DARPA I2O Demo Day

By Adam Cecchetti

This past week Deja vu Security showcased our research from the DARPA Cyber Fast Track program in the sunny center of the Pentagon. Two of the projects we completed, "Siren's Song" and "Gödel's Gourd", were selected for demonstration during the I2O Demo Day. Our other effort, "Hungarian Ham", was part of the controlled but unclassified selection for the Cyber Fast Track Day.

Gödel's Gourd 

Gödel's Gourd is a new fuzzing approach that detects the cases where a program does not crash but also does not behave quite as it should. Imagine walking into a restricted area without your badge, or walking out of a restaurant without paying your check: nothing breaks, but something went wrong. Gödel attempts to detect the equivalent issues while fuzzing, in this case both the logic flaws and the information leaks in a program or device.

Gödel's Gourd is capable of detecting issues such as information disclosure, authentication bypass, and state machine corruption. During testing, Gödel detects Heartbleed within the first few iterations of fuzzing SSL; Heartbleed is exactly the kind of bug a crash-only fuzzer misses, since the server answers with more bytes than were sent and never faults. Analysis runs inline with Peach to catch both classical security issues and logic issues, and a flexible constraint system lets the checks be tuned for each program or device being fuzzed.
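The following is an added example, not Deja vu Security's or Peach's code, of the kind of oracle the paragraphs above describe: a fuzzing loop that checks a behavioural invariant instead of waiting for a crash. The target is a constructed toy heartbeat responder with a Heartbleed-shaped bug (it trusts the declared payload length); the secret bytes, the memory layout and the handler names are all assumptions made for the example. The toy never crashes, so a crash-only fuzzer reports nothing, while the invariant "a heartbeat echoes at most what was sent" flags it within the first few mutated records.

```python
"""Invariant-based fuzzing oracle for a Heartbleed-shaped information leak.

Added example, not code from Deja vu Security or Peach. The target handlers,
the SECRET buffer and the memory layout are constructed for illustration.
"""
import random
import struct
from typing import List, Optional, Tuple

# Constructed "process memory" layout: the received record is followed by a secret.
SECRET = b"PRIVATE-KEY-MATERIAL-0123456789"
PADDING = b"\x00" * 16


def make_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """TLS heartbeat body: type(1) | payload_length(2, big-endian) | payload | padding."""
    return struct.pack("!BH", 1, declared_len) + payload + PADDING


def vulnerable_handler(record: bytes) -> bytes:
    """Copies declared_len bytes starting at the payload, running past it into SECRET.
    Nothing here crashes: the slice simply continues into the adjacent bytes."""
    memory = record + SECRET
    _, declared_len = struct.unpack("!BH", record[:3])
    return struct.pack("!BH", 2, declared_len) + memory[3:3 + declared_len] + PADDING


def fixed_handler(record: bytes) -> bytes:
    """Bounds-checked version: a declared length larger than the record is discarded."""
    _, declared_len = struct.unpack("!BH", record[:3])
    if 3 + declared_len + len(PADDING) > len(record):
        return b""
    return struct.pack("!BH", 2, declared_len) + record[3:3 + declared_len] + PADDING


def leak_oracle(sent_payload: bytes, response: bytes) -> Optional[bytes]:
    """Invariant: the echoed payload must be a prefix of what we sent.
    Returns the offending bytes when the invariant is violated, otherwise None."""
    if not response:
        return None                       # silently dropping a bad heartbeat is acceptable
    _, echoed_len = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + echoed_len]
    if echoed[:len(sent_payload)] != sent_payload[:len(echoed)]:
        return echoed                     # content mismatch: also "not as it should be"
    if len(echoed) > len(sent_payload):
        return echoed[len(sent_payload):]  # the excess is memory we never sent
    return None


def fuzz(handler, iterations: int = 200, seed: int = 1337) -> List[Tuple[int, int, int, bytes]]:
    """Mutate the length field; record (iteration, declared, actual, leaked) per violation."""
    rng = random.Random(seed)
    findings = []
    for i in range(iterations):
        payload = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 64)))
        # Half the time send a well-formed record, otherwise mutate the declared length.
        declared = len(payload) if rng.random() < 0.5 else rng.randint(0, 0xFFFF)
        leaked = leak_oracle(payload, handler(make_heartbeat(payload, declared)))
        if leaked is not None:
            findings.append((i, declared, len(payload), leaked))
    return findings


if __name__ == "__main__":
    for handler in (vulnerable_handler, fixed_handler):
        hits = fuzz(handler)
        print(f"{handler.__name__}: {len(hits)} invariant violations in 200 iterations")
        if hits:
            i, declared, actual, leaked = hits[0]
            print(f"  first at iteration {i}: declared {declared}, sent {actual}, leaked {leaked[:48]!r}")
```

The point of the design is that the oracle knows nothing about the bug; it only encodes what a correct responder is allowed to do, which is the same shape of constraint a tester would tune per protocol or device.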

Customers of Peach Pro already enjoy features of Gödel's Gourd. Additional development and features will be integrated into Peach later in 2014 depending on customer demand. 

Siren's Song 

Siren's Song is a fuzzing system for testing language interpreters and virtual machines; it lets a tester fuzz any language with Peach. The fuzzer sends semantically valid but mutated snippets to the interpreter, so the target exercises its real execution paths instead of rejecting malformed input at the parser. Languages covered by the Siren's Song examples include JavaScript, Python, Ruby, Visual Basic for Applications, Lua, and Java. Our test language was JavaScript, and within 20 iterations we found a known issue in Firefox.
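As an added example, not Deja vu Security's or Peach's code, here is a small grammar-based interpreter fuzzer in the style the paragraph describes. It builds type-correct snippets from a typed grammar, applies a type-preserving mutation (swapping one leaf for a boundary value of the same type) so the snippet stays semantically valid, and runs each one in a fresh interpreter process. The oracle separates a clean exception, which is the expected outcome for an odd but valid snippet, from an interpreter killed by a signal or hung, which is what a fuzzer of an interpreter is after. The local Python interpreter stands in for the JavaScript engines named in the post; the grammar, the boundary values and the program wrapper are constructed for this example.

```python
"""Typed-grammar snippet fuzzer for a language interpreter.

Added example, not code from Deja vu Security or Peach. The grammar, leaves
and wrapper are constructed; the interpreter under test is the local Python.
"""
import random
import subprocess
import sys
from typing import Dict, List, Tuple

# Typed productions: (format string, argument types). Binary operators are
# parenthesised so precedence never changes the meaning of a generated snippet.
RULES: Dict[str, List[Tuple[str, Tuple[str, ...]]]] = {
    "int":   [("({0} + {1})", ("int", "int")), ("({0} * {1})", ("int", "int")),
              ("({0} >> {1})", ("int", "int")), ("len({0})", ("str",)), ("int({0})", ("float",))],
    "str":   [("({0} * {1})", ("str", "int")), ("({0} + {1})", ("str", "str")),
              ("str({0})", ("int",)), ("{0}[::-1]", ("str",)), ("{0}.encode().decode()", ("str",))],
    "float": [("({0} / {1})", ("int", "int")), ("({0} - {1})", ("float", "float")),
              ("({0} ** {1})", ("float", "int")), ("float({0})", ("int",))],
}
# Boundary leaves per type; a mutation swaps one leaf for another of the same type.
LEAVES: Dict[str, List[str]] = {
    "int":   ["0", "1", "-1", "(2**16)", "(2**63)", "(-2**63)", "(10**30)"],
    "str":   ['""', '"a"', '"\\x00"', '"\\u00e9"', '("x" * 64)'],
    "float": ["0.0", "-0.0", "1e308", "5e-324", "float('nan')", "float('inf')"],
}
# Tree nodes are ("leaf", type, source) or ("node", format, [children]).


def generate(rng: random.Random, typ: str, depth: int = 3) -> tuple:
    """Build a random expression of the requested type, bounded by depth."""
    if depth == 0 or rng.random() < 0.3:
        return ("leaf", typ, rng.choice(LEAVES[typ]))
    fmt, arg_types = rng.choice(RULES[typ])
    return ("node", fmt, [generate(rng, t, depth - 1) for t in arg_types])


def count_leaves(tree: tuple) -> int:
    return 1 if tree[0] == "leaf" else sum(count_leaves(k) for k in tree[2])


def mutate(tree: tuple, rng: random.Random) -> tuple:
    """Replace one randomly chosen leaf with a different boundary value of the same type."""
    target = rng.randrange(count_leaves(tree))
    seen = [0]

    def rebuild(t):
        if t[0] == "leaf":
            idx, seen[0] = seen[0], seen[0] + 1
            if idx == target:
                _, typ, value = t
                return ("leaf", typ, rng.choice([v for v in LEAVES[typ] if v != value]))
            return t
        _, fmt, kids = t
        return ("node", fmt, [rebuild(k) for k in kids])

    return rebuild(tree)


def render(tree: tuple) -> str:
    if tree[0] == "leaf":
        return tree[2]
    _, fmt, kids = tree
    return fmt.format(*(render(k) for k in kids))


def make_program(tree: tuple) -> str:
    """Wrap the expression so the interpreter must evaluate it and report the result type."""
    return "x = " + render(tree) + "\nprint(type(x).__name__)"


def sample_programs(seed: int, n: int) -> List[str]:
    """Deterministic corpus: each entry is a generated tree with one mutation applied."""
    rng = random.Random(seed)
    return [make_program(mutate(generate(rng, rng.choice(list(RULES))), rng)) for _ in range(n)]


def classify(src: str, timeout: float = 2.0) -> str:
    """Run one snippet in a fresh interpreter and classify the outcome."""
    try:
        proc = subprocess.run([sys.executable, "-I", "-c", src],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    if proc.returncode < 0:
        return "crash"        # killed by a signal (SIGSEGV, SIGABRT, or the OOM killer): triage
    if proc.returncode != 0:
        return "exception"    # the interpreter rejected the operation cleanly; not a finding
    return "ok"


def fuzz(iterations: int = 20, seed: int = 1) -> Dict[str, int]:
    counts = {"ok": 0, "exception": 0, "crash": 0, "hang": 0}
    for src in sample_programs(seed, iterations):
        verdict = classify(src)
        counts[verdict] += 1
        if verdict in ("crash", "hang"):
            print(f"{verdict}:\n{src}\n")
    return counts


if __name__ == "__main__":
    print(fuzz())
```

Because every production respects the grammar's types, the generated snippets always compile; what varies is which boundary values reach the interpreter's runtime. A memory-hungry snippet that gets the child killed by the OOM killer also lands in the "crash" bucket, so in a real run an address-space limit on the child process is worth adding before triage.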

Siren's Song will be released based on customer demand. 

Interested in hearing more about upcoming Peach features or our research? Reach out to us at peach@dejavusecurity.com.

