Researchers Look to Bots, Big Data to Fix Software Flaws

MIT researchers have created a system, dubbed Code Phage, to fix security software bugs by borrowing code from other programs, while other companies are using big data analytics to hunt down code flaws.

Automated systems paired with the ability to sift through massive amounts of data have changed numerous industries over the past decade, from delivering search results, to identifying sales trends and optimizing business processes.

Now, a combination of Big Data and cognitive computing is being used to ferret out security flaws in software.

Keeping security vulnerabilities out of today's software is a complex and multi-pronged effort, requiring developer training, expert systems that can spot certain classes of software bugs, and iterative quality control processes. Yet computer scientists are now looking for ways to eliminate many of the headaches and tedium of software development, not only to find flaws in programs but to fix them.

Researchers at the Massachusetts Institute of Technology, for example, created a system called Code Phage that can automatically patch software found to contain certain classes of flaws by searching for similar functionality in other programs and grafting it into the recipient software. The system mimics the biological process of horizontal gene transfer, but instead of moving genetic material between cells, Code Phage moves snippets of code between a donor program and the recipient with the vulnerability.

In a paper presented at the Association for Computing Machinery’s Programming Language Design and Implementation conference in June, the team of researchers reported that their system fixed 10 errors in 7 programs, taking from two to 10 minutes for each repair.

"What we are looking for here is an automated way to very quickly patch the bug," Martin Rinard, a professor of computer science and engineering at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), told eWEEK. "If the needed functionality exists in the world, then we have a good chance to help you out and fix those bugs."

In March 2015, not-for-profit research and development organization Draper Laboratory announced its effort, DeepCode, which uses big-data analytics to learn the difference between flawed code and good code. The researchers, who teamed with Stanford University on the project, are building on an earlier effort which mimicked processes in the human brain to detect sophisticated threats in network traffic.

Both projects aim to tackle a critical problem in software development: An increasing number of developers—many with little experience with secure programming—are creating the applications on which the world relies, resulting in flawed code.

"Application security is not going away, in fact, it is a huge and growing problem," Jothy Rosenberg, associate director of the Cyber Systems Group at Draper Laboratories, told eWEEK in an e-mail interview. "Until we change the fundamental model of computing to address security from the ground up, these problems will persist, and automated tools to identify and eliminate vulnerabilities will be required to mitigate the problem."

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...