SBIR-STTR Award

Direct to Phase II

There is currently an explosion of the adoption of embedded devices (esp. around Internet of Things, IoT). Based on recent incidents related to attacks against industrial sensor and wireless networks, there are concerns about significant risks related to the quality of performance of such devices. Additionally, embedded systems requirements testing is typically currently done at the DevOps stage. However, for purchased third-party COTS devices, the buyer is not part of the DevOps process and is not supported by the testing tool landscape. We propose “VeriCoR” (Third Party Verification of COTS Compliance with Requirements), a solution for automated analysis of embedded devices with support for Human-in-the-Loop (HITL) operation. The goal of the current system is to achieve outstanding levels of coverage for both device specifications and operator usability, with as much automation as possible. At its heart, our system is driven by a novel Domain Specific Language (DSL) which acts as a bridge between the operator and low-level implementation of instruments performing binary analysis. The analysis results from lifting operations where binaries are made available in formats including Intermediate Representation (IR), Intermediate Language (IL), Assembly (ISA), and high-level programming language (C). In these forms, and relative to platforms including Ghidra and S2E, lifted binary becomes available for analysis in static and dynamic forms. We have previously identified the ability for static analysis to meet code quality, code inclusion, and library import quality standards and specifications. We have previously demonstrated these functions to be fully automated with a binary input and explicit specification of strings, patterns, and dates to include as constraints. As a dedicated cybersecurity company, ObjectSecurity has over 20 years’ experience in evaluating static code representations for security-related specifications and 15 years of experience encoding security policies and specifications in middle and high-level Domain Specific Languages (DSLs). Our proposal is intended to analyze COTS testbed devices covering a variety of industrial use cases as previously carried out for Navy and DoD initiatives. We present novel experimentation, testing, and validation methodologies (including using Artificial Intelligence and Machine Learning, AI/ML) that will be incorporated for advanced analysis and feedback features to benefit automation and accuracy of fielded systems. Our solution will support a range of operator expertise, from novice to experts, with dedicated DSL IDE support and reporting features including rendering capabilities to concise textual, verbose/auditable textual, and visual/graphical outputs. Additional features are outlined to support functional prototype development and support for APIs, customizable device specifications, independent validations, and future enhancements