Government agencies and the military rely upon many kinds of Commercial Off-the-Shelf (COTS) commodity Information Technology (IT) devices, including mobile phones, printers, computer workstations and many other everyday items. Each of these devices is the final product of long supply chains involving many vendors from many nations providing various components and subcomponents, including considerable amounts of software and firmware. Long supply chains provide adversaries with opportunities to insert hidden malicious functionality into this software and firmware that adversaries can exploit to accomplish harmful objectives, including exfiltration of sensitive data and sabotage of critical operations.
Although organizations often attempt to manage supply chain risk indirectly by investigating manufacturers and their business relationships, currently no accurate and cost-effective technical means exist for large enterprises to directly examine the software and firmware that commodity IT vendors provide with every individual new device and update. In fact, a common perception among government and industry alike is that the problem of enterprise-scale vetting of the software and firmware on COTS IT devices is so difficult that it is unapproachable.
DARPA created the Vetting Commodity IT Software and Firmware (VET) program to address the threat of hidden malicious functionality in COTS IT devices. VET’s goal is to demonstrate that it is technically feasible to determine that the software and firmware shipped on commodity IT devices is free of broad classes of hidden malicious functionality. The program supports the White House’s 2009 Comprehensive National Cybersecurity Initiative, which specifically named developing a “multi-pronged approach for global supply chain risk management” as a key national security goal.
Specific VET program objectives include:
These three advances in combination would give government agencies a new capability: the ability to gain confidence in the software and firmware on their commodity IT devices by directly examining the devices themselves, rather than reasoning about their provenance.