LGS Innovations CEO Kevin Kelly talks to Jane’s International Defence Review about cyber warfare at the tactical edge, specifically software code vulnerabilities.
“Despite what you might read about in novels and have seen in Hollywood movies, the majority of vulnerabilities in software are purely unintentional,” Kevin Kelly, chief executive officer of LGS Innovations, told IHS Jane’s. “They can either be there by mistake or they can be part of a management or troubleshooting system that are built into operational code, that are built into machine code, or firmware so that the tier 2, tier 3 maintenance folks can log into these devices and pull logs of information … so that they can troubleshoot anomalies.”
Many hardware developers outsource development of modules of code, Kelly explained, or acquire open-source code or libraries of code that perform certain functionalities developed for past systems that are incorporated into later systems of integrated or aggregated software. Some backdoors are left over from testing scenarios, but no one really spends time going through old code line by line looking for vulnerabilities. “For efficiency’s sake, the developer did not go in and remove the original code,” said Kelly. “They just simply layered on a replacement code or a patch, and the predecessor’s code is still running on the machine.
“There are very practical reasons why these vulnerabilities exist,” Kelly continued. “The extent that developers would have to go through to remove all of them is really counter competition. If developers of these systems had to go through line by line and remove all of these, they are going to add an awful lot of cost to the COGS of each of these systems and potentially make themselves uncompetitive. So they simply don’t do it. And there is no requirement. There’s no international [standard] and there’s no national standard that requires them to go in and remove these.”
LGS Innovations is currently demonstrating custom software called ‘CodeGuardian’ for warfighters on the move that identifies, analyses, and removes vulnerabilities from source code. By working in a threat-prioritised, iterative process with developers, clean code can be obtained and then run through an ‘obfuscation engine’ that changes the address mapping, performs natural language translation, and shuffles and recompiles the code, which is then executable only with a specific unique key.
This “creates a unique version of the executable that operates exactly the same as every other version. It’s just written differently”, said Kelly. “In the event that there is still a vulnerability in that code, or that there is one discovered later, each of the executables can be different from another, and therefore the attacker’s ability to find the entry point is going to be that much more difficult, maybe even impossible.”
For more information, please visit http://www.janes.com/