Government-backed software security study takes off

Computerworld - The Air Force Research Laboratory this week awarded Santa Clara, Calif.-based Network Associates Inc. a $1.8 million contract to support research that may have widespread implications for the future of government and private-sector cybersecurity.
The contract is part of the Software Protection Initiative (SPI), a government program focusing on cutting-edge technologies to protect critical software that supports national and defense capabilities. However, the research being planned for the program could clearly benefit the private sector as well, experts said.
The focus of one research project is to produce a secure development repository with the overall goal of developing information assurance techniques and malicious-code scanning capabilities for software production systems, said Pete Dinsmore, director of research operations at Network Associates Laboratories. These techniques and capabilities will enhance software development security and cut down on software vulnerabilities, he said.
A second project will focus on protecting software from reverse-engineering -- which can be a critical part of the malicious hacker's tool box. Using reverse-engineering techniques, tools such as disassemblers and decompilers can extract and exploit information about the design and operation of software. Researchers from the Air Force and Network Associates plan to study the feasibility of constructing new defenses against reverse-engineering and embedding those defenses in critical software.
"This is cutting-edge," said Dinsmore. "In one case, we're doing research to understand software obfuscation and deobfuscation tools to understand the state of the art in how well a hacker can take apart the software you've created," he said.
"We're also focusing on advancing the state of the art in developing software by developing a secure [change management] repository that can ensure that the code that comes out of the repository only goes to the people it's supposed to go to, and only the code that was supposed to go into [the application] was actually integrated."
Alan Paller, director of research at the SANS Institute in Bethesda, Md., said government funding of this type of research could have a significant spillover effect for the entire software and Internet industry. "Government funding of advanced research on code analysis tools could lead to valuable resources for everyone," he said.
Paller said many advanced hackers no longer study software code. Rather, they rely on automated tools that isolate places in the object code where buffer overflows and similar problems are possible. "Developers should use those same tools first and have access to the most sophisticated tools available to the hackers," said Paller.
Charles Kolodgy, an analyst at IDC in Framingham, Mass., said that while the focuson reverse-engineering is unique, it can be a double-edged sword.
"Many vendor vulnerabilities are discovered by people who take the code apart to look at it," he said.

Read more about security in Computerworld's Security Knowledge Center.