Paderborn scientists cooperate with SAP

Freely accessible computer programs that any user can download, use, modify and distribute - this is the idea behind so-called "open-source software". The collective knowledge of as many people as possible is used to continuously optimize and develop the programs. They can be accessed in web-based databases. Developers now often use this service to obtain individual software modules that they need for a new application from the database instead of developing them themselves from scratch. For example, they can use a pre-programmed module for the payment process in an online store in this way. The problem with this is that the dynamic nature of freely accessible content means that vulnerabilities repeatedly occur in the modules used. Only recently, a security hole in a widely used open-source software led to users with criminal intentions injecting malicious instructions into the program. If the affected companies had not reacted quickly enough, criminals could have gained access to the servers of Internet giants such as Apple or Amazon. To minimize this risk, scientists from the Institute of Computer Science and the Heinz Nixdorf Institute at the University of Paderborn have joined forces with the software company SAP SE for a research project. The goal is to develop tools that can detect and remove possible vulnerabilities in open-source applications even with previously insufficient information. The project, which will run for three years, was launched in September. It is funded by the German Research Foundation (DFG) with almost 500,000 euros.

Identifying potential risks even without source code

The transfer project builds on the work of the Collaborative Research Center 901 "On-The-Fly Computing", in which scientists at the University of Paderborn have been researching the automatic configuration and provision of individual IT services since 2011. Now the computer scientists want to transfer techniques from the quality control of services to the handling of freely accessible software. "There are already tools that can detect vulnerabilities in open-source software, but only if the so-called 'source code' is available. This is written in a programming language that can be read by humans. It must first be translated into machine code by certain programs in order to transmit the individual instructions to the computer," explains Stefan Schott, a research associate in the Secure Software Engineering group headed by Prof. Dr. Eric Bodden. Since open-source software is used and developed collaboratively, its exact source code is often not directly available. When different developers edit it and then translate it into machine code, the human-readable code is lost. Without this information, Schott says it is currently impossible to identify the origin of the attack points. "The goal of our work is to develop a process chain that makes it possible to detect, evaluate and remove vulnerabilities in open-source software even without the source code," Schott said. In addition, the scientists* want to research measures that minimize attack surfaces and are also effective in the case of still unknown risks.

Focus on industrial practice

Through the cooperation with SAP SE, the focus will be on the practical application of the newly developed techniques. "The many years of experience and the outstanding achievements of Professor Bodden and the specialist group 'Secure Software Engineering' in the field of software security offer excellent conditions for the success of the project," says Volkmar Lotz, Head of SAP Security Research, confidently. "We have the right partner at our side to test the effectiveness of our research results in a real environment. This is particularly important to us in this project," Schott concludes.