Software development is a complex and manual process, in part because typical software programs contain more than hundreds of thousands lines of computer code. If software programmers fail to perform critical checks in that code, such as making sure a user is authorized to update an account, serious security compromises ensue. Indeed, vulnerable software is one of the leading causes of cyber security problems. Checking for security problems is very expensive because it requires examining computer code for security mistakes, and such a process requires significant manual effort. This research project aims at developing an interactive help system to warn software programmers about potential security mistakes, similar to the way modern word processors warn writers of spelling and grammar errors. This is likely lead to new functions for software development tools that will significantly reduce security vulnerabilities in software.
The research is based on the concept of interactive static analysis, a novel mixed-initiative paradigm for interacting with programmers to aid in the detection and prevention of security vulnerabilities. Static analysis is seamlessly integrated into the development environment in such a way that programmers are not required to learn additional programming language and analysis concepts beyond the use of the development environment. Static analysis is performed in the context of development, allowing programmers to utilize and influence such analysis during their program construction. The goals of this research are to bring programmers into the security loop, improving their ability to detect, understand, and prevent vulnerabilities; and utilize the programmer's contextual knowledge to drive customized static analysis, detecting software vulnerabilities that are difficult to detect using current static analysis techniques.
