Research team looking to patch code in embedded systems, aid in cybersecurity

Left to right: Antonio Bianchi, Dongyan Xu, Dave Tian

Three Purdue University researchers and their teammates at the University of California, Santa Barbara and Swiss Federal Institute of Technology Lausanne (EPFL) have received a DARPA (Defense Advanced Research Projects Agency) grant to fund research that will improve the process of patching code in vulnerable embedded systems.

Purdue’s Antonio Bianchi and Dave Tian, both assistant professors of computer science, and Dongyan Xu, the Samuel Conte Professor of Computer Science and director of CERIAS (the Center for Education and Research in Information Assurance and Security), received the grant together with their team members. The grant totals about $3.9 million and is part of a project called “Assured Micropatching.” The project is expected to last four years.

“Many embedded systems, like computer systems running in trucks, airplanes and medical devices, run old code for which the source code and the original compilation toolchain are unavailable,” Bianchi said. “Many old software components running in these systems are known to contain vulnerabilities; however, patching them to fix these vulnerabilities is not always possible or easy.”

Without source code, patching a vulnerability necessitates editing the binary code directly, Bianchi said. Additionally, even in a system that has been patched, there is no guarantee that the patch will not interfere with the original functionality of the device. Because of these difficulties, he said, the code running in embedded systems is often left unpatched, even when it is known to be vulnerable.

The team’s proposed approach entails defining and verifying a set of properties that a patch must have to ensure it doesn’t interfere with the device’s original functionality. The research also aims to develop automatic and minimal code patching for devices that may be vulnerable to cyberattacks. Minimizing modifications, Bianchi said, will require minimal resources to verify the patched code and prevent the device’s functionality from being harmed. The researchers will also develop new ways to test the patched code that do not require it to run on real hardware.

All three researchers are affiliated with CERIAS, which is providing administrative assistance. The researchers are looking for graduate and undergraduate students and postdoctoral researchers to work on this project.

DARPA, which is based in Arlington, Virginia, funds research in breakthrough technologies for national security. It was established in 1958 as part of the U.S. Department of Defense.

Writer: Kelsey Schnieders Lefever, kschnied@purdue.edu

Sources: Antonio Bianchi, antoniob@purdue.edu

Dongyan Xu, dxu@purdue.edu