In-Vivo Software Security Analysis at Scale

Objective

Project AT_SCALE will develop the most scalable and reliable techniques for the automatic discovery, diagnosis, and repair of security flaws in software systems to-date. AT_SCALE will make fundamental breakthroughs in empirical methods for reasoning about software systems as they are running in production.

Existing scalable techniques for automatic vulnerability discovery and detection provide unreliable results, which limits their utility and threatens the security of our digital world. Static analysis reasons over a model of software executions; it reports too many bugs that do not exist (false positives) and fails to report those that do (false negatives). Fuzzing reasons over artificial executions and thus misses critical security flaws. Statistical claims about the absence of bugs are fundamentally limited to the set of artificial executions.

These challenges will be effectively tackled by in-vivo software analysis. Our approach is inspired by the in-vivo approach in biology. A biologist studies complex organisms like we study software systems, either by analyzing a model or under artificial lab conditions. Yet, some behavior is difficult to induce artificially. An in-vivo approach allows us to make empirical statements about properties of a system of arbitrary size within its natural environment. However, unlike in biology, we can clone the entire, running system millions of times per second to run as many concurrent experiments with no impact on the original system.

In 2024, the global, annual cost for cybercrime is expected to exceed 10 trillion EUR, highlighting the need for scalable and reliable software security analysis techniques. AT_SCALE will deliver effective technology to fortify Europe’s digital infrastructure against cyberattacks.