Cybersecurity software wins a 2024 Federal Laboratory Consortium Excellence in Technology Transfer Award

The Federal Laboratory Consortium (FLC) has selected MIT Lincoln Laboratory’s Timely Address Space Randomization (TASR) as one of the recipients of their 2024 Excellence in Technology Transfer Award. This cybersecurity technology was transferred in 2019 and 2021 to two companies that develop cloud-based services.

TASR has the potential to help harden many cloud-based servers and user applications against rampant information-leakage attacks. These attacks have been involved in several recent high-profile breaches in which cyber criminals used sensitive information to commit fraud or identity theft, steal financial assets, or gain unauthorized access to other restricted or mission-critical systems. TASR is the first technology that mitigates the impact of such attacks regardless of the attack mechanism or underlying system vulnerability.

A nationwide network of more than 300 government laboratories, agencies, and research centers, FLC helps facilitate the transfer of technologies out of research labs and into the marketplace to benefit the U.S. economy, society, and national security. On an annual basis, FLC confers awards to commend outstanding technology transfer achievements of employees of FLC member labs and their partners from industry, academia, nonprofits, and state and local governments. The Excellence in Technology Transfer Award recognizes exemplary transfer of federally developed technology.

“We are honored to receive this FLC award recognizing our excellence in such technology transfer — in this case, of a cutting-edge cybersecurity technology for protecting everyday users of cloud infrastructure,” says Lincoln Laboratory Chief Technology Ventures Officer Asha Rajagopal.

The Lincoln Laboratory team behind TASR initially developed the technology under sponsorship by the National Security Agency (NSA), following a survey of existing cyber defenses and their vulnerabilities. The three-year development of TASR led to a research prototype in 2015 and a U.S. patent in 2019. In 2020, the U.S. Department of Homeland Security (DHS) selected TASR for its Commercialization Accelerator Program, through which the team matured the technology and connected with commercial companies. Given the growing need for hardening cloud-based services, TASR offers an attractive solution, as it protects Linux-based applications and servers from cyberattacks. Originally developed for personal computers based on Intel’s x86 architecture, the Linux operating system now runs more than 80 percent of all internet servers, 90 percent of public cloud workloads, all 500 of the world’s fastest supercomputers, and the majority of smartphones using Android.

TASR works by automatically and transparently shuffling (rerandomizing) the location of code in memory every time an application processes an input-and-output pair. Information may leak to an attacker whenever the application sends an output, such as a file write or data packet transmitted over a network. But with TASR, the information that may be leaked during system output will have changed at the next point the attacker is able to act on such information (i.e., at system input). Through this moving-target approach, TASR addresses a significant problem contributing to information-leakage attacks: target homogeneity. Once attackers devise an attack against an application, they can easily compromise millions of computers at once because all installations of that application look alike internally. By continuously rerandomizing memory throughout the application’s execution, TASR prevents such action.

“From the first day we started working on TASR, our focus was on making the technology as practical as possible to facilitate its transition to real users. We are honored to be recognized by the FLC for the decade-long journey leading to the transfer of TASR,” says principal investigator Hamed Okhravi, senior staff in the laboratory’s Secure Resilient Systems and Technology Group. Okhravi led the nearly decade-long process of conception, NSA and DHS sponsorship, development, maturation, and transfer phases for TASR, with support from the laboratory’s Technology Ventures Office and MIT’s Technology Licensing Office. The other team members are David Bigelow, Jason Martin, and William Streilein, and former staff members Thomas Hobson and Robert Rudd. TASR was previously recognized with a 2022 R&D 100 Award, acknowledged as one of the year’s 100 most innovative technologies available for sale or license.

The TASR team and awardees in the other categories will be honored at an award ceremony on April 10 during the 2024 FLC National Meeting in Dallas, Texas.