Breadcrumb

  1. Home
  2. Research
  3. Programs
  4. VET: Vetting Commodity IT Software and Firmware

VET: Vetting Commodity IT Software and Firmware

 

Program Summary

Government agencies and the military rely upon many kinds of Commercial Off-the-Shelf (COTS) commodity Information Technology (IT) devices, including mobile phones, printers, computer workstations and many other everyday items. Each of these devices is the final product of long supply chains involving many vendors from many nations providing various components and subcomponents, including considerable amounts of software and firmware. Long supply chains provide adversaries with opportunities to insert hidden malicious functionality into this software and firmware that adversaries can exploit to accomplish harmful objectives, including exfiltration of sensitive data and sabotage of critical operations.

Organizations often attempt to manage supply chain risk indirectly by investigating manufacturers and their business relationships, currently no accurate and cost-effective technical means exist for large enterprises to directly examine the software and firmware commodity IT vendors provide with every individual new device and update. In fact, a common perception among government and industry alike is that the problem of enterprise-scale vetting of the software and firmware on COTS IT devices is so difficult that it is unapproachable.

DARPA created the Vetting Commodity IT Software and Firmware (VET) program to address the threat of hidden malicious functionality in COTS IT devices. VET’s goal is to demonstrate that it is technically feasible to determine that the software and firmware shipped on commodity IT devices is free of broad classes of hidden malicious functionality. The program supports the White House’s 2009 Comprehensive National Cybersecurity Initiative, which specifically named developing a “multi-pronged approach for global supply chain risk management” as a key national security goal.

Specific VET program objectives include:

  • Enable analysts to anticipate the kinds of malicious functionality adversaries might hide in software and firmware of a given commodity IT device intended for a particular kind of deployment
  • Enable analysts to efficiently rule out the presence of hidden malicious functionality, accidental-seeming flaws and benign features with seemingly unintended negative consequences
  • Make it feasible to vet the software and firmware on board each and every individual commodity IT device deployed in a large enterprise, even in cases where an adversary has prepared the devices to deceive diagnostics and appear benign when they are in fact malicious

These three advances in combination would give government agencies a new capability: the ability to gain confidence in the software and firmware on their commodity IT devices by directly examining the devices themselves, rather than reasoning about their provenance.

Resources

Contact