Millions in EU funding for secure software systems
Professor Eric Bodden, a computer scientist at Paderborn University and director of the Fraunhofer IEM, has been awarded the ‘ERC Advanced Grant’ of 2.5 million euros by the European Research Council for his research into secure software systems. These grants are the most significant European research funding award available and are given to top researchers for their exceptional scientific achievements via a competitive process.
The next generation of automatic vulnerability analysis
‘Software pervades our lives – but its lack of security is a threat that should be taken seriously. To ensure that software systems are reliable, we have to review their program code’, Bodden explains. The computer scientist is a leading expert in the field of secure software development, focusing on automatic vulnerability analysis tools. This is where his ERC project comes in: Bodden is developing a technology to produce vulnerability analysis tools that will operate perfectly for the relevant company’s software – all fully automated.
Binding security requirements prescribed by law
The topic could scarcely be more relevant: as the number of successful attacks is constantly increasing, in 2023 the EU presented an expanded draft of what they called the ‘Cyber Resilience Act’ (CRA). This seeks to protect consumers and companies who purchase products with digital components. This law introduces binding cybersecurity requirements, seeking to make insufficient software attack prevention a thing of the past. ‘The CRA makes it vital to establish a secure software engineering method for any software-ready product sold in the EU. For many companies that develop software, however, this means radical change. To tackle this change, they need tools that are as automated as possible’, Bodden continues.
Static program analyses: potential that still remains untapped
Static program analysis (i.e. the automatic review of program code) is the key technology for ensuring security, as it is able to analyse a program for any potential inputs – including from hackers – and identify errors and vulnerabilities such as data leaks. Bodden: ‘Although static program analysis is an extremely high-performance tool, it has spent decades fighting to be widely used. However, as the EU is now stipulating that software must be securely developed, we can no longer ignore this technology.’ However, in Bodden’s view, current systems are not sufficiently adapted to development contexts, meaning that they will for example often issue false warnings and thus divert developers’ attentions from the actual vulnerabilities. It will be particularly difficult for less experienced software engineers, who will now have to carry out static analyses as a result of the CRA.
Technology that analyses itself
The technology that Bodden is seeking to research in his ERC project ‘Self-Optimizing Static Program Analysis’ aims to use automation to assist, as it enables users to conduct analyses for any given usage context. Relevant warnings are issued within an extremely short time without users having to manually intervene. They receive precise reports for the programs they provide. ‘No previous projects have tackled the idea of making these ideal analyses fully automatic. To enable this, we must begin by developing static analyses that can analyse and optimise not only programs, but also themselves.’
Security for millions of programs
As a result, this project should enable software engineers to independently use this kind of error detection and ensure that any necessary adjustments to the analysis can be performed automatically. ‘And it should help to secure millions of software systems that we have all learned to rely on’, the researcher summarises.
Eric Bodden is Professor of Secure Software Engineering and Chairman of the Board at Paderborn University’s Heinz Nixdorf Institute, Head of the University’s Department of Computer Science, and Director of Software Engineering and IT Security at the Fraunhofer Institute for Mechatronic Systems Design. He is also a member of the ‘Working Group 2.4 Software Implementation Technology’ at the ‘International Federation for Information Processing, (IFIP), of the DFG ‘Computer Science’ review board, and of acatech.
