Eliminating Memory Safety Vulnerabilities Once and For All

Date: July 31, 2024
Program Office: Information Innovation Office (I2O)

---

Overview

Memory safety vulnerabilities persist as the most common type of software flaw, primarily affecting computer memory in two ways:

Direct memory manipulation: Languages like C allow low-level memory access, making it easy to introduce bugs that corrupt memory.
Undefined behavior: Occurs when language standards don’t specify behavior, leading to unpredictable program actions.

Despite decades of efforts focusing on bug-finding tools, the software community agrees these are insufficient. The Office of the National Cyber Director advocates for proactive elimination to reduce security risks.

---

Challenge with Legacy C Code

Ubiquity of C: Created in the 1970s, C remains widespread in critical applications — from smartphones to space vehicles.
Legacy systems: The Department of Defense (DoD) heavily relies on C-based long-lived systems.
Rewriting challenge: Completely rewriting vast amounts of legacy C code in safer languages at scale is daunting.

---

The Opportunity: Rust and Machine Learning

Rust programming language: Designed for memory safety, Rust eliminates entire classes of memory bugs by enforcing strict safety rules and eliminating undefined behavior.
Machine learning advances: Large Language Models (LLMs) have made automated code translation from C to Rust feasible but need significant improvements to approach expert quality.

---

DARPA's TRACTOR Program

Full name: Translating All C to Rust (TRACTOR).
Goal: Automate large-scale, high-quality translation of legacy C code into idiomatic, memory-safe Rust code to eliminate memory safety vulnerabilities.
Approach: Leverage novel software analysis methods (static and dynamic) combined with LLM-powered translation techniques.
Quality target: Output should match the style and quality of skilled Rust developers.

Statement from Program Manager Dr. Dan Wallach

“You can use AI chatbots now to translate C to Rust with mixed results. TRACTOR’s challenge is improving these translations, especially for critical program constructs.”

He stresses that while Rust’s strict rules can feel restrictive, they provide safety guardrails, allowing programmers to focus on meaningful tasks once accustomed.

---

Program Activities

Public competitions: To assess and advance automated translation capabilities using LLM solutions.
Proposers Day: Scheduled for August 26, 2024, attendance in-person or virtually; registration deadline August 19, 2024. Details on SAM.gov.

---

Additional Resources

The Case for Memory Safe Roadmaps
Memory Safety Fact Sheet by the White House's Office of the National Cyber Director