ERC project "Self-Optimising Static Program Analysis"

‘Software pervades our lives – but its lack of security is a threat that should be taken seriously. To ensure that software systems are reliable, we have to review their program code’, Bodden explains. The computer scientist is a leading expert in the field of secure software development, focusing on automatic vulnerability analysis tools. This is where his ERC project comes in: Bodden is developing a technology to produce vulnerability analysis tools that will operate perfectly for the relevant company’s software – all fully automated.

Static program analysis (i.e. the automatic review of program code) is the key technology for ensuring security, as it can analyse a program for any potential input – including input from hackers – and identify errors and vulnerabilities such as data leaks. Bodden: ‘Although static program analysis is an extremely high-performance tool, it has spent decades fighting to be widely used. However, as the EU is now stipulating that software must be securely developed, we can no longer ignore this technology.’ In Bodden’s view, however, current systems are not sufficiently adapted to development contexts: for example, they often issue false warnings and thus divert developers’ attention from the actual vulnerabilities. This will be particularly difficult for less experienced software engineers, who will now have to carry out static analyses as a result of the Cyber Resilience Act (CRA).

Motivation and goal

Binding safety requirements prescribed by law

The topic could hardly be more timely: as the number of successful attacks steadily increases, the EU presented an extended draft of the Cyber Resilience Act (CRA) in 2023. The Act aims to protect consumers and companies that buy products with digital components. It introduces mandatory cybersecurity requirements, making inadequate software attack protection a thing of the past. "With the CRA, a secure software engineering method becomes essential for every software-enabled product sold in the EU. For many companies that develop software, however, this will mean a radical change. In order to manage this change, they need tools that are as automated as possible," Bodden continues.

 

Technology analyses itself

The technology that Bodden wants to research with his specialist group in the ERC project "Self-Optimising Static Program Analysis" is intended to provide a remedy through automation: it enables users to perform analyses for any given application context. Relevant warnings are reported within a very short time without users having to intervene manually, and users receive precise reports for the programs they deploy. "No previous project has dealt with the idea of producing these optimal analyses fully automatically. To make this possible, we will have to develop static analyses for the first time that not only analyse and optimise programs, but also themselves."

 

Security for millions of programs

As a result of his project, software engineers should be able to use this type of error detection independently and make all the necessary adjustments to the analysis automatically. "And it should help to secure the millions of software systems that we have all learnt to rely on," summarises the scientist.

Vacancies

Post-doc employee (f/m/d)

Collaboration with doctoral students with regard to their doctorate | Further development of own research and teaching as well as that of the department with a teaching obligation of usually 4 SWS | Collaboration in the design and formulation of scientific funding applications | 3-year fixed-term contract | Pay grade 14 TV-L


Research assistant (f/m/d)

Collaboration in research and teaching (usually 4 SWS) in the field of Secure Software Engineering | Collaboration in externally funded research projects of the department | Organisation of courses of the department | Pay group 13 TV-L | 3 years fixed-term contract

