ITHACA, N.Y. — The future is written in computer code. From autonomous cars to outer space exploration, and from smart devices to cancer-decoding computer programs, those scripts and applications play an ever bigger part in our lives, and the advancement of our knowledge and abilities.
But it’s not without risk. One need to only read the news to see how vulnerable we are in a hyperconnected world. Recently, a cyberattack was launched by hijacking the code of millions of smart devices. Hackers are regularly breaking through porous defenses of private companies and public entities, stealing personal information to use in identity theft, and trade secrets. Autonomous cars are being hijacked, leaving their passengers helpless to the potentially nefarious actions of others.
For one local company, all that insecurity, all those potential threats, represent a prime opportunity, one that makes our systems more secure, and allows their business to thrive. With their latest large contract, GrammaTech, a local cybersecurity firm, is set to expand its local employment, and put its skills and knowledge to use in safeguarding the cyber future.
Located in Ithaca’s West End on Esty Street, GrammaTech was founded in 1988 by Cornell professor Tim Teitelbaum and his PhD student, the locally-born and raised Dr. Thomas Reps. The company has two divisions – a government research division, and a commercial products division. The government research side focuses on software security research, building ways for sensitive work to stay secure, and protect against hacks and cyberattacks, as well as identifying programming bugs that leave software susceptible to infiltration. The fruits of the research are then commercialized by the products division and licensed to organizations who want to use the same cyberdefense technology that GrammaTech provides to military and government labs. Among GrammaTech’s clients are several Fortune 500 companies.
“A concrete example is, we have a product called ‘CodeSonar,’ sonar in the sense of trying to find bad things in your software. That was out there making sales, but a man at {the} NASA Jet Propulsion Laboratory [JPL] decided he had some ideas that would help them write them more secure and safer code for the Mars rover, so he put out a government solicitation through NASA to implement a tool that would apply his ideas to make better software. We got the contract to show that his ideas could be implemented into a tool, and we delivered that product to JPL commercially. JPL then had a site license for our product. They used it on the Mars Rover before it was launched, and so it had some impact on the safety and security of the code of the Mars Rover,” said Teitelbaum when describing the company’s work.
The latest feather in the company’s cap comes from the U.S. military’s Office of Naval Research – a just-announced $9 million contract over three years, with a $7.5 million option to extend it two more years. Teitelbaum says the work will focus on making their computer programs more secure from hackers and foreign intruders.
To try and explain the contract involves a short primer on how software development works. According to Teitelbaum, when developers create software, they write in what’s called “source code” – a high-level programming language, like C, C++ or Java. When they deliver an application to the consumer, they deliver it in “binary code”, which are the zeroes and ones that the computer interprets when using the software. It’s no longer symbolic or easily readable, but it’s in the form computers need to rad and run the program.
For the first decade or so, GrammaTech’s product for software assurance was initially only for source code, so it was only used by developers. Almost two decades ago, they began a long-range research program to see if they could do the same thing for binary code as they could do for source code. Teitelbaum says that in many ways that’s harder, because it doesn’t have the same legibility or comments in the computer code, it’s just the zeroes and ones. Over the years, GrammaTech’s staff developed and honed through many contracts a capability for analyzing binary code.
That culminated a year ago in technology that GrammaTech used to compete in the military’s Defense Advanced Research Project Agency (DARPA) Cyber Grand Challenge, the world’s first all-machine hacking tournament, where a team could only analyze the zeroes and ones of the binary code only, no source code, and had to find vulnerabilities in the code and repair them automatically. 120 companies competed, and Grammatech placed second in the finals, which came with a million dollar prize. That contest demonstrated the power of GrammaTech’s binary analysis capability, said Teitelbaum.
As part of its analysis of binary code, GrammaTech does what they call “binary code hardening “. They take an application just as a consumer would receive, they perform their binary analysis, and use that analysis to “harden” the binary code against cyberattacks, by removing vulnerabilities and bugs, or by adding protections to the binary. The new hardened binary is then ready for the consumer to use.
ONR’s idea that they want GrammaTech to execute is to remove unnecessary computer code that may not necessarily be buggy, but provides an environment that can be taken advantage of in an attack, what’s known as “an attack surface”. By whittling the surface down, the code becomes less vulnerable to attack. ONR wants GrammaTech to look at what can be taken away to reduce its exposure to attack, while still having the code perform its necessary tasks.
Now, maybe it’s surprising that there might be all this extra code in a military-grade program – a final product is supposed to be efficient and effective, right? But modern software engineering practices involve approaches that often lead to unnecessary code in the final application. New programs are often built out from existing code libraries or frameworks, which saves time, but it also tends to put more stuff in the computer code than will actually be used – “code bloat”. GrammaTech’s task is to “de-bloat” the Navy’s code, by identifying and removing unneeded sections so that there’s less of an attack surface for attackers to take advantage of.
“If your application is in a highly sensitive military setting, and you only want 10 of 50 features, you specify what code you need and remove the sections that implement things you don’t want. The software is more general than a particular setting might require,” said Teitelbaum.
With this growth in business opportunities comes growth in revenue and employment. Since 2008, GrammaTech’s staff has grown fourfold, from the low 20s to over 80 employees, of whom 52 are based in Ithaca (some work remotely, and Grammatech has a satellite office in Wisconsin, where co-founder Reps teaches). The ONR contract and other recent contracts are set to add another 20 positions in the Ithaca headquarters.
Teitelbaum foresees plenty of openings for GrammaTech to grow in the coming years. He ticked off examples from security to protect autonomous car computers (“a car these days is a computer wrapped in iron”), to protecting internet-connected smart home devices ranging from thermostats to toasters. The cyber future has its liabilities and risks, but risk provides excitement and opportunity.
“The state of software security is still very poor – we have great products, but we’re only just beginning to touch the potential of software to improve software. There are lots of things that are wrong with software that are still to be found by more aggressive techniques, protections that could make software more robust. That’s our niche, making software more safe and secure, and many decades of research and productization are still to come. It is a billion dollar opportunity for the people who can develop effective tools in that area.”