Associate Professor Jens Dietrich.
A Massey University researcher has been given a $US44,000 gift by tech-giant Oracle to find better ways to detect bugs and security vulnerabilities in one of the world’s most widely-used programming languages – but instead of keeping the solution for itself, Oracle wants to give it away.
The Java programming language is used in 15 billion devices around the world in applications like Netflix and Android mobile apps, right through to complex financial programmes used by large companies with valuable data to protect.
When it comes to problems in the software, traditionally companies have worked on them and kept the solutions to themselves, but by sharing the answer with competitors, they are actually saving time and money.
Associate Professor Jens Dietrich, of the School of Engineering and Advanced Technology, has been working with Oracle for a number of years to find bugs and security vulnerabilities in their software, something he says is "like creating your own puzzles and then solving them”. Oracle supports this works with gifts that put no restrictions on researchers to disseminate results - by publishing research papers and even releasing software as open source.
Some companies are seeing the opportunity in solving problems without all the red tape of contracting and commercialisation - by allowing other companies to utilise the answer as well – the problem is fixed in a smaller amount of time and they actually can save money by cutting out the commercialisation aspect.
“They need the tools, so they have found a way to get them faster and cheaper, which benefits everyone from the company to the consumer.”
Associate Professor Dietrich receives the gift from Oracle Labs, part of Oracle Incorporated, the second largest software company in the world, to devise new algorithms to find bugs and vulnerabilities in software. It follows previous gifts since 2014 totalling USD $144,000 (NZD $198,000).
“The security of our data on these web applications is a company’s top priority, as they are often dealing with very sensitive information. They use java because It has a reputation for its security and ease of use, but they cannot catch all the bugs in their own code and therefore must go back and patch software as problems arise.”
“Companies can do this themselves, but they often tap into external resources, like here at Massey, to find solutions or even find vulnerabilities and bugs that they never anticipated. Academic researchers can offer expertise that is often difficult for companies to find in-house, for instance, mathematical modelling and algorithm design.”
His work is focusing on modelling software as graphs which may be able to pinpoint what function in the software could be exploited. This approach has been tried before, but existing research failed to produce algorithms that can deal with the complexity and size of real-world programs.
In 2015, Associate Professor Dietrich, together with collaborators from the University of Sydney, invented a novel algorithm to overcome these limitations. He is now working on expanding this research further to reduce the number of false alarms the algorithm may produce, and to use it on some of the largest enterprise-level programs in use.
He says there is massive potential in this funding model. “New Zealand companies could learn a lot from what companies like Oracle are doing. This isn’t a contract, it’s a gift in support of academic research that gives the researcher a significant amount of freedom. It benefits not only the company but the researcher as well, by tapping into a funding avenue that was previously closed.”
He is now also working on a new, more fundamental question - how to predict program behaviour.
His project proposal on ‘closing the gaps in static program analysis’ was accepted as one of the SEED projects of the Science for Technological Innovation National Science Challenge in July 2017.
“The project is the logical next step from the Oracle-funded projects: not only being able to find bugs and vulnerabilities in large, real-world programs, but trying to find all of them. This could then be used to design completely different tools. For instance, one could prove the absence of a certain type of vulnerability from a program and use this information to certify that a program is fit for safety-critical applications,” says Associate Professor Dietrich.