WASHINGTON — The Defense Department’s advanced research arm wants to reduce the security risks of introducing new code into legacy systems, according to a new solicitation.
The project, announced by the Defense Advanced Research Projects Agency in a broad agency announcement July 24, is called Verified Security and Performance Enhancement of Large Legacy Software. The project wants to create a capability for developers that allows for incremental enhancements of software components with new code that is “correct-by construction and compatible-by-construction,” meaning it safely meshes with the integrates in the rest of the system.
“The program will produce theories, technologies, tools and formal proof methodologies leading to experimental prototype(s) that provide capabilities for piece-by-piece performance and security enhancement or replacement of legacy code in mission-critical systems. It is expected that these prototypes will provide a starting point for technology transition and assured incremental modernization of mission-critical software in cyber-physical system domains,” the broad agency announcement states.
The problem now, according to the solicitation, is that replacing legacy software in older systems faces “high risk” that the new code won’t be fully compatible with the rest of the system. V-SPELLS is trying to better understand legacy code to “reap the benefits of verification approaches for their incremental, assured enhancement, or to apply verification for safe composition of enhancements with large legacy systems,” the announcement states.
“Verified programming methodologies for creating software that is correct-by-construction are currently not effective for lowering this risk, because they focus on clean-slate software construction, assume an existing formal specification that is typically not available for a legacy system, and require formal methods expertise typically not accessible to developers.”
The project has four technical areas: automated, iterative interactive program understanding; compositional [domain-specific language] programming, component specification inference; verified layer flattening and distribution; and demonstration and evaluation.
DARPA expects to issue multiple awards for technical areas one, two and three, but a single award for technical area four. According to the announcement, the research agency anticipates $40 million in funding for the work. The program will be operational for four years and include three phases. Phases one and two will last 18 months, with phase three continuing for one year.
Legacy code and systems is a problem that plagues not only the Department of Defense, but also numerous federal civilian agencies. A 2019 report the Government Accountability Office, the congressional watchdog, found that the Department of the Treasury was running a system that was 51 years old. In the same report, the GAO ranked a 14-year-old DoD maintenance system for maintaining readiness as a “most critical” platform in need of modernization, noting that the department recognized it as a “moderately high” in terms of criticality and ranked it as a “moderate” security risk.
Proposals for the DARPA project are due Sept. 9.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.