Complex Military Challenge – Critical Software Upgrade
This post is also available in: 
עברית (Hebrew)
Replacing legacy software in older military systems faces “high risk” that the new code won’t be fully compatible with the rest of the system. The US DoD wants to reduce the security risks of introducing new code into its legacy systems.
A new project will create a capability for developers that allows for incremental enhancements of software components with new code that is “correct-by construction and compatible-by-construction,” meaning it safely meshes with the integrates in the rest of the system.
The project, announced by the Defense Advanced Research Projects Agency, is called Verified Security and Performance Enhancement of Large Legacy Software (V-SPELLS).
The goal of the program is to create a developer-accessible capability for piece-by-piece enhancement of software components with new verified code that is safely composable with the rest of the system.
“The program will produce theories, technologies, tools and formal proof methodologies leading to experimental prototype(s) that provide capabilities for piece-by-piece performance and security enhancement or replacement of legacy code in mission-critical systems. It is expected that these prototypes will provide a starting point for technology transition and assured incremental modernization of mission-critical software in cyber-physical system domains,” the broad agency announcement states, according to defensenews.com.
The project is trying to better understand legacy code to “reap the benefits of verification approaches for their incremental, assured enhancement, or to apply verification for safe composition of enhancements with large legacy systems,” the announcement states.
DARPA anticipates $40 million in funding for the work.
Apparently, legacy code and systems is a problem that plagues not only the Department of Defense, but also numerous federal civilian agencies. A 2019 report the Government Accountability Office, the congressional watchdog, found that the Department of the Treasury was running a system that was 51 years old. In the same report, the GAO ranked a 14-year-old DoD maintenance system for maintaining readiness as a “most critical” platform in need of modernization, noting that the department recognized it as a “moderately high” in terms of criticality and ranked it as a “moderate” security risk.
