
SEAS Team: Naval Research Grant

The University of Pennsylvania, in collaboration with Carnegie Mellon University (CMU) and Stanford University, has received a five-year, $7.5 million grant ($2.566 million for Penn) from the Office of Naval Research (ONR) under the Total Platform Cyber Protection (TPCP) program for software complexity reduction, that is, simplifying complex internet protocols to build greater security. The project, led by Carnegie Mellon, will create fundamentally new ways to provide greater security and resilience for legacy Navy software.

The joint project, Accountable Protocol Customization (APC), aims to reduce the complexity of legacy software by identifying lean protocol subsets that are sufficient to meet the functional and security needs of relevant clients and servers while preserving backward compatibility.

The Penn team consists of faculty members in the School of Engineering and Applied Science’s department of computer and information science (CIS): Professor Boon Thau Loo; Henry Salvatori Professor Benjamin Pierce; Professor Andre Scedrov; and Professor Steve Zdancewic. Dr. Scedrov is also professor and chair of the department of mathematics in Penn’s School of Arts & Sciences.

“Modern network protocol standards often contain a dizzying array of options with perplexing and unpredictable potential interactions. Over time, these pieces of software become hard to maintain and also easy to compromise,” said Dr. Loo. “We plan to explore real-world software that can benefit from APC’s protocol subsetting techniques, leveraging our combined strengths in systems and formal methods. The real-world use cases are immense, ranging from cloud applications, network infrastructure and the Internet of Things.”

“The benefit is in the high assurance,” said Anupam Datta of CMU, who is the overall lead investigator for the project. “It’s very hard to give high assurance to a very large, complex system. The goal of this project is to identify smaller subsets of the system to see if those parts operate correctly, we can still get security guarantees irrespective of what happens in other parts of the system.”

“The project will create a scientific framework for accountable protocol customization that reliably improves security of contemporary and future networked computing environments,” said John Mitchell of Stanford. “Through this project, we aim to create principled techniques for synthesis, testing and verification of protocols. We look forward to fruitful collaborations with all participating institutions.”
