secureIT

Duration
2019-2025

Software has become a major factor of our daily lives and a central part of nearly all sectors of economic activity. It is not only found on computers, but essential to the operation of mobile phones and networks, home appliances, ATMs, cars, airplanes, medical devices, and financial and business systems. The exploitation of vulnerabilities in software can affect thousands or even millions of people and lead to massive damages.

The main goal of the secureIT project is to significantly reduce the vulnerability of software systems. This is done by developing intelligent analysis technology that will help software engineers by automatically detecting vulnerabilities in source code during development, well before they can be exploited.

To create this technology, the project will address two fundamental challenges: (1) Vulnerability prediction based on the detection of vulnerability smells and security anti-patterns. Vulnerability smells are symptoms in source code that negatively impact software security. They are not concrete errors but indications of weaknesses that increase the risk of a security problem. Security anti-patterns are patterns in source code that are known to lead to security issues. (2) Vulnerability prediction by automatically learning common patterns from existing software and detecting where the source code of the investigated system deviates from the learned patterns. This is somewhat similar to the way credit card companies detect suspicious transactions to prevent fraud.
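As an added illustration of approach (2), and not code from the secureIT project: the snippet below learns "if a function calls a, it also calls b" rules from a small corpus of hypothetical, constructed C-style function bodies, then flags the functions that deviate from the learned rules. The corpus, the regex-based call extraction and the thresholds are all assumptions made for the demo.

```python
import re
from collections import Counter
from itertools import permutations

# Constructed sample corpus of hypothetical C-style function bodies (not secureIT data).
CORPUS = {
    "load_settings": 'FILE *f = fopen(p, "r"); fread(buf, 1, n, f); fclose(f);',
    "dump_state":    'FILE *f = fopen(p, "w"); fwrite(buf, 1, n, f); fclose(f);',
    "read_header":   'FILE *f = fopen(p, "r"); fread(hdr, 1, 16, f); fclose(f);',
    "append_log":    'FILE *f = fopen(p, "a"); fwrite(msg, 1, n, f); fclose(f);',
    "copy_buffer":   "char *d = malloc(n); memcpy(d, s, n); use(d); free(d);",
    "encode_name":   "char *d = malloc(n); memcpy(d, s, n); emit(d); free(d);",
    "build_message": "char *d = malloc(n); strcpy(d, s); send(d); free(d);",
    "parse_record":  'FILE *f = fopen(p, "r"); fread(rec, 1, n, f); return rec;',  # handle never closed
    "hash_password": "char *d = malloc(n); sha256(d, s, n); return d;",             # buffer never freed
}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def calls_in(body):
    """Crude call extraction: every identifier directly followed by '(' (enough for the demo)."""
    return set(CALL_RE.findall(body))

def mine_rules(call_sets, min_support=3, min_confidence=0.75):
    """Learn implication rules a -> b: functions that call a almost always also call b.
    Returns {(a, b): confidence} with confidence = support(a, b) / support(a)."""
    single, pair = Counter(), Counter()
    for calls in call_sets.values():
        single.update(calls)
        pair.update(permutations(calls, 2))   # every ordered pair of distinct calls, once
    return {(a, b): n_ab / single[a]
            for (a, b), n_ab in pair.items()
            if n_ab >= min_support and n_ab / single[a] >= min_confidence}

def find_deviations(call_sets, rules):
    """Flag functions that match a rule's antecedent but lack its consequent.
    A deviation is a candidate for review, not a confirmed vulnerability."""
    return sorted((name, a, b, conf)
                  for name, calls in call_sets.items()
                  for (a, b), conf in rules.items()
                  if a in calls and b not in calls)

def analyze(corpus=CORPUS, **thresholds):
    call_sets = {name: calls_in(body) for name, body in corpus.items()}
    rules = mine_rules(call_sets, **thresholds)
    return rules, find_deviations(call_sets, rules)
```

Calling `analyze()` on the constructed corpus learns, among others, `fopen -> fclose` and `malloc -> free`, and reports `parse_record` and `hash_password` as the functions that break them; on real code the same idea needs far larger corpora and confidence thresholds tuned against the false-positive rate.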

The proposed research is at the forefront of international scientific thinking and will increase the scientific excellence of research in Norway with an innovative and interdisciplinary approach to reducing the digital vulnerability of ICT. The outcomes will strengthen the competitiveness of Norwegian industry and promote Norway as a research and innovation leader on secure software development.

The results of the project include an open, systematically collected, source-code vulnerability related dataset and a framework that assists in collecting and updating such datasets. Moreover, we've published a journal paper that discusses the challenges of predicting vulnerability purely based on function names, and several papers that discuss how automated program repair of bugs such as security vulnerabilities can be improved and made applicable to a wider range of bugs. We continue our investigation into comparing techniques for embedding source code in formats used by machine learning techniques, and into using knowledge graphs for vulnerability assessments.

Summary:

Software has become a central part of nearly all sectors of economic activity, and our daily lives have become increasingly dependent on complex software-intensive systems, i.e., systems in which software interacts with other software, other systems, devices, sensors and with people. Exploitation of vulnerabilities in software can affect thousands or even millions of people and lead to massive damages.

The secureIT project will help reduce software vulnerabilities by addressing the problem at its source: we will develop advanced methods and techniques that help software engineers predict the vulnerability of source code during development, well before it can be exploited.

The overall goal of this project is to significantly reduce digital vulnerability of ICT by devising intelligent automated software security assessment technology that supports software engineers by systematically and continuously predicting the vulnerability of source code in the development stage.

We reach this goal using three scientific breakthroughs that will advance the state of the art in software security assessments:
(1) Vulnerability Prediction based on Vulnerability Smells and Security Anti-Patterns
(2) Anomaly-based Vulnerability Prediction
(3) Improving Vulnerability Predictions using Historical Data

Timeliness: The secureIT project builds on the PI's earlier achievements in automated software inspection, code smell detection, cross-language information flow analysis in heterogeneous systems, and frequent pattern mining and anomaly detection in high-volume data. Recent advances in machine learning, together with the PI's new results on automatically learning patterns in high-volume data and generalizing them using rule aggregation [27 in project description], mean that now is the best time to start this research. Software vulnerability needs to be reduced, and the global state of the art was not at the required level to start this ambitious research undertaking until just recently.

Funding Source:

The Research Council of Norway