Researchers with the Safe Documents program at the Defense Advanced Research Projects Agency have developed new tools and methods designed to mitigate cyber vulnerabilities in file formats.
The SafeDocs program was launched in 2018 with a goal of improving the security of electronic communications used in government and military operations, DARPA said Wednesday.
“Attackers abuse excessive complexity and ambiguity of document format rules to sneak in malicious payloads past the scanners,” said Sergey Bratus, SafeDocs program manager at DARPA’s information innovation office.
“SafeDocs’ formal methods approach helps uncover and eliminate the dark corners where the attackers love to hide. Resulting technologies make trusting incoming data via documents viable for many industries, including those dealing with critical infrastructure,” added Bratus.
The SafeDocs tools and methods are designed to address the complexity and ambiguity of modern file formats like the Portable Document Format by defining machine-readable descriptions of data formats.
Program researchers also developed automated software construction kits to create secure scanners using the simplified format subsets, a process which Bratus said addresses the root cause of vulnerabilities in scanners.
“Acting on an unchecked assumption is the recipe for code vulnerability,” said Bratus. “SafeDocs helps the programmer avoid implementation errors due to misunderstanding or accidental omission by generating the code automatically.”
