Within the industrial sector, software has become so vital to assuring processes run smoothly and efficiently that even the a small hiccup in coding can cause major issues which is why secure software systems remain a topic of concern.

To that end, Professor Eric Bodden, a computer scientist at Paderborn University and director of the Fraunhofer IEM, earned a €2.5 million “ERC Advanced Grant” from the European Research Council in an effort to ensure secure software systems. These grants are the most significant European research funding award available and are given to top researchers for their exceptional scientific achievements via a competitive process.

“Software pervades our lives – but its lack of security is a threat that should be taken seriously. To ensure that software systems are reliable, we have to review their program code,” Bodden said.

Technology for Vulnerability Analysis
The computer scientist is an expert in the field of secure software development, focusing on automatic vulnerability analysis tools. This is where his ERC project comes in: Bodden is developing a technology to produce vulnerability analysis tools that will operate perfectly for the relevant company’s software – all fully automated.

As the number of successful attacks constantly rise, in 2023 the EU presented an expanded draft of the Cyber Resilience Act (CRA). This seeks to protect consumers and companies who purchase products with digital components.

Schneider Bold

This law introduces binding cybersecurity requirements, seeking to make insufficient software attack prevention a thing of the past.

“The CRA makes it vital to establish a secure software engineering method for any software-ready product sold in the EU. For many companies that develop software, however, this means radical change. To tackle this change, they need tools that are as automated as possible,” Bodden said.

Static program analysis (i.e. the automatic review of program code) is the key technology for ensuring security, as it is able to analyze a program for any potential inputs – including from hackers – and identify errors and vulnerabilities such as data leaks.

Additionally, static program analysis is an extremely high-performance tool, it has spent decades fighting for wide use, Bodden said.  However, the EU is now stipulating that software must end up  securely developed, so the industry can no longer ignore this technology.

System Cannot Adapt
As it turn out, current systems cannot adapt to development contexts, meaning they will for example often issue false warnings and thus divert developers’ attentions from the actual vulnerabilities, Bodden said. That will make is particularly difficult for less experienced software engineers, who will now have to carry out static analyses as a result of the CRA.

The technology that Bodden is seeking to research in his ERC project “Self-Optimizing Static Program Analysis” aims to use automation to assist, as it enables users to conduct analyses for any given usage context. Relevant warnings end up issued within an extremely short time without users having to manually intervene. They receive precise reports for the programs they provide.

“No previous projects have tackled the idea of making these ideal analyses fully automatic,” Bodden said. “To enable this, we must begin by developing static analyses that can analyze and optimize not only programs, but also themselves.”

As a result, this project should enable software engineers to independently use this kind of error detection and ensure that any necessary adjustments to the analysis can be performed automatically. “And it should help to secure millions of software systems that we have all learned to rely on,” Bodden said.

ISSSource

Pin It on Pinterest

Share This