Breadcrumb

  1. Home
  2. Research
  3. Programs
  4. CHESS: Computers and Humans Exploring Software Security

CHESS: Computers and Humans Exploring Software Security

 

Summary

The Department of Defense (DoD) maintains information systems that depend on Commercial off-the-shelf (COTS) software, Government off-the-shelf (GOTS) software, and Free and open source (FOSS) software. 

Securing this diverse technology base requires highly skilled hackers who reason about the functionality of software and identify novel vulnerabilities. This process requires hundreds, if not thousands of hours of manual effort per discovered vulnerability and does not scale sufficiently to secure the continuously growing technology base. 

Hackers use program analysis techniques and tools to identify and mitigate vulnerabilities, but this process requires considerable expertise, manual effort, and time. Automated program analysis capabilities can reason over only a few vulnerability classes without human involvement, such as memory corruption or integer overflow, but cannot address the majority of vulnerabilities. 

These unaddressed vulnerability types depend on subtle semantic and contextual information, which is beyond the grasp of modern automation. Scaling up existing approaches to address the size and complexity of modern software packages is not possible given the limited number of expert hackers in the world, much less the DoD.

The Computers and Humans Exploring Software Security (CHESS) program aims to develop capabilities to discover and address vulnerabilities of all types in a scalable, timely, and consistent manner. 

Achieving the necessary scale and timelines in vulnerability discovery will require innovative combinations of automated program analysis techniques with support for advanced computer-human collaboration. Due to the cost and scarcity of expert hackers, such capabilities must be able to collaborate with humans of varying skill levels, even those with no previous hacking experience or relevant domain knowledge.

The CHESS program will research the effectiveness of enabling computers and humans to collaboratively reason over software artifacts, such as source code and compiled binaries, with the goal of finding 0-day vulnerabilities at a scale and speed appropriate for the complex software ecosystem upon which the U.S. Government, military, and economy depend. Achieving these goals will require research breakthroughs in:

  • Developing instrumentation to capture and analyze the process by which hackers reason over software artifacts to provide a basis for developing new forms of highly effective communication and information sharing between computers and humans;
  • Creating techniques for addressing classes of vulnerability that are currently hampered by information gaps and require human insight and/or contextually sensitive reasoning;
  • Generating representations of the information gaps for human collaborators of varying skill levels to reason over;
  • Integrating human-generated insights into the vulnerability discovery process;
  • Emitting a Proof of Vulnerability to confirm existence of the 0-day vulnerability, and generating a non-disruptive, specific patch to neutralize the 0-day vulnerability; and
  • Synthesizing vulnerable Challenge Set corpora representative of large, real world, complex software packages.

CHESS Broad Agency Announcement 

 

Contact