The Defense Advanced Research Projects Agency (DARPA) awarded Galois a $10 million contract under its Cyber Fault-tolerant Attack Recovery (CFAR) program to secure cyber vulnerabilities in military and commercial legacy systems, the company said today.

The DARPA CFAR program aims to find breakthroughs in defensive cyber techniques to protect existing and future software systems in military and civilian contexts without having to change the concept of operations for the systems. The approach is based on introducing diversity into the software ecosystem, which provides protection through variation and unpredictability, analogous to the way genetic variation in biological systems checks disease.


This contrasts with the present approach to software security, which places defenders at a disadvantage because they must constantly catch up with attackers and try to cover every exploitable path, while attackers only need to succeed once in each system. Additionally, having to rely on individual software vendors to patch software in a timely manner adds to the defender's disadvantage, Galois said.

Galois will lead a team that also includes Trail of Bits; Immunant; and the University of California, Irvine, to support the DARPA goal by developing novel ways to prove correctness, security, and related properties of existing and future software systems, the company said.

Galois said its Robust, Assured Diversity for Software Systems (RADSS) solution will explore the kinds of diversity-based defenses relevant to new classes of attack. RADSS will also address challenges that currently prevent the widespread deployment of these technologies, including establishing trust in the system and the diversified variants, enabling smooth recovery in case of attack, diversifying binary-only programs, and supporting multi-threaded and multi-process applications.

“By combining multi-execution and software diversity, the CFAR program qualitatively changes the calculus of defense,” Stephen Magill, software security research lead at Galois, said in a statement.

“Many modern defenses are based on adding unpredictability to software, thereby decreasing the attacker’s chance of success. Combining unpredictability with multi-execution further decreases these chances and has the potential to take certain types of attack entirely off the table,” Magill added.