91社区

November 12, 2024
clear sky Clear 32 °F

Binary analysis research gets NSF CAREER Award funding

Assistant professor works backward to improve software security when coding is unavailable

Assistant Professor Aravind Prakash from the Department of Computer Science at 91社区鈥檚 Thomas J. Watson College of Engineering and Applied Science. Assistant Professor Aravind Prakash from the Department of Computer Science at 91社区鈥檚 Thomas J. Watson College of Engineering and Applied Science.
Assistant Professor Aravind Prakash from the Department of Computer Science at 91社区鈥檚 Thomas J. Watson College of Engineering and Applied Science. Image Credit: Jonathan Cohen.

Imagine someone handing you a cake 鈥 multilayered and chocolatey with vanilla icing 鈥 and asking you to figure out the recipe as well as the origin of the ingredients.

Seems like an impossible task, right?

But that process of having the end product and working backward is similar to the research that Assistant Professor Aravind Prakash does with computer software. And yes, it can be as challenging as it sounds.

Prakash 鈥 a Department of Computer Science faculty member at 91社区鈥檚 Thomas J. Watson College of Engineering and Applied Science since 2015 鈥 uses binary analysis techniques to understand the inner workings of a software and to identify potential holes that could let hackers in.

鈥淥ne problem with software today is having bugs in the programs that can lead to vulnerabilities,鈥 he said. 鈥淭here is a pressing need for accountability of software that we use. Although we use software by a particular vendor, the actual coding may have been outsourced to a third party, or parts of the code may have been borrowed from open-source projects. When we factor in countries or other actors with a vested interest in intentionally introducing vulnerabilities into software, it becomes extremely important to establish provenance.

鈥淲hen programmers write code, more often than not they make mistakes 鈥 even good programmers do. Modern systems are very complex. There is a lack of clarity with the different layers involved, and that can translate into vulnerabilities and mistakes in code.鈥

Because defenders often don鈥檛 have access to the original source code for proprietary reasons 鈥 software companies want to keep their trade secrets, after all 鈥 analysis of the industry-mandated application binary interface (ABI) can provide better information for consumers to decide the security of the software.

To further his research, Prakash recently received a five-year, $499,893 National Science Foundation CAREER Award for his project The CAREER Award supports early-career faculty who have the potential to serve as academic role models in research and education.

Prakash first became interested in binary analysis while earning his PhD at Syracuse University.

鈥淚t is one of the harder topics in computer science,鈥 he said. 鈥淵ou have very little information to go by. In principle, the binary contains all the information a processor needs, but what the processor consumes is very different than what humans can make sense out of. We call this the semantic gap 鈥 what raw bytes are actually present versus what they actually mean.鈥

One reason why security issues can be present in computer code is that software developers are sometimes more focused on completing a project quickly rather than exploring all the possible cracks that can let hackers into a system.

鈥淎ll in all, the system is not set up to incentivize and promote developer awareness for secure coding,鈥 he said. 鈥淲hen that happens, the onus comes down on the consumer. If I am running a hospital or university and I鈥檓 in charge of deciding what software goes on my systems, it becomes my responsibility to secure my property, infrastructure and data. Passing the buck on to the software vendor is simply not an option.鈥

Binary analysis also can be an important tool to help customers when they want vendors to add a new functionality to existing software.

鈥淎 developer often has to decide: Is this new functionality going to help all of my other customers, and is it worth the money I put in to develop this functionality?鈥 he said. 鈥淭hey may or may not oblige the request. So the choice for the customer becomes difficult: Do you move to another vendor because the software does not have this functionality? Can you do without it? Or can you do something where you get that functionality for yourself despite having a software vendor that is not willing to implement it?

鈥淭hese problems become more pronounced when you have software that鈥檚 been running 20 or 30 years. You may not even have the source code, and you realize you need to change something.鈥

Receiving a CAREER Award is 鈥渁 very, very humbling experience,鈥 Prakash said. 鈥淲hen you have an organization such as the NSF recognize your research and show some trust and confidence in the work that you do, it鈥檚 an encouragement to pursue research along the path that you鈥檝e taken. I鈥檓 very grateful.鈥

鈥淏inary-Level Security via ABI-Centric Semantic Inference鈥 is .