ERC project "Self-Optimizing Static Program Analysis"

‘Software pervades our lives – but its lack of security is a threat that should be taken seriously. To ensure that software systems are reliable, we have to review their program code’, Bodden explains. The computer scientist is a leading expert in the field of secure software development, focusing on automatic vulnerability analysis tools. This is where his ERC project comes in: Bodden is developing a technology to produce vulnerability analysis tools that will operate perfectly for the relevant company’s software – all fully automated.

Static program analysis (i.e. the automatic review of program code) is the key technology for ensuring security, as it is able to analyse a program for any potential inputs – including from hackers – and identify errors and vulnerabilities such as data leaks. Bodden: ‘Although static program analysis is an extremely high-performance tool, it has spent decades fighting to be widely used. However, as the EU is now stipulating that software must be securely developed, we can no longer ignore this technology.’ In Bodden’s view, however, current systems are not sufficiently adapted to development contexts: for example, they often issue false warnings and thus divert developers’ attention from the actual vulnerabilities. This will be particularly difficult for less experienced software engineers, who will now have to carry out static analyses as a result of the Cyber Resilience Act (CRA).

Proposal

More about the goal, the challenges and the approach of the ERC project can be found in the research proposal that Eric Bodden submitted to the ERC. The document can be viewed here and can serve as inspiration for further research projects.


Motivation and goal

Binding security requirements prescribed by law

The topic could scarcely be more relevant: as the number of successful attacks is constantly increasing, in 2023 the EU presented an expanded draft of what they called the ‘Cyber Resilience Act’ (CRA). This seeks to protect consumers and companies who purchase products with digital components. This law introduces binding cybersecurity requirements, seeking to make insufficient software attack prevention a thing of the past. ‘The CRA makes it vital to establish a secure software engineering method for any software-ready product sold in the EU. For many companies that develop software, however, this means radical change. To tackle this change, they need tools that are as automated as possible’, Bodden continues.

 

Technology that analyses itself

The technology that Bodden is seeking to research in his ERC project ‘Self-Optimizing Static Program Analysis’ aims to help through automation: it enables users to conduct analyses for any given usage context. Relevant warnings are issued within an extremely short time without users having to intervene manually, and users receive precise reports for the programs they provide. ‘No previous projects have tackled the idea of making these ideal analyses fully automatic. To enable this, we must begin by developing static analyses that can analyse and optimise not only programs, but also themselves.’

 

Security for millions of programs

As a result, this project should enable software engineers to independently use this kind of error detection and ensure that any necessary adjustments to the analysis can be performed automatically. ‘And it should help to secure millions of software systems that we have all learned to rely on’, the researcher summarises.
