Published Research

Cyber Fault-tolerant Attack Recovery (CFAR)

Legacy software still underpins many vital business functions and governmental agencies. Many of these systems are monocultures or no longer maintained. They’re more vulnerable to attack.

Now that modern computers operate with multi-core chips, there’s another way to improve security. Allotting some of that computing power to monitor applications for signs of attack would make the legacy software less vulnerable. In collaboration with Galois and UC Irvine, we’re developing CFAR to do just that.

In CFAR, each core runs a variant of the same application in a multi-execution environment. When a significant difference appears in a running variant, the properly functioning cores rapidly detect and terminate the exploited session. Attacks are stopped before they can inflict damage. The unexploited sessions remain active, ensuring that critical application functionality remains available, even for legacy applications with known vulnerabilities.

CFAR doesn’t rely on program source code. If the source is not available, McSema will translate binaries into LLVM bitcode. The bitcode is then used to generate multiple programs with identical functionality but different binary-level representation.

We have tested a proof of concept that works with complex network-facing server software. Now, we’re working to enhance binary-to-LLVM translation quality and support larger programs.