Jones Seminar: Why Johnny and Janie Can’t Code Safely—Bringing Software Assurance to the Masses

Barton Miller, Professor of Computer Sciences, University of Wisconsin-Madison

Friday, May 17, 2019, 3:30–4:30pm

Rm. 100 (Spanos Auditorium), Cummings Hall

While academia and industry are furiously working on techniques to reduce the number of vulnerabilities in software, we continue to get slammed by exploit after exploit. The reasons for this situation are myriad, including a lack of training, awareness, and economic incentives on the part of the developers; complex and only partially useful tools from the assurance tool community; legal barriers to transparency in reporting of software problems and describing the quality of software assurance tools; a confusing regulatory landscape with few standards; and a lack of effective curriculum at most universities for students learning software skills.

As a step towards improving the state of software assurance tools in the marketplace and increasing the adoption of software assurance practices by programmers, the U.S. Department of Homeland Security funded a multi-year project to establish the Software Assurance Marketplace (SWAMP). The core service of the SWAMP is an open (free) facility where programmers can bring their software to be run against a large suite of both commercial and open source assessment tools. I will provide a brief description of the SWAMP and how you can use it in your research project, class, or product development.

A further step in software security is conducting in-depth vulnerability assessments. I will describe our more than a decade of experience developing a methodology for such assessments and conducting many real-world assessments of software systems. Over time, we have reframed the software security problem, influencing the way that we assess systems. In this formulation, we have shifted our focus from protecting the assets or confidentiality of data to the mission continuity (or what the Navy calls “fighting forward”).

As part of this in-depth assessment activity, we have recently moved into an area of critical global security, maritime shipping, and applied our vulnerability assessment techniques to software in that area, resulting in major security improvements to that sector. Global container shipping is responsible for 90% of the world’s commerce and is highly computerized, following a complex network of government and commercial intermediaries. Interrupting service at just one port can cost billions of dollars per day in direct loss. Previously, there have been extensive studies of the risks involved in shipping, but never an actual evaluation of real threats and vulnerabilities. We are the first group to conduct such a vulnerability assessment of operational software, resulting in the identification of serious vulnerabilities (a scary situation) and development of remediations for those vulnerabilities (hopefully reducing the fright).

Last, I will discuss some legal hazards that prevent us from reporting many vulnerabilities and, even more problematic, reporting on the quality and capabilities of the commercial assessment tools that we need to help secure our software.

About the Speaker

Barton Miller is the Vilas Distinguished Achievement Professor, and Amar & Belinder Professor of Computer Sciences at the University of Wisconsin-Madison. He is also Chief Scientist for the DHS Software Assurance Marketplace (SWAMP) research facility, leads the software assurance effort for the NSF Cybersecurity Center of Excellence (TrustedCI), and co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation, extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations.

In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth) founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation". Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation.

Miller was the chair of the IDA Center for Computing Sciences Program Review Committee, a member of the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee, and has been on the U.S. Secret Service Electronic Crimes Task Force (Chicago Area). Miller is a Fellow of the ACM.

For more information, contact Marge Heggison at marge.heggison@dartmouth.edu.