Computer Science News
New research project to prevent vulnerabilities in open-source software

10.03.2022  |  Research

A contribution from Press release

Paderborn University researchers partner with SAP

Freely available computer programs that every user can download, use, modify, and distribute are known as “open-source software”. The idea is that the collective knowledge of as many people as possible will constantly optimize the programs and help further develop them. They can be accessed in online databases. Nowadays, developers also often use the databases to source individual software modules that they need for a new application, rather than developing them themselves from scratch. For instance, they could use a fully programmed module for their payment processes in an online shop. The problem? Because of the dynamic nature of freely available content, vulnerabilities are constantly popping up in the downloaded modules. Just recently, a security gap in a widely used open-source software program allowed users with criminal intent to insert harmful instructions into the program. If the affected companies had not responded quickly, criminals would have been able to access the servers of internet giants like Apple and Amazon. In order to minimize this risk, researchers from the Department of Computer Science and the Heinz Nixdorf Institute at Paderborn University are collaborating on a research project with software company SAP SE. The goal is to develop tools that can identify and eliminate potential vulnerabilities in open-source applications, even where the available information has so far been inadequate. The project was launched in September and will run for three years. It is receiving just under 500,000 euros in funding from the German Research Foundation (DFG).

Identifying potential risks even without the source code

The transfer project builds on the work of Collaborative Research Center 901, “On-The-Fly Computing,” in which researchers from Paderborn University have been working since 2011 to automatically configure and provide customized IT services. Now the computer scientists are hoping to transfer techniques from quality control for services to the field of open-source software. “There are already tools that can identify vulnerabilities in open-source software, but only if the source code is available. The source code is written in a programming language that can be read by humans. It must first be translated into machine code by certain programs in order to give the computer the individual instructions,” explains Stefan Schott, a research associate in the “Software Engineering” specialist group led by Prof. Dr. Eric Bodden. Since open-source software is used and further developed in a collaborative way, its exact source code is often not immediately available. When different developers modify it and then translate it to machine code, the human-readable code is lost. Without this information, says Schott, it is not currently possible to identify the origin of the weak points. “The objective of our work is to develop a process chain that allows people to identify, evaluate, and eliminate vulnerabilities in open-source software even without the source code,” says Schott. In addition, the researchers want to explore measures that will minimize weak points and also be effective against as-yet-unknown risks.

A focus on industrial practice

The partnership with SAP SE will foreground the practical use of these newly developed technologies. “The many years of experience and outstanding achievements of Professor Bodden and the ‘Secure Software Engineering’ specialist group in terms of software security create outstanding conditions for the project to be a success,” says Volkmar Lotz, Head of SAP Security Research, with optimism. “We have the right partner on our side, so we can test the effectiveness of our research results in a real-life environment. That is especially important in this project,” concludes Schott.

Contact

Stefan Schott

Secure Software Engineering / Heinz Nixdorf Institut

+49 5251 60-6568

Department of Computer Science

Warburger Str. 100
33098 Paderborn
Germany