Breadcrumb

  1. Home
  2. Research
  3. Programs
  4. CPM: Compartmentalization and Privilege Management

CPM: Compartmentalization and Privilege Management

 

Program Summary

For a cyber-attack to be successful, one must conduct a sequence of exploits to move from the initial system access, through privilege escalation and lateral motion steps, until reaching the ultimate target.

DARPA is pursuing an approach to cyber resilience that would subdivide software systems into smaller, secure compartments that prevent an initial attempt at penetration from becoming a successful attack.

Through its new Compartmentalization and Privilege Management (CPM) program, the agency seeks to develop tools that can automatically restructure a software system into many small compartments, each with a specific function and operating with the least privilege necessary to achieve its goals. Systems running software with least privilege compartments would be much more resistant to cyber attackers.

With processor hardware enhancements, fine-grained software compartmentalization would not significantly impact the system’s speed and efficiency. The challenge, however, is in the billions of lines of existing software, all of which would be impossibly time-consuming to rewrite in safer programming languages.

Legacy systems over their lifetimes tend to become more unstructured and consequently less compartmentalized. The goal of CPM will be to transform existing systems into resilient ones that prevent most cyber-attack campaigns from succeeding even if an adversary gains a foothold.

Successful CPM research will demonstrate the analysis and enforcement technologies necessary for compartmentalization of large-scale systems with high confidence and low development effort. Though CPM will focus on securing the vulnerable legacy code base, resulting solutions should also apply to new software.

CPM is a four-year program with two phases. Phase 1 will focus on technology development, specifically using the Linux operating system as the test and evaluation suite. Phase 2 will focus on demonstrating scalable capabilities on open-source systems representative of classes of computation important to the Department of Defense.

A Broad Agency Announcement solicitation with all program details is available on SAM.gov at this link: https://sam.gov/opp/d624b5ffc9d24e38b966a714cbbb4f7d/view

 

HR001123S0028: Proposers Day Recording

Contact