Visible to the public Detecting Malice in Commodity Software


The U.S. Government and commercial industry depend on commodity software. Unfortunately, the long supply chain that produces this software provides many opportunities for adversaries to insert backdoors or other hidden malicious functionality along the way. How can we gain confidence that our commodity software is free of malice? Conventional wisdom holds that this problem is so fundamentally difficult that no practical solution is attainable.

This talk will discuss three DARPA research programs aimed at overturning this conventional wisdom. Topics will include determining what malice to look for and where, ruling out the presence of malice, running reliable diagnostics on commodity devices that may be rigged to lie, the use of live competitive engagements between researchers and adversary teams to measure and drive technical progress, and the ability of coordinated research programs to gather research talent and direct it towards achieving a specific technical goal.


Mr. Fraser joined DARPA as a Program Manager in 2011. He is principally interested in cyber-security, specifically in using automation to give cyber defenders the same advantages in scope, speed, and scale that are presently too-often enjoyed only by the cyber attacker. Prior to joining DARPA, Mr. Fraser worked as a Program Manager in the Microsoft Corporation's anti-malware group where he managed the first transfer of automated malware classification technology from Microsoft Research to a production environment. Fraser has been a part of two successful cyber-security product startups Komoku, Inc. and Platform Logic, Inc., and has performed cyber-security research at Trusted Information Systems and the University of Maryland Institute for Advanced Computer Studies.

Mr. Fraser received his Master of Science in Computer Science from the University of Illinois at Urbana-Champaign, and his Bachelor of Science in Computer Science from the Worcester Polytechnic Institute.

Creative Commons 2.5

Other available formats:

Detecting Malice in Commodity Software
Switch to experimental viewer