By Kristen Mitchell
In an increasingly interconnected world dependent on technology, two George Washington University researchers are developing a way to keep computer systems safer from would-be hackers with a new approach that would eliminate security loopholes before they can be exploited.
Tian Lan and Guru Venkataramani, associate professors of electrical and computer engineering in the School of Engineering and Applied Science, were recently awarded a $1,471,224 grant by the Office of Naval Research to study how customized software packages could individualize security in cyber systems by customizing their protocols. This would reduce security risks and foster a more resilient system.
Programmers discover loopholes and then eliminate these security flaws with regular updates. Because these programs are consistently releasing new updates, however, new loopholes are inadvertently created as the size of the system swells. Standardized versions of common software, like Microsoft Word or Adobe Flash Player, are running on countless machines, which gives potential aggressors the possibility to inflict widespread damage if they discover a backdoor into such widely used software systems.
Dr. Lan and Dr. Venkataramani believe system security could be improved with customized versions of essential software that only includes features a specific user or company needs. These slimmer programs would cut out features that could someday provide a backdoor for those seeking to do harm.
“In the past when you have a problem, you just issue a patch, you issue a solution for the problem. When another problems comes up, you issue another solution,” Dr. Lan said. “This is the first time we are thinking on the opposite side, how do you eliminate a lot of problems at the same time.”
There are significant military applications for this technology. A security breach can cost a private company thousands of dollars every second, Dr. Lan said, but a security breach on a naval system could have more severe consequences. A hacker could steal confidential information, undermine crucial control modules, or compromise communication between ships and naval bases.
“Imagine two of our U.S. naval ships stationed in a remote corner of the world, and they are trying to communicate with each other, and an adversary ship is trying to eavesdrop on the communication that is going on between two U.S. naval ships,” Dr. Venkataramani said. “It could be disastrous. It could cut off the communication or change the communication, it might put a base right there at risk.”
An attacker, who is aware of system vulnerabilities, could easily gain entry, Dr. Venkataramani said. Organizations can minimize these risks by deleting extra code that could be used to exploit a system, blocking any outside party from weaponizing those vulnerabilities, Dr. Venkataramani said.
Naval ships—and the software that keeps them sailing— are in service for generations. There could be security vulnerabilities current engineers are unaware of because the people who designed the legacy software are no longer around. After years of additions, the software systems in place are too large for any one engineer or team to evaluate in a timely manner.
“All it takes for the attacker is one loophole. As long as they can figure it out, they can get into the system and do all sorts of damage. That is exactly what we want to prevent,” Dr. Venkataramani said. “In legacy software where we no longer have access to source code, we don’t even know where vulnerabilities may exist because we don’t know who wrote it. So the question is how do we go about finding the loopholes that are present and fix all of those loopholes and remove the possibility of it being exploited through such loopholes.”
Dr. Venkataramani and Dr. Lan are developing a way to use machine learning to comb through these kinds of software to detect which parts are being used and which are not. From there, they will be able to create customized packages that cut out redundancies and unused features.
“If you don’t know anything have any intelligence about this software, these loopholes will remain there forever,” Dr. Lan said. “If you don’t do this, the only time you find a bug is once someone has exploited it, and then it’s too late.”
Companies avoid making changes to functional legacy software because it is expensive and time consuming. From a business standpoint, people don’t want to disrupt a system that is still working, Dr. Venkataramani said.
The pair received a four-year grant for their project titled: “DIALECT: Communication Protocols Customization via Feature DIAgnosis, Lacing, Elmination, Cross-grafting, and Trimming”
The recent grant will advance Dr. Venkataramani and Dr. Lan’s work from a previous three-year grant from the Office of Naval Research. They plan to develop the machine learning mechanism and will begin testing their work in Naval labs in about two years.
“The Office of Naval Research chose to fund Dr. Lan’s and Dr. Venkataramani’s DIALECT project after working with both professors on an earlier project, and this is a testament to the confidence ONR has in their work,” said David Dolling, dean of SEAS. “The DIALECT project is just one example of the critical, cutting-edge technologies that SEAS faculty are developing across communications, healthcare, transportation, and other sectors.”
With cloud computing and more personal information stored on computers than ever before, people should be concerned about cyber security and the potential consequences of targeted hacking, Dr. Venkataramani said.
“A deeper understanding of the vulnerabilities that our software presents is the key to preventing them from being attacked,” he said. “Everyone’s data is vulnerable.”