CACHE
A cybersecurity architecture using compartmentalization
to stop threats at the source
A cybersecurity architecture using compartmentalization to stop threats at the source
Compartmentalization Architecture using Commodity Hardware for Enforcement (CACHE)
Traditional cybersecurity focuses on perimeter defenses designed to stop external threats from entering an organization’s network. DARPA’s Compartmentalization and Privilege Management (CPM) program focuses on a new approach to cyber resilience and aims to protect systems from cyberattacks even after an attacker has gained initial access.
This new approach assumes the attacker is already in the system and limits their damage by compartmentalizing the system and enforcing access controls, regardless of how they initially access the system.
“CACHE provides a new way of looking at cybersecurity and protecting systems from the inside out that is very fine-grained and flexible. I think it’s going to make big changes in the cybersecurity landscape and also make it more difficult for the hacker community to be successful in their campaigns, whether that’s an individual hacker, sophisticated nation-state hackers, or advanced persistent threats.”
Gerald Fry
Senior Scientist and Principal Investigator on CACHE
CACHE changes the mindset from just protecting the boundary to mitigating threats inside a system. It’s like protecting valuable items inside a home—in addition to door alarms and external locks, you can also add locks on internal doors and keep sensitive items in a combination safe. The mindset assumes an attacker has already breached the outer perimeter.
“Compartmentalization is a groundbreaking way to think about security—it shifts your mindset from reactive perimeter defense to proactive containment. Instead of just preventing breaches, defenders assume attackers may get in and focus on limiting damage through isolation and least privilege.”
Joel Hypolite, PhD
Research Scientist and Technical Lead on CACHE
The team is collaborating with experts at Boston University to develop an approach that repurposes existing hardware architectures. Leveraging deep knowledge of the underlying hardware, they are identifying components already present that can be used in creative ways without requiring entirely new systems.
To provide separation and enforcement of security policies within individual compartments, CACHE implements a “root of trust” component, a trusted starting point verifying that a system is secure, that configures the hardware to enforce the access control policies. In addition, the team is automating tedious tasks so that human intervention is only needed when the system detects a potential access violation.
CACHE’s gate manager applies a privilege policy using existing commodity hardware mechanisms and mediates transitions (i.e., gate calls) between application-level and system-level compartments.
The key expected benefits for DARPA include demonstrating a novel, effective, and broadly applicable cybersecurity approach that can be implemented using existing hardware. Improving cybersecurity also has direct safety implications because it will help protect physical systems that are connected to the Internet, such as autonomous vehicles.
Contact us to learn more about CACHE and our capabilities in cybersecurity.
Image credits: Charles River Analytics, Inc.
This material is based upon work supported by the Air Force Research Laboratory (AFRL) and DARPA under Contract No. FA8750-24-C-B022. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the AFRL or DARPA.