Institute for CyberScience co-hire hunts security flaws in software

UNIVERSITY PARK, pa. — Whether someone is streaming an episode of their favorite show on their laptop or banking online, software systems are unavoidable. While the use of software has grown dramatically over the past two decades, these systems are not always secure.

Gang Tan sits at his desk gazing at his computer, deeply involved in his work. An associate professor for the department of computer science and engineering and an Institute for CyberScience (ICS) co-hire, Tan spends his time researching software issues within systems such as web browsers, web servers and operating systems that can compromise user security.

“Anyone who uses a computer can be affected by software bugs. An old 2002 study estimated that buggy software costs $60 billion annually,” Tan said.

The price of buggy software is considerably higher now than it was in 2002. A 2016 study by the Austrian software testing firm Tricentis estimates the expenses are now $1.1 trillion. These errors can affect various government organizations or industries such as the automotive, aerospace, and financial sectors. To avoid these expensive problems and improve security, detection of errors is pertinent.

Utilizing high-performance computing, Tan and his colleagues at the Security of Software lab are constructing tools to lessen the impact of software errors in society.

Bugging out

“People demand new features from software systems to be added instantaneously with a fancy user interface, but there is no way to build correct systems automatically. This is where human error comes into play,” Tan said. “Software engineers have to build these systems, so the process is error-prone.”

Bugs — errors, failures or faults in code — can cause a computer program or system to produce an incorrect or unanticipated result, or to perform in unintentional ways.

Tan asserted that software engineers are bound to make mistakes. On average, he said, there is one bug for every 1,000 lines of code. Programmers test the behavior of their code, but even extensive testing can’t get rid of all the bugs.

Some bugs aren’t so serious and will simply cause a computer to crash, which can be fixed by rebooting the machine or the program. However, other bugs are critical because they allow malicious users to access personal information.

Take a browser, for example. When most people log into their email, they can see just their own messages. Only certain admin accounts can log into the email system and see all user information within the database.

“The problem can begin when the browser forgets to authenticate the user,” Tan said. “Some bugs may allow malicious users to bypass memory protection and log in as an admin user, which can permit them to access sensitive memory.”

A prominent case occurred in September 2017 when Equifax, a major credit reporting agency, was breached. Hackers were able to access the data of about 143 million Americans, including personally identifiable information such as Social Security numbers and driver’s license numbers.

Researchers can either employ dynamic testing or static analysis when trying to find errors, said Tan. For example, dynamic testing consists of executing programs and trying to find any possible errors while it is running, whereas static program analysis typically involves examining the source code for errors without running the program.

While useful, dynamic testing does not account for all situations that a user may encounter, which can allow bugs to hide in untested parts of code, said Tan. Oftentimes software bugs are not fixed before being released into the public. Rather, companies will release updates or patches later on.

Utilizing static analysis, Tan’s research aims to make software systems more secure by finding as many bugs as possible in software programs — bugs that dynamic testing might not uncover.

“Our tools take in a source code to abstract it, analyze it, and alert us to any potential errors or issues within the code that need to be reviewed,” Tan said. “Microsoft has adopted some static analysis methods, but it is still not as well-known as dynamic testing.”

When analyzing these massive amounts of code, Tan requires significant computational power. ICS provides access to the Advanced CyberInfrastructure (ICS-ACI) high-performance research cloud to Tan and other computation-enabled researchers at Penn State.  

His main focus is on the detection of the errors. Using Tan’s tools, software engineers are more likely to find errors and fix them before they are released.

“The biggest challenge I face is trying to engineer a system that is very efficient,” Tan said. “Any security program in the industry that slows down software by more than five percent will not be used.”

Tan asserted that we still lack the resources to understand how software will behave in every possible situation. This means that we can’t have total confidence in software security, he said.

“Currently, we build software but don’t have confidence in how it will run,” Tan said. “In an ideal world, we would know how it runs and where its weaknesses lie, along with its behaviors. We are working towards having a complete map.”

Tech wiz

Tan hasn’t always researched security, but computers have always been a part of his life.

Tan’s appreciation for computers and computer science began at a young age. He enjoyed computers so much that he joined a computer interest group when he was in middle school.

Computer science came naturally for him, Tan said. Throughout high school, he spent his spare time entering programming competitions. Tan’s successful competing record led to his national entrance exam for university being waived.

He received his bachelor's degree with honors from Tsinghua University in 1999, his master's from Princeton University in 2001, and his doctorate from Princeton in 2005, all in computer science.

Tan said it was when he became a faculty member that he realized the security domain had a lot of problems requiring solutions. He and his team enjoy their work because they are helping defend computer systems by designing software error detection, and in doing so, they are making a real-world impact.

“When it comes to technology, you make the universe and its laws because it is man-made. With other areas, such as physics, the laws are already made and you are trying to understand them. With computer science, you are only constrained by the hardware,” Tan said. “It is a fast-evolving field. Due to rapid changes, I need to learn new things, which I find very exciting.”

Media Contacts: 

Julian Fung

Work Phone: 

Technical Communications Specialist, Institute for CyberScience

Last Updated April 12, 2018