Cyber-attacks are making headlines on a daily basis, with hackers stealing defense information, trade secrets and consumer data. But out of the spotlight is how cyber vulnerabilities are hampering advances in arms control verification and monitoring.
In the future, computer software will be a major component of technologies used for monitoring and verification. To implement a nuclear arms reduction treaty, for example, an array of hardware and software technologies would be used to protect the host state’s sensitive information while confirming that a nuclear weapon presented for inspection is indeed a nuclear weapon. All technologies will need to be inspected by both parties to ensure the equipment works as intended.
Software codes can be millions of lines long, making it extremely difficult to check for errors and bugs. Even relatively simple codes can have embedded malicious functions that are nearly impossible to detect and could lead to erroneous results.
Today, there are no standard requirements or processes for writing and reviewing code for verification applications. Random selections, blind buys and reverse engineering are all strategies to increase an inspector’s confidence in the integrity of the hardware, but there is no consensus on how best to develop trusted software.
NTI is tapping new sources of expertise to increase awareness of the software authentication challenge, identify and mitigate potential issues, and develop a set of principles to guide future software development for verification applications.
In the first phase of the project, NTI partnered with a leading computer science and information security expert at Binghamton University on The Underhanded C Contest, which challenges coders to solve a simple programming problem, while inserting covert malicious code. Previous contests have challenged participants to write source code that easily passes visual inspection by other programmers but also includes hidden functionality that causes the code to miscount votes, shave money from financial transactions, or leak information to an eavesdropper. This year's contest challenged programmers to create a simple program relevant for verifying an arms control treaty while inserting covert malicious code that would lead to a false signal.
This is a key first step in helping to develop better, more secure codes in the future.
Results for the 2015 Underhanded C Competition were released February 3, 2016.