As computing devices become more pervasive, the software systems that control them have become increasingly more complex and sophisticated. Consequently, despite the tremendous resources devoted to making software more robust and resilient, ensuring that programs are correct—especially at scale—remains a difficult and challenging endeavor. Unfortunately, uncaught errors triggered during program execution can lead to potentially crippling security violations, unexpected runtime failure or unintended behavior, all of which can have profound negative consequences on economic productivity, reliability of mission-critical systems, and correct operation of important and sensitive cyber infrastructure. Insecure software can result from insufficient testing, inexperienced coders who lack cybersecurity training, or financial incentives that reward writing and distributing code quickly rather than eliminating security flaws.
Military systems have become critically dependent on software reliability because growing software-enabled systems and components. In addition, software is now embedded in the cyberspace domain that enables defense military, intelligence, and business operations. Furthermore, embedded software has become an essential feature of virtually all hardware systems. This necessitates assessing system reliability through a holistic accounting of hardware, software, operator and their interdependencies.
DARPA’s MUSE program
To help overcome these challenges, DARPA has created the Mining and Understanding Software Enclaves (MUSE) program. MUSE seeks to make significant advances in the way software is built, debugged, verified, maintained and understood. Central to its approach is the creation of a community infrastructure built around a large, diverse and evolving corpus of software drawn from the hundreds of billions of lines of open source code available today.The code repository is being built in another DARPA program “Mining and Understanding Software Enclaves (MUSE)”, whose aim is to scan billions of open-source code, and create databases of code properties, vulnerabilities and behaviors.
Draper is developing DeepCode under DARPA’s MUSE program. “Draper is applying big-data analytics to automatically discover software vulnerabilities,” said Draper President and CEO Kaigham J. Gabriel. DeepCode will examine terabytes of open-source software and by using machine learning and pattern analysis techniques, researchers hope that DeepCode will learn what good code and bad code looks like. Once the system is trained to recognize vulnerabilities, DeepCode will analyze new and existing software projects (both binary and source), automatically identify flawed program segments, and recommend code repairs to replace the vulnerable software components with more secure versions,”
This program represents the first time deep learning techniques, a set of algorithms that enable software to mimic the human brain’s ability to recognize patterns, being applied to analyze software structure and semantic content. In an earlier study, Draper’s DeepCode team used deep learning analytics to successfully identify synthetic Advanced Persistent Threats from within large volumes of otherwise benign network traffic.
Vulnerabilities manifest when implementations do not conform to design. Determining program correctness thus fundamentally requires a precise understanding of a program’s intended behavior, and a means to convey this understanding unambiguously in a form suitable for automated inspection. Having useful, comprehensible and efficiently checkable program specifications is therefore critical for gaining high assurance and confidence of complex software systems, says DARPA. Often, however, the behaviors exposed by a program’s implementation do not match those defined by the program’s specification, in large part because the task of writing useful, correct and efficiently checkable specifications is often as hard as the task of writing the implementations that purport to satisfy it.
An integral part of the envisioned infrastructure would be a continuously operational specification mining engine. This engine would leverage deep program analyses and foundational ideas underlying big data analytics to populate and refine a database containing inferences about useful properties, behaviors and vulnerabilities of the program components in the corpus. The collective knowledge gleaned from this effort would facilitate new mechanisms for dramatically improving software reliability, and help develop radically different approaches for automatically constructing and repairing complex software.
Among the many envisioned benefits of the program are scalable automated mechanisms to identify and repair program errors, and specification-based tools to create and synthesize new, custom programs from existing corpus elements based on properties discovered from this mining activity.
DARPA’s PLINY program
DARPA (Defense Advanced Research Projects Agency) has provided four year $11 million dollar grant to University of Texas at Austin, University of Wisconsin-Madison (UW-Madison), and Rice University to develop Pliny system whose goal is to make future code more secure and less buggy.Pliny can flag areas of a code that differ from its billions of lines of code repository.By highlighting such regions, Pliny will help software engineers make an informed decision whether to fix or keep the differing code, Alternatively, it can act as an autocomplete and/or autocorrect system by finding code in the repository that will best fit the gaps in the program.
“Software today is far more complex than it was 20 years ago, yet it is still largely created by hand, one line of code at a time,” said co-PI Swarat Chaudhuri, assistant professor of computer science at Rice. “We envision a system where the programmer writes a few of lines of code, hits a button and the rest of the code appears. And not only that, the rest of the code should work seamlessly with the code that’s already been written.”
“Imagine the power of having all the code that has ever been written in the past available to programmers at their fingertips as they write new code or fix old code,” said Vivek Sarkar, Rice’s E.D. Butcher Chair in Engineering, chair of the Department of Computer Science and the principal investigator (PI) on the PLINY project. “You can think of this as autocomplete for code, but in a far more sophisticated way.” The core of the system will be a data-mining engine that continuously scans the massive repository of open-source code. The engine will leverage the latest techniques in deep program analyses and big-data analytics to populate and refine a database that can be queried whenever a programmer needs help finishing or debugging a piece of code.
“The engine will formulate answers using Bayesian statistics,” said co-PI Chris Jermaine, associate professor of computer science at Rice. “Much like today’s spell-correction algorithms, it will deliver the most probable solution first, but programmers will be able to cycle through possible solutions if the first answer is incorrect.” PLINY is part of DARPA’s Mining and Understanding Software Enclaves (MUSE) program, an initiative that seeks to gather hundreds of billions of lines of publicly available open-source computer code and to mine that code to create a searchable database of properties, behaviors and vulnerabilities
References and Resources also include: