Software Security Lab
Why are software systems often insecure? Why is cyber-security a thing? The answers to these questions are more complex than you might expect. The fact remains that building software that is worthy of our trust is very difficult. Moreover, as software systems become pervasive and ubiquitous in modern society, dealing with the hard questions of cyber-security remains an important concern for the research community. In broad terms there are two main problems: making future software intrinsically trustworthy and improving our trust in existing software.
We are concerned with several aspects of cyber-security:
- Making the design and implementation of programming languages secure by default;
- Demonstrating the insecurity of existing software through software security testing, facilitating its repair.
What differentiates the Software Security Lab from other cyber-security labs is our focus on security testing at scale. For example, industrial fuzzing involves testing software using a large number of cores. How do we make this process as smart as possible? How do we efficiently share information between processes and coordinate the search for bugs? What clever things can you do before you start fuzzing to maximise the bug yield from your campaign? How do you automate the triage of thousands of unique crashes from a campaign into a set of useful bug and vulnerability reports? There are many open questions here and fuzzing is only one of many security evaluation techniques.
Software security evaluations are complex and difficult. Until we have usable systems that have formal guarantees of security, we need to rely on security testing. We need to make testing as automated, effective and easy as possible to do at scale if our software systems are to be worthy of our trust.
The Software Security Lab holds a fortnightly reading group where we discuss a cyber security research paper over (free) pizza.
Details are as follows:
- When: Every second Wednesday, 12PM (starting 31st July 2019)
- Where: CSIT N224, Computer Systems Area
- Who: Anyone, regardless of their background, with an interest in cyber security (in particular, software security)
To get more information, register on our mailing list.