Imagine a factory filled with manufacturing equipment. Workers efficiently orchestrate the whir and hum of daily operations, but then an alarm sounds and the production line shuts down.
What happened? Did a faulty new device unleash the problem when it was brought into use for the first time? Or did a component suddenly fail within a machine already running at the heart of the plant?
Computer scientists ask similar questions when they seek to find and fix “bugs” or lapses in the integrity of software maintaining vital communications, infrastructure and security systems. Can the issue be identified by static analysis, which examines code without running it? Or does the situation require dynamic analysis of programs while they are executing code and driving processes?
“Dynamic approaches dominate the field of binary analysis because of the actionability of results. If they tell you there’s a bug, there’s definitely a bug,” says Yan Shoshitaishvili, an assistant professor of computer science in the Ira A. Fulton Schools of Engineering at Arizona State University. “But they work only for the sections of software you observe running, and the burden of testing all the parts of complex applications would be untenable. In fact, the code coverage [or the portion of executed code that can be examined] for dynamic analysis is normally just 60%.”
This limitation means almost half of the space in which software bugs might be hidden, or occluded, remains unsearched by any given method of dynamic analysis. Static analysis, by contrast, can reveal bugs that evade dynamic approaches, but it faces limits in terms of precision, scalability and reproducibility. So neither method seems capable of fully revealing hidden vulnerabilities.
“That’s why my colleagues and I started exploring whether we can combine these two approaches,” Shoshitaishvili says. “One of our ideas uses a form of static analysis to identify potential bugs and also where within code they may be located. Doing so enables the extraction of specific pieces of software for subsequent dynamic testing, which is much more effective than trying to test entire applications.”
Shoshitaishvili and his team have completed preliminary work on this novel system, which they call Resin — a reference to the material used to plug holes in boat hulls. They now need to determine how their approach can be applied to yield maximum impact for keeping vital software shipshape.
The potential of this innovative work has captured the attention of the Defense Advanced Research Projects Agency, or DARPA, a U.S. Department of Defense entity that fosters the development of breakthrough technologies to enhance national and global security.
DARPA has chosen Shoshitaishvili for a 2022 Young Faculty Award, which identifies him as a rising star among university scientists, engineers and mathematicians. Awardees receive funding, mentorship and professional contacts that support their research and its application to defense and security issues. Shoshitaishvili’s award includes $500,000 distributed across two years, with the possibility of another $500,000 for a third year.