UIC to lead $3M initiative to develop system to identify, patch software security holes
The University of Illinois at Chicago will lead a $3 million project funded by the Defense Advanced Research Projects Agency to design, develop and evaluate a system that will identify security vulnerabilities in web software. UIC will receive $1.4 million of the funding, and the rest will support co-investigators at the University of Texas at Dallas and The Johns Hopkins University. The system will spot security weaknesses in the millions – sometimes billions – of lines of code that run websites including banking and online shopping which are attractive to hackers.
Once identified by the system, called GAMEPLAY (for Graph Analysis for Mechanized Exploit-generation and vulnerability Patching Leveraging human Assistance for improved Yield), the vulnerabilities will be automatically probed to determine whether they really could be leveraged by hackers. GAMEPLAY will then generate patches for these vulnerabilities, known as “exploits” to computer scientists.
“GAMEPLAY addresses a pressing need in both government and industry for more rapid vulnerability identification and patching response strategies that can scale with the increasing speed and scope of modern cyber-warfare campaigns that target networked software,” said Venkat Venkatakrishnan, professor of computer science in the UIC College of Engineering and principal investigator on the grant.
“GAMEPLAY is intended to be used by cybersecurity analysts, software developers and other professionals interested in identifying ‘exploits’ in software. It will run, for the most part, on its own but when an issue arises where a decision needs to be made, then a human will provide input to guide the system.”
Venkatakrishnan says that systems to scan and analyze code exist, but they can be expensive and may not provide total assurance because code is exceedingly complex and scanning it thoroughly presents a huge computational problem. GAMEPLAY will get around these issues by allowing for human input as the system runs.
“We want to create a system that allows software developers and security experts to be proactive by building a tool that will let them scan for potential problems in code that could provide an opening for hackers before the hackers have a chance to find the weaknesses themselves,” Venkatakrishnan said.
The system will be designed to be able to evaluate software written in several computer languages, including C, Python and JavaScript.
“GAMEPLAY will be built on a language-agnostic platform extensible to multiple computer languages,” Venkatakrishnan said.
The UIC team will be joined by computer scientists from Johns Hopkins and the University of Texas at Dallas to develop GAMEPLAY for these different computer languages.
The project will also include students at the graduate and undergraduate level who will have a chance to take part in constructing GAMEPLAY while learning about state-of-the-art digital security tools.
“The GAMEPLAY project will be rolled into several student classes on code analysis and vulnerability identification,” said Rigel Gjomemo, research assistant professor of computer science and associate director of UIC’s Electronic Security and Privacy: Technological, Human, Enterprise and Legal Considerations program. “Students may also participate in hacking competitions using what they’ve learned in these classes, giving them experience that they can bring to their future employers in the cybersecurity field.”