Compartmentalization and Privilege Management (CPM)

Background
The objective of the CPM program is to develop a set of tools, along with supporting hardware and software infrastructure, to automatically restructure legacy complex software systems into performant limited-privilege compartments that prevent initial penetrations from turning into successful cyber-attacks. The CPM program’s focus is on securing the vulnerable legacy code base. Complementary software and hardware solutions are sought that will make it economically viable to compartmentalize legacy software around least-privilege principles while also demonstrating a hardware roadmap that enables performant implementation.

The CPM program is partitioned into three Technical Areas (TAs): 1) Automated Compartmentalization, 2) Privilege Policy Enforcement, and 3) Evaluation Support. The first phase of the CPM program will use the open-source Linux operating system as the target system for testing and evaluation. The second phase of the program will focus attention on applying the tools and capabilities to securing open-source user-space applications (e.g., web browser, web server, database management system). Each proposal may address any single TA or a combination of TA1 and TA2. DARPA anticipates funding multiple technical approaches and performers for TAs 1 and 2 and making a single TA3 award.

Period of Performance
CPM is planned as a 48-month program with a 30-month Phase 1 and an 18-month Phase 2. Phase 1 will focus on technology development using the Linux operating system as the test and evaluation suite. Phase 2 will focus on scaling the technologies and will add user-space programs to the test and evaluation suite.

Place of Performance
The first phase of the CPM program will use the open-source Linux operating system as the target system for testing and evaluation.