends on understanding the complex relationships between neighboring vulnerabilities," said Perri Adams, INGOTS program manager in DARPA's Information Innovation Office. "Rather than develop a fully automatic process, we want to create a computer-human pipeline that seamlessly allows human intervention in order to fix high-severity vulnerabilities before an attack."
Successful INGOTS research will improve software and hardware resiliency of pervasive commercial devices by rapidly identifying and prioritizing their most dangerous flaws.
INGOTS is a three-year program with two phases. Phase 1 will focus on exploring, designing, developing, and demonstrating tools and techniques. Phase 2 will focus on maturing and refining these tools and techniques and expanding their coverage across vulnerability and exploitation classes. Each phase will have intermediate meetings, hackathons, and demonstrations and will end with an evaluation in collaboration with government partners.
An INGOTS Proposers Day is scheduled for June 30, 2023. Register to attend in person or virtually at https://creative.gryphontechnologies.com/darpa/i2o/ingots/pd/. The deadline for registration is 5 p.m. ET, June 23, 2023.
A broad agency announcement solicitation with all program details and instructions for submitting proposals is available on SAM.gov at this link: https://sam.gov/opp/7afef7eed5db4ff490971d0667cbaa48/view
Editor’s note: Updated July 8, 2024. The INGOTS program was initially published June 23, 2023. However, during the scientific review process, DARPA determined that a revised programmatic and technical structure for the INGOTS solicitation was necessary. Access the updated solicitation at https://sam.gov/opp/98406eb5b34641468e25287249077c48/view.
Editor’s note: Updated July 7, 2023, to include an updated SAM.gov link to the broad agency announcement.
Editor’s note: Updated June 26, 2023, to include a link to the INGOTS Broad Agency Announcement.
###
Media with inquiries should contact DARPA Public Affairs at outreach@darpa.mil.