Communications of the ACM
Less Code Is Better Code, Says DARPA
DARPA program manager Peiter Zatko
Courtesy of DARPA
The American government may soon introduce the specifics of a new, lean code approach to security research if Peiter Zatko, a renowned hacker turned U.S. Defense Advanced Research Projects Agency (DARPA) program manager, can successfully meld the disparate cultures of research boutiques, hacker spaces, and maker labs with federal government funding and procurement.
“This is not a recruiting pitch trying to get folks to support the government,” Zatko, a senior official with DARPA's Strategic Technology Office, said in his keynote speech at the ShmooCon security conference in January. “I want the government to modify and change and make itself a resource to enable this sort of work.”
To that end, Zatko introduced Cyber Fast Track, a program designed to change the way hackers and research boutiques view engaging with federal agencies, which are set up for what he called “multi-million dollar, multi-year-long efforts.” Instead, Cyber Fast Track will hire individuals and small teams via short, fixed-price DARPA contracts to create lean code cybersecurity programs.
While security platforms are growing ever larger and cumbersome, malware designers are still writing lean and mean code, Zatko notes. By 2005, he said, a typical unified threat management suite contained 10 million lines of code, while the average piece of malware contained only 125 lines. Such a disparity, plus governmental mandates to create a cost-effective uniform architecture, has placed defenders of crucial infrastructure in an untenable position. Zatko said a development curve for that 125 lines of code project can still probably involve just a few programmers spending three months' time on it. However, the multi-million-line of code security suite may actually be introducing more vulnerabilities due to its sheer size, which also makes troubleshooting such vulnerabilities much more difficult.
Zatko noted that monoculture mandates sound efficient, but often fail to consider the fluidity of situations such as front-line combat networks. Operational demands of such networks can lead users to accidentally introduce viruses via vectors such as tainted USB drives, leading to one bug being replicated through thousands of systems.
Zatko said he hoped to have the Cyber Fast Track program “on the street” about the end of April, but was unavailable to comment on specifics.
If successful, the initiative may capitalize on what Zatko calls the “apprenticeship” paradigm real-world security research encourages. Universities, he says, are good at teaching math, which essentially means cryptography, and commercial ventures have expertise in deploying specific existing tools.
It's the boutique shop and hacker space, he says, that is doing the real cutting-edge research, by asking, “What tools are missing, and how do I make them?”
“When we do stuff this way, we are the asymmetric advantage,” Zatko said.
Resources
Peiter Zatko's ShmooCon keynote speech: www.youtube.com/watch
DARPA Strategic Technology Office: web-ext2.darpa.mil/our_work/STO/
Gregory Goth is an Oakville, CT-based writer who specializes in science and technology.
No entries found