The Federal Laboratory Consortium (FLC) has selected MIT Lincoln Laboratory’s Just-In-Time Address Space Randomization (TASR) as one of the recipients of its 2024 Excellence in Technology Transfer Award. This cybersecurity technology was transferred to two companies developing cloud-based services in 2019 and 2021.
TASR has the potential to help harden many cloud-based servers and user applications against rampant information leakage attacks. These attacks have featured in several recent high-profile breaches in which cybercriminals exploited sensitive information to commit fraud or identity theft, steal financial assets, or gain unauthorized access to other restricted or mission-critical systems. TASR is the first technology capable of mitigating the impact of such attacks, regardless of attack mechanism or underlying system vulnerability.
The FLC is a nationwide network of more than 300 government laboratories, agencies and research centers that helps facilitate the transfer of technology from the research laboratory to the marketplace to benefit the U.S. economy, society and national security. The FLC presents awards annually to recognize outstanding technology transfer achievements by employees of FLC member laboratories and their partners from industry, academia, nonprofits, and state and local governments. The Excellence in Technology Transfer Award recognizes exemplary transfer of federally developed technology.
Asha Rajagopal, chief technology risk officer at Lincoln Laboratory, said: “We are honored to receive the FLC award in recognition of our excellence in technology transfer of this type—in this case, our cutting-edge cybersecurity technology to protect everyday users of cloud infrastructure.”
The Lincoln Laboratory team behind TASR initially developed the technology under the auspices of the National Security Agency (NSA) after conducting an investigation of existing network defenses and their vulnerabilities. After three years of development, TASR became a research prototype in 2015 and received a U.S. patent in 2019. In 2020, the U.S. Department of Homeland Security (DHS) selected TASR for its Commercialization Accelerator Program, through which the team matures the technology and connects it with commercial companies. Given the growing need for hardened cloud-based services, TASR offers an attractive solution as it protects Linux-based applications and servers from cyberattacks. Originally developed for PCs based on the Intel x86 architecture, the Linux operating system now runs more than 80% of Internet servers, 90% of public cloud workloads, all 500 of the world’s fastest supercomputers, and the majority of Android-powered smartphones.
TASR works by automatically and transparently shuffling (re-randomizing) code locations in memory every time an application processes an input and output pair. Whenever an application sends output, such as a file write or a packet transmitted over a network, information can be leaked to an attacker. But with TASR, information that might be leaked during system output will change at the next point where an attacker is able to act on such information, which is at system input. With this moving target approach, TASR solves an important issue that leads to information leakage attacks: target homogeneity. Once an attacker designs an attack against an application, they can easily compromise millions of computers simultaneously because all installations of the application look similar internally. TASR prevents such operations by continuously rerandomizing memory during application execution.
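A toy model of the input/output-pair re-randomization described above, added here as an illustration; it is not TASR's code, and the class and function names, offsets and address range are assumptions made for the example. It compares an address disclosed at output against the layout in force at the next input, with and without the policy.

```python
import random

PAGE = 0x1000  # assumed alignment of the toy code region

class ToyProcess:
    """Toy model: a 'process' whose code region sits at a random base address."""

    def __init__(self, rerandomize_on_io_pair, seed=1):
        self.rng = random.Random(seed)      # seeded so the run is repeatable
        self.policy = rerandomize_on_io_pair
        self.offsets = {"parse": 0x120, "handler": 0x480}   # constructed layout
        self.base = self._new_base()
        self.output_since_shuffle = False
        self.shuffles = 0

    def _new_base(self, avoid=None):
        while True:
            base = self.rng.randrange(0x10000, 0x7FFFF) * PAGE
            if base != avoid:               # a shuffle must actually move the code
                return base

    def addr(self, name):
        return self.base + self.offsets[name]

    def write_output(self, name):
        """Any output may disclose an address; model the worst case: it does."""
        self.output_since_shuffle = True
        return self.addr(name)

    def read_input(self, claimed_addr, name):
        """Input after output closes an I/O pair: shuffle before using the input."""
        if self.policy and self.output_since_shuffle:
            self.base = self._new_base(avoid=self.base)
            self.output_since_shuffle = False
            self.shuffles += 1
        # Is the address the peer learned earlier still correct?
        return claimed_addr == self.addr(name)

def leaked_address_still_valid(rerandomize_on_io_pair):
    proc = ToyProcess(rerandomize_on_io_pair)
    leaked = proc.write_output("handler")      # disclosure at output
    return proc.read_input(leaked, "handler")  # reuse attempt at next input

if __name__ == "__main__":
    print("load-time randomization only:", leaked_address_still_valid(False))
    print("re-randomize per I/O pair:  ", leaked_address_still_valid(True))
```

In the model, consecutive inputs with no output in between do not trigger a shuffle, since nothing new could have been disclosed since the last one.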
“From day one when we started developing TASR, our focus was on making the technology as practical as possible to facilitate its transition to real users. We are honored to receive FLC recognition on TASR’s ten-year journey,” said principal investigator Hamed Okhravi, senior researcher in the Laboratory’s Security Resilient Systems and Technologies group. Okhravi led TASR’s nearly decade-long process through its conception, NSA and DHS sponsorship, development, maturation, and transfer phases with support from the Laboratory’s Office of Technology Risk and MIT’s Office of Technology Licensing. Other team members include David Bigelow, Jason Martin and William Streling, as well as former staff members Thomas Hobson and Robert Ladd. TASR previously won the 2022 R&D 100 Award, which recognized it as one of the year’s 100 most innovative technologies available for sale or license.
The TASR team and other category winners will be recognized at an awards ceremony on April 10 during the 2024 FLC National Conference in Dallas, Texas.