Program Summary
Pervasive vulnerabilities in software deployed at scale pose a high risk to the United States and the global community. Without effective capabilities to rapidly triage and remediate them, computing infrastructures are susceptible to attacks of exponentially escalating volume and diversity. Executive Order 14028 recognizes the need to protect software supply chains with widespread dependency risks. It creates a policy foundation for software component transparency in software supply chains and requires a Software Bill of Materials (SBOM) that specifies the components and dependencies of a software product.
The Enhanced SBOM for Optimized Software Sustainment (E-BOSS) program aims to develop the capability to preempt or rapidly triage and remediate software vulnerabilities at an infrastructure scale through revolutionary changes in software build chains and runtime systems that enhance and complement SBOM technologies. E-BOSS will enhance SBOM technologies with new types of metadata and cyber-reasoning algorithms to determine whether flawed or sensitive code is reachable and triggerable.
These new cyber-reasoning capabilities will perform reachability analysis and inform rapid mitigations, such as blocking attack payloads associated with the recovered vulnerability triggers at appropriate system interfaces and code paths, or program transformations that deny the execution of vulnerability-triggering payloads.
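The two paragraphs above describe the core idea: an SBOM that lists components is extended with metadata about which functions call which, so that a reasoning step can decide whether a known-flawed function is actually reachable from the system's interfaces, and if so along which code path a mitigation should be placed. The following is an added illustration written for this page, not code from the E-BOSS program or from any SBOM standard. The SBOM layout, the per-component `callgraph` and `flawed` fields, the `entrypoints` list, the component names and the `VULN-PLACEHOLDER-*` identifiers are all constructed assumptions; real SBOM formats (SPDX, CycloneDX) carry components and dependency relations but no call-graph metadata of this kind.

```python
"""Reachability triage over an SBOM enriched with call-graph metadata.

Added illustrative example; not code from the E-BOSS program or any SBOM
standard. The SBOM layout, the 'callgraph' / 'flawed' / 'entrypoints'
fields and the vulnerability identifiers are constructed assumptions.
"""
from collections import deque

# Constructed, minimal SBOM. The 'callgraph' entries (caller -> callees) and
# 'flawed' entries (function -> vulnerability id) stand in for the extra
# metadata the text describes; the identifiers are placeholders.
SBOM = {
    "product": "example-service",
    "entrypoints": ["app:main"],  # functions exposed at the system boundary
    "components": {
        "app": {
            "version": "1.0.0",
            "callgraph": {
                "app:main": ["app:handle_request"],
                "app:handle_request": ["parser:parse_header", "codec:decode"],
            },
        },
        "parser": {
            "version": "2.3.1",
            "callgraph": {"parser:parse_header": ["parser:parse_field"]},
            "flawed": {"parser:parse_field": "VULN-PLACEHOLDER-1"},
        },
        "codec": {
            "version": "0.9.0",
            # decode_legacy is present in the component but never called
            "callgraph": {"codec:decode": [], "codec:decode_legacy": []},
            "flawed": {"codec:decode_legacy": "VULN-PLACEHOLDER-2"},
        },
    },
}


def merged_callgraph(sbom):
    """Merge every component's call-graph fragment into one adjacency map."""
    graph = {}
    for comp in sbom["components"].values():
        for caller, callees in comp.get("callgraph", {}).items():
            graph.setdefault(caller, []).extend(callees)
    return graph


def shortest_path(graph, roots, target):
    """Breadth-first search from the entry points; returns the shortest
    call path to `target` as a list of function names, or None if the
    target is unreachable from every root."""
    parents = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parents[fn]
            return path[::-1]
        for callee in graph.get(fn, []):
            if callee not in parents:
                parents[callee] = fn
                queue.append(callee)
    return None


def triage(sbom):
    """Return {vuln_id: (function, component, path_or_None)}.

    A non-None path means the flawed function is reachable from a system
    interface; the path is the evidence for where a payload filter or a
    program transformation would have to sit. None means the flaw is
    present in the deployed component but not on any reachable code path,
    so it can be deprioritised for this product."""
    graph = merged_callgraph(sbom)
    result = {}
    for name, comp in sbom["components"].items():
        for fn, vuln in comp.get("flawed", {}).items():
            result[vuln] = (fn, name, shortest_path(graph, sbom["entrypoints"], fn))
    return result


if __name__ == "__main__":
    for vuln, (fn, comp, path) in triage(SBOM).items():
        status = " -> ".join(path) if path else "not reachable from entry points"
        print(f"{vuln}: {comp}/{fn}: {status}")
```

Run stand-alone, the script reports the first placeholder flaw as reachable via `app:main -> app:handle_request -> parser:parse_header -> parser:parse_field` and the second as unreachable; the first is the one that merits an immediate mitigation at the request-handling interface, the second can wait for a routine component update.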
The key hypothesis of E-BOSS is that new metadata and algorithms added to a state-of-the-art software toolchain will dramatically accelerate triage and remediation at scale. Moreover, this approach would accomplish these results in days or hours rather than months under practical space and performance trade-offs.
E-BOSS will leverage, enhance, and complement emerging SBOM standards to deliver practical results. DARPA also intends to transition the resulting code to open-source communities, so stay tuned for additional information, which will be added here when appropriate.
A Broad Agency Announcement solicitation with comprehensive program details is available on SAM.gov at this link: https://sam.gov/opp/ae864118f3334def86f7e08cd39b6dbd/view