We live in an age of software problems with catastrophic consequences. An extra goto in Apple’s SSL implementation comprised certificate checks for the better part of a year. An erroneous integer conversion in the Ariane 5 launch destroyed the European Space Agency rocket and its cargo valued at 500 million dollars. Often the problem is just a few lines of code and looking for it is like searching for a needle in the haystack. Moreover the problems are often so subtle that it is difficult to tell if the problem is intentionally malicious or an honest mistake. The traditional approach to malware detection fails to detect such catastrophic problems. To make matters worse, the problem can remain dormant and can easily evade testing. The recently exposed Heartbleed problem in OpenSSL has existed since 2011. It is an open challenge to discover these subtle but catastrophic problems in software. In this talk, Iowa State University researchers involved with DARPA’s Automated Program Analysis for Cybersecurity (APAC) project will discuss their approach to address this challenge. This approach enables a unique combination of automated software analysis and human intelligence. The approach will be concretely demonstrated by its use to detect subtle problems in Android applications.
Venue: Derbycon 4.0, Louisville, Kentucky, September 2014.
Authors: Benjamin Holland, Suresh Kothari
Slides (PDF): A_Bug_or_Malware-DERBYCON4.0-slides.pdf