U.Va. Computer Scientists Join $13 Million Project to Secure Software of Unknown Origins

November 23, 2010 — Buggy computer software and hardware, sometimes created by unknown developers, can pose a risk to U.S. computer security. Computer scientists at the University of Virginia are participating in a $13 million research project aimed at reducing that risk.

The grant is one of the largest in which computer science faculty members in the School of Engineering and Applied Science have been involved, Mary Lou Soffa, chair of the Department of Computer Science, said.

Computer science professor Jack Davidson said a source of cybersecurity problems is the fact that software programs and components are increasingly produced by unknown developers and in offshore locations. These programs and components are then integrated into larger systems in the United States. The software vulnerabilities come from mistakes of, as well as malicious acts by, the unknown programmers. 

"You may have software that you want to use on a machine, but there is no assurance that the code is free of vulnerabilities that could be exploited by an enemy," Davidson said. "We are making sure that software isn't vulnerable from unintentional bugs in the code, or from supply-chain vulnerabilities in which a programmer purposefully embeds bugs."

The U.Va. researchers' work is part of a larger initiative, "Securely Taking On New Executable Software Of Uncertain Provenance," or STONESOUP. It was organized by the Intelligence Advanced Research Projects Activity, a funding agency under the U.S. Office of the Director of National Intelligence.

GrammaTech, an automated program analysis firm in Ithaca, N.Y., is leading the project, and the U.Va. researchers, along with researchers from the Georgia Institute of Technology and Raytheon, a Waltham, Mass.-based defense contractor, are working as subcontractors.

The U.Va. team, led by Davidson and computer science professor John Knight, was awarded $3.8 million of the grant to contribute expertise in technologies that monitor software programs while the programs are running. Jason Hiser, Anh Nguyen-Tuong and Michele Co, all research faculty members in the department, are serving as co-investigators. Edric Barnes, a fourth-year computer science student, is also working on the project.

Monitoring and analyzing software while it's running – capabilities under active research at U.Va. – improve the likelihood that a program will operate as intended. The U.Va. team will be building on the Memory Error Detection System technology they previously developed, which combines the benefits of static and dynamic analysis.

Static analysis looks at all the properties of a software program when it is in an idle state, regardless of a given execution. Dynamic testing looks at a program while it's running, but can only test for problems associated with a specific execution.

"This project will allow us to apply tools and techniques that we have been developing over the years," Davidson said.

GrammaTech will contribute its expertise in source and machine code analysis to discover and remediate software problems through static analysis and automated, high-coverage testing. The company will provide both program-analysis technology and research expertise under the leadership of David Melski, principal investigator for the project and an expert in static and run-time analysis.

Researchers at Georgia Tech, led by professor Wenke Lee, will build on their Secure In-VM Monitoring technology, which both reduces a program's vulnerability to attack and confines the effects of software attacks. A group at Raytheon, led by Thomas Bracewell, will provide large-scale integration capability and apply the integrated system to real-world applications.

Media Contact