OUSD (R&E) critical technology area(s): Cybersecurity
Objective: Secure messaging platforms offer the promise of security, but like all software, they have flaws which are increasingly used by Advanced Persistent Threat (APT) groups to gain malicious access to sensitive communications. With billions of users worldwide, secure messaging applications (SMAs) represent a vulnerable, and ubiquitous, part of the software ecosystem. For most, the decision to transition from unencrypted communication platforms to SMAs offers a sense of security. However, while the cryptographic protocols used by SMAs have well-understood and well-tested security properties, little has been done to systematically assess the security risks of the applications themselves: the code that interacts with the network and the mobile operating system. This represents an enormous attack surface, remotely reachable by an attacker. APT groups have recognized the malicious potential of such platforms, and the demand for capabilities that exploit SMAs has been steadily rising.
This Defense Advanced Research Projects Agency (DARPA) topic is seeking novel approaches to defend SMAs by modeling their security risks and recommending defensive measures to protect these critical platforms.
Description: SMAs are a class of applications running on mobile devices which are increasingly targeted by malicious attackers, such as APT groups. Not only do they transmit private communications that the user believes to be secure, but SMAs can reduce the security of the mobile device itself: unlike most mobile applications, an attacker only needs a phone number or username to communicate directly with the SMA. The SMAs in wide use today all share similar cryptographic protocols, software architectures and feature sets. To best understand the risks and weaknesses inherent to such applications, this effort will develop models, frameworks, and methods of evaluation to defend SMAs from real-world attack.
While most SMAs invest heavily in securing their cryptographic protocols, less emphasis is given to the security of the software itself. As these applications grow and introduce new features to entice users, their attack surface expands without the security risks being accurately understood. This effort would model the attack surface of SMAs for mobile devices and identify where security boundaries, protections, and mitigations could be introduced. This effort would then develop a framework to assess and ensure the efficacy of these security measures.
The results of this effort will provide actionable and tested recommendations for protecting and defending such applications. The resulting tools and techniques will not only enable SMA developers to better secure their platforms, but will also allow users and decision-makers to perform informed risk analysis of their SMA usage, better equipping them to accurately understand the security of their data as encrypted communication becomes embedded in daily life.
The program seeks novel approaches to key technical challenges, including but not limited to:
- Characterizing and modeling the attack surface of SMAs.
- Developing a framework that identifies and recommends security boundaries, protections, and mitigations for SMAs.
- Developing tools and techniques for evaluating the security features of SMAs.
Phase I
This is a Direct to Phase II (DP2) solicitation. Therefore, Phase I proposals will not be accepted or reviewed. Phase I feasibility will be demonstrated through evidence of: a completed feasibility study or a basic prototype system; definition and characterization of properties desirable for both Department of Defense (DoD) and civilian use; and comparisons with alternative state-of-the-art methodologies (competing approaches). This includes determining, insofar as possible, the scientific and technical merit and feasibility of ideas appearing to have application to the core objective of creating a framework to assess the security of SMAs. Proposers interested in submitting a DP2 proposal must provide documentation to substantiate that the scientific and technical merit and feasibility described above have been met and describe the potential military or commercial applications. DP2 feasibility documentation should include:
- technical reports describing results and conclusions of existing work, particularly regarding the commercial opportunity or DoD insertion opportunity, and risks/mitigations, assessments
- presentation materials and/or white papers
- technical papers
- test and measurement data
- prototype designs/models
- performance projections, goals, or results in different use cases
This collection of material will verify mastery of the required content for DP2 consideration. DP2 proposers must also demonstrate knowledge, skills, and ability in computer science, vulnerability research, and software engineering. For detailed information on DP2 requirements and eligibility, please refer to the DoD BAA and the DARPA Instructions for this topic.
Phase II
The goal of this topic is to design and develop prototype models, frameworks, and methods of evaluation to defend SMAs from real-world attacks.
DP2 proposals should:
- describe a proposal to achieve the aforementioned goals;
- present a technical plan and approach, with notable risks/mitigations; and
- detail proposed metrics and scope for final evaluation.
Phase II will culminate in a demonstration that shows compelling use cases consistent with commercial opportunities and/or insertion into a DARPA program which seeks to establish automated vulnerability discovery capabilities for cybersecurity applications.
The schedule of milestones and deliverables below is provided to establish expectations and desired results/end products for the Phase II period effort.
Schedule/Milestones/Deliverables: Proposers will execute the Research and Development (R&D) plan as described in their proposal, including the following:
- Month 1: Phase I Kickoff briefing (with annotated slides) to the DARPA Program Manager (PM) including: any updates to the proposed plan and technical approach, risks/mitigations, schedule (inclusive of dependencies) with planned capability milestones and deliverables, proposed metrics, and plan for prototype demonstration/validation.
- Month 4: Quarterly technical progress report detailing technical progress to date, tasks accomplished, risks/mitigations, a technical plan for the remainder of Phase II (while this would normally report progress against the plan detailed in the proposal or presented at the Kickoff briefing, it is understood that scientific discoveries, competition, and regulatory changes may all have impacts on the planned work and DARPA must be made aware of any revisions that result), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
- Month 7: Interim technical progress briefing (with annotated slides) to the DARPA PM detailing progress made (including quantitative assessment of capabilities developed to date), tasks accomplished, risks/mitigations, planned activities, technical plan for the second half of Phase II, the demonstration/verification plan for the end of Phase II, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
- Month 10: Quarterly technical progress report detailing technical progress made, tasks accomplished, risks/mitigations, a technical plan for the remainder of Phase II (with necessary updates as in the parenthetical remark for Months 4 and 7), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
- Month 14: Final technical progress briefing (with annotated slides) to the DARPA PM. Final architecture with documented details; a demonstration of the prototype’s ability to improve an understanding of SMA security against real-world attacks; documented APIs; and any other necessary documentation (including, at a minimum, user manuals, a detailed system design document, and the commercialization plan).
- Month 19 (Phase II Option period): Interim report of matured prototype performance against existing state-of-the-art technologies, documenting key technical gaps towards productization.
- Month 24 (Phase II Option period): Final Phase II Option period technical progress briefing (with annotated slides) to the DARPA PM including prototype performance against existing state-of-the-art technologies, including demonstration of the prototype's applicability against at least one real-world SMA.
Phase III dual use applications
Phase III work will be oriented towards transition and commercialization of this topic. Phase III funding should be obtained from either the private sector, a non-SBIR Government source, or both, to develop the prototype software into a viable product or non-R&D service for sale in military or private sector markets. Phase III refers to work that derives from, extends, or completes an effort made under prior SBIR funding agreements, but is funded by sources other than the SBIR Program. A vulnerability framework for attacks representing the entire attack surface of a secure messaging application will support national efforts in both commercial and military applications for better securing communications. Users of the framework and the results of the security assessment will be able to mitigate risks and develop proper communication protocols for their staff to ensure security and privacy.
Keywords
Cybersecurity, secure software design, cyber defense, computer communications, secure messaging application
TPOC-1
DARPA BAA Help Desk
Opportunity
HR0011SB20254-12
Publication: Sept. 3, 2025
Closes: Oct. 22, 2025
DoD SBIR 2025.4 | Release 12