Defender Resilience via InFormed Toolchains (DRIFT) addresses a core challenge faced by defenders of software systems: the lack of metadata and tools to effectively understand and remediate risk in production binaries. In real-world settings, such as enterprises, embedded systems, and critical infrastructure, defenders are responsible for large software deployments composed of complex software supply chains, out-of-support components, and vendor binaries. When a new vulnerability is discovered or a system crashes, operators often cannot determine whether they are affected, why the failure occurred, or how to safely remediate it. DRIFT is part of DARPA’s EBOSS program, which aims to give defenders direct, timely, and trustworthy knowledge and control over the binaries they are tasked with securing.
DRIFT provides an integrated toolchain (a modified compiler, linker, and associated analyses) that offers advanced capabilities for:
- Automated vulnerability understanding
- Automated vulnerability hardening (for memory safety vulnerabilities)
- Automated remediation of vulnerabilities from crashes or CVEs
- Automated, accurate, and precise vulnerability reachability analysis
- Synthesis of crashing inputs for a vulnerability
- Remediation via rapid, validated, and verified binary patches
DRIFT is developing novel forms of instrumentation to catch memory safety violations in unmodified C/C++ code with full compatibility and low overhead. This runtime instrumentation, automatically inserted by our compiler, enables a developer to retrofit memory safety with zero cost and provides options for handling violations (e.g., abort or continue in a failure-oblivious manner). DRIFT uses a combination of inter- and intra-procedural analyses from LLVM and CodeHawk’s C Analyzer to elide unnecessary memory safety checks and metadata operations to provide extremely low overhead. When a crash or violation occurs, DRIFT provides crash dumps enhanced by our metadata to help developers understand the underlying issue or to automatically determine where the patch should go.
Beyond crash triage, DRIFT enables defenders to assess risk proactively through reachability analysis, determining whether a known vulnerability is exploitable in a specific binary. This is especially useful at scale, where a new CVE may affect only some deployed instances. DRIFT’s analysis uses compilation, linking, and runtime metadata to reconstruct accurate and precise call paths and vulnerability risk across configurations. When the callgraph shows a vulnerability is potentially reachable, precise inter-procedural analysis provides further evidence on the reachability result. Results include a confidence score and complexity assessment to guide response.
DRIFT includes a last-mile patching capability that produces binary-level micro-patches using verified and validated transformations and analyses. This capability enables defenders to rapidly develop and deploy remedies to binaries for which they do not have source. DRIFT extends support for binary patching, developed in DARPA AMP and ARPA-H DIGIHEALS, by modifying the binary to include metadata that enables validated lifting and binary transformations. Patches are expressed as changes to the validated lifting of the binary, and automatically inserted into the binary through validated transformations, either inline or via trampolines. These patches are validated with static analysis to ensure they remove the vulnerability without altering correct behavior. This enables defenders to deploy quick, safe fixes—even in systems where traditional patching is impractical.
All these capabilities are enabled by the additional metadata added to a binary or computed at runtime. This metadata includes embedded library SBOM information (at function granularity), instruction provenance, indirect call targets, linking information, and source code information.
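The reachability assessment described above, as an added illustration of the idea rather than DRIFT's own code or data format: a constructed function-granularity SBOM and call graph (hypothetical symbol and library names) are queried for whether a function affected by a vulnerability is both linked into the binary and reachable from the entry point, with paths that rely on recovered indirect-call targets reported at lower confidence.

```python
from collections import deque

# Constructed sample metadata (hypothetical names): which library and version each
# function in the binary came from, plus direct and indirect call edges.
FUNCTION_SBOM = {
    "main": ("app", "1.0"), "parse_request": ("app", "1.0"),
    "dispatch": ("app", "1.0"), "handle_upload": ("app", "1.0"),
    "png_decode": ("libpng", "1.6.36"), "png_read_chunk": ("libpng", "1.6.36"),
    "png_legacy_read": ("libpng", "1.6.36"), "zlib_inflate": ("zlib", "1.2.11"),
}
# Direct edges come from linking metadata; indirect edges are recovered
# indirect-call targets, which are less certain and so lower confidence.
DIRECT_CALLS = {
    "main": ["parse_request", "dispatch"], "dispatch": ["png_decode"],
    "png_decode": ["png_read_chunk"], "png_read_chunk": ["zlib_inflate"],
}
INDIRECT_CALLS = {"parse_request": ["handle_upload"]}

def affected_functions(sbom, library, version, vuln_funcs):
    """Vulnerable symbols that are actually linked into this binary."""
    return {f for f, (lib, ver) in sbom.items()
            if lib == library and ver == version and f in vuln_funcs}

def find_path(entry, targets, direct, indirect):
    """0-1 BFS: among call paths to a target, prefer the one using the fewest
    indirect edges. Returns (path, indirect_edge_count) or None."""
    queue = deque([(entry, [entry], 0)])
    done = set()
    while queue:
        node, path, ind = queue.popleft()
        if node in done:
            continue
        done.add(node)
        if node in targets:
            return path, ind
        for callee in direct.get(node, []):      # cost 0: explore first
            queue.appendleft((callee, path + [callee], ind))
        for callee in indirect.get(node, []):    # cost 1: explore later
            queue.append((callee, path + [callee], ind + 1))
    return None

def assess(entry, library, version, vuln_funcs, sbom=FUNCTION_SBOM,
           direct=DIRECT_CALLS, indirect=INDIRECT_CALLS):
    """Report whether a CVE in (library, version, vuln_funcs) is reachable."""
    targets = affected_functions(sbom, library, version, vuln_funcs)
    if not targets:
        return {"reachable": False, "reason": "affected code not linked into binary"}
    hit = find_path(entry, targets, direct, indirect)
    if hit is None:
        return {"reachable": False, "reason": "no call path from entry point"}
    path, n_indirect = hit
    return {"reachable": True, "path": path, "complexity": len(path) - 1,
            "confidence": "high" if n_indirect == 0 else "medium"}
```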
DRIFT is designed to integrate seamlessly into modern DevSecOps workflows, where software is continuously built, deployed, and monitored across diverse platforms. Our toolchain is fully robust, and our tools are modular and scriptable, producing and analyzing deployment artifacts such as binaries, crash dumps, and vulnerability disclosures, without requiring sidecar information. This architecture enables defenders to triage and remediate vulnerabilities in-place, without requiring access to source code or vendor support. DRIFT tools can be integrated into CI/CD pipelines, container build systems, and runtime monitoring setups to support ongoing vulnerability detection, reachability assessment, and patch synthesis.
Funding Source
DARPA: Enhanced SBOM for Optimized Software Sustainment (E-BOSS)
Program Dates
Start: October 2024
End: July, 2026