DARPA Works to Limit Open Source Security Threats

August 9, 2022

Isn’t it a little late? Open-source code has become an integral part of nearly every facet of modern computing, including military and critical infrastructure applications. Now, reports MIT Technology Review, “The US Military Wants to Understand the Most Important Software on Earth.” It seems military researchers have just realized there is no control over, or even accounting for, the countless contributors to open-source projects like the Linux kernel. That software alone underpins the operation of most computers. And yet the feature that makes open-source software free and, therefore, ubiquitous also makes it vulnerable to bad actors.

Since it cannot turn back the clock and consider security before open-source code got baked into critical software, DARPA will instead scrutinize the people and organizations behind open-source projects. The program, dubbed “SocialCyber,” will take 18 months and millions of dollars to implement. It will use a combination of the latest AI tech and good old-fashioned sociology to pinpoint potential threats. Reporter Patrick Howell O’Neill writes:

“The ultimate goal is to detect and counteract any malicious campaigns to submit flawed code, launch influence operations, sabotage development, or even take control of open-source projects. To do this, the researchers will use tools such as sentiment analysis to analyze the social interactions within open-source communities such as the Linux kernel mailing list, which should help identify who is being positive or constructive and who is being negative and destructive. The researchers want insight into what kinds of events and behavior can disrupt or hurt open-source communities, which members are trustworthy, and whether there are particular groups that justify extra vigilance. These answers are necessarily subjective. But right now there are few ways to find them at all. Experts are worried that blind spots about the people who run open-source software make the whole edifice ripe for potential manipulation and attacks. For Bratus, the primary threat is the prospect of ‘untrustworthy code’ running America’s critical infrastructure—a situation that could invite unwelcome surprises. …This kind of research also aims to find underinvestment—that is critical software run entirely by one or two volunteers.”

The program relies on partnerships between DARPA and several small cybersecurity research firms like New York’s Margin Research. These firms will ascertain who is working on what open-source projects. Margin will focus on Linux, considered the most urgent point of concern. Open-source programming language Python, which is often used in machine-learning projects, is another priority. SocialCyber is quite an undertaking—it is the pound of cure we could have avoided with an ounce of foresight several years ago.

Cynthia Murrell, August 9, 2022


Got something to say?

  • Archives

  • Recent Posts

  • Meta