In the past year a lot has happened at CITL:
- We compared the utilization of application armoring techniques across thousands of applications within Windows 10, Linux Ubuntu and Linux Gentoo, and Mac OS X.
- We hacked up a proof-of-concept of our toolchain and looked under the hood at IoT applications and operating systems in use on “Smart” TVs.
- We found safety issues that seemed to have gone unnoticed for years in popular applications (e.g. Firefox and Office 2011 on OS X).
- We provided both high level and detailed results of our findings and approaches in our presentations at BlackHat and Defcon.
- We collaborated with Consumer Reports and other public interest organizations to codify how to assess security risks to consumers in the products they buy.
We're proud of these achievements, but we're hungry for more. Today we're happy to make several announcements on that front.
First, having established the success of CITL's analytic methodology, Director Peiter "Mudge" Zatko will transition to a board position, where he will continue to provide vision and strategic insight.
Now that we have a proof of concept in hand it is time for us to grow and focus on scale, operations, and getting more information out to the public and industry.
To help CITL expand its methodology to larger studies, we are pleased to welcome Tim Carstens as Acting Director. Though a mathematician by training, Carstens joins CITL with over a decade of experience in computer security, having reviewed systems in use by hundreds of millions of people and businesses.
Carstens will assist Chief Scientist Sarah Zatko as CITL continues to expand our methodology to larger studies at greater scale.
Speaking of larger studies, we are very excited about our third announcement: in light of our success applying the CITL methodology to desktop applications, DARPA has provided further funding to expand our methodology to software running in embedded devices and IoT.
The ubiquity of such devices, together with the difficulty of detecting when one has been hacked, makes them ideal targets for attackers. Even those devices which seem completely mundane can still be useful as a node in a botnet. Thus, the poor security of such devices affects us all. As always, we look forward to sharing with you our progress as we study and compare the software that runs on these devices.
Fourth, we are thankful to announce that we've recently received a large charitable donation from a company in the financial sector. Their donation in support of the CITL mission will allow us to expand our team and perform larger, more in-depth reports on more classes of software. We are truly appreciative of their vote of confidence.
We look forward to continuing our relationship with our partners, including Consumer Reports and the Ford Foundation, and to new partnerships to come.