Software vulnerabilities - frequent gateways for successful attacks on IT systems

Security breaches cause millions of dollars in damage every year. In addition to industry, public administration, critical infrastructures such as hospitals, and numerous private individuals are also affected. Regular reports of hacker attacks and data leaks have long since become the norm in our networked digital world. Attackers today mostly exploit vulnerabilities and mistakes in the design and implementation of application logic. Standard measures such as firewalls and virus scanners are not sufficient to prevent targeted attacks on gaps in software, as large-scale ransomware attacks have shown.

A wide range of vulnerability classes is known to research as the cause of these gaps, including missing or incorrect authentication, issues with input sanitization, misconfiguration of sensitive APIs such as cryptographic features, insecure backend communication, unclear or improper trust models between components, and many others. Software security, or more precisely: the rapid detection and remediation of such vulnerabilities, is essential to ensure adequate privacy and cybersecurity.

Software systems - complex, multi-layered, vulnerable to attack

Due to the complexity and size of modern software systems, manually verifying their code hasn’t been reasonable long since and is getting increasingly unrealistic. Systems nowadays consist of a large number of individual heterogeneous components that interact through various interfaces, where even the individual components can have hundreds of thousands or even millions of lines of code. Further, especially corporate back office software is usually developed, maintained, and customized over decades with different teams and responsibilities. These products therefore often lack a single, consistent and easily recognizable structure. Therefore, when the system is expanded, it is often built on an existing code base without knowing the original design decisions or reasons and without having direct access to the original developers. Nevertheless, the latest technologies must be integrated and current requirements met.

Finding security vulnerabilities in software - efficiently and automatically

The ATHENE research area AVSV is advancing the state of the art in automatic vulnerability detection. The goal is to provide code analysis tools and techniques that are precise, scalable and that identify the types of vulnerabilities that are missed by current scanners.

Research Goals of AVSV

ATHENE defines the following challenges for an ideal code scanner:

Goal 1

The tool needs to seamlessly blend into existing software development processes, both classic and agile ones. It needs to automatically configure itself based on the input program with as little intervention from the user as possible, including the selection of applicable checks and testing strategies. In case code generation techniques are used, their configurations shall tie into the scanning that happens after the code has been integrated and potentially customized.

Goal 2

The tool must be able to provide as much contextual information about a discovered vulnerability as possible. It shall allow the analyst to precisely assess the impact of the vulnerability on high-level assets, e.g., passwords, or application data. It must allow the developer to find a suitable remedy for the problem.

Goal 3

The reported vulnerabilities must be comprehensible for various stakeholders, including developers and product managers, even without a strong background in IT security.

Goal 4

The tool must be able to analyse heterogeneous software systems that comprise multiple platforms and programming languages, even if multiple components interact through external interfaces such as REST APIs or Android App-to-JavaScript interfaces.

Goal 5

The tool must be efficient and scale to large applications and software systems, i.e., work with reasonable efforts in time and resources (CPU power, memory consumption).

Goal 6

The tool should only report real relevant findings, with as little false positives as possible. It should check which vulnerabilities are likely exploitable and should rank those findings higher along with an explanation on how an attacker could proceed. Therefore, the tool shall attempt to automatically validate its findings through (semi)automated exploitation where possible.

Awards for AVSV researchers

3. place in the Fraunhofer ideas competition »Ramp up Resilience«

For the development of the VUSC code scanner, Dr. Steven Arzt and his colleagues Sebald Ziegler and Marc Miltenberger were awarded with the third place in the Fraunhofer "Ramp up Resilience" ideas competition.The award ceremony took place as part of the Fraunhofer symposium "Netzwert " on March 24, 2021.

More information to the ideas competition.