Researchers Look to Bots, Big Data to Fix Software Flaws
In the case of Code Phage, the program operates by taking vulnerabilities identified by a second project, known as DIODE, and then seeking out potential donor code that could fix the issue. Code Phage first identifies potential donor programs by using two inputs—one that triggers an error and one that does not—and attempts the same inputs on a library of other programs. After further checking the potential donor, Code Phage performs digital surgery, grafting the needed code from the donor to the recipient program. Finally, it validates that the patched code works as expected.
The project currently focuses on fixing code that processes image formats, such as JPEG and PNG files. The short-term goal is to build up a system that has a large population of donors handling the same formats and use them to fix other programs. After that, developers could use the system to seek out the best way to write a piece of code. "The long-term vision is that [you] don't ever have to write a piece of code that someone else has written, because we will find it and integrate them all together," MIT's Rinard said.
To reduce the number of false positives, systems often focus on a single class, or a few classes, of software vulnerabilities. MIT's DIODE project, for example, identifies memory overflow errors that could lead to security issues. With such complexity, a fully automated system to both find and fix vulnerabilities is a tall order, Daniel Meissler, a practice principal with HP Fortify, told eWEEK. "It could bear fruit there, but they have to worry about garbage-in, garbage-out," he said. "If you have good inputs, you will get good outputs. But if you submit the wisdom of the crowds, they could potentially make the output not as pure."
In addition, both DeepCode and Code Phage search other software for solutions to vulnerabilities and that, in and of itself, could pose a problem. Code Phage, for example, does not need access to source code, so the program could use any available binary.
But copying code from other—possibly copyrighted—programs will likely cause legal problems. Still, without automating software-security analysis and the fixing of code, developers may never get a handle on the burgeoning problem of software flaws, said Draper's Rosenberg. "Today's systems for finding vulnerabilities are mostly manual and there is almost no automation for vulnerability repair in use today," he said. "Automation can help keep vulnerabilities out of software."
Numerous companies—including security firms Cigital, Coverity, HP Fortify and Veracode—have technology to analyze code and provide developers with a list of possible software flaws. Because the task of finding vulnerabilities in complex software is so difficult, such systems often create false positives, issuing alerts for potential vulnerabilities that may not be a danger.