US software security study takes off

The Air Force Research Laboratory has awarded Network Associates a $1.8m (£1.13m) contract to support research that may have widespread implications for the future of government and private sector cybersecurity.

The contract is part of the Software Protection Initiative (SPI), a government programme focusing on cutting-edge technologies to protect critical software that supports national and defence capabilities.

The research being planned for the programme is also likely to benefit the private sector.

The focus of one research project is to produce a secure development repository with the aim of developing information assurance techniques and malicious code-scanning capabilities for software production systems, said Pete Dinsmore, director of research operations at Network Associates Laboratories.

A second project will focus on protecting software from reverse engineering, which can be a critical weapon in the malicious hacker's arsenal. Using reverse-engineering techniques, tools such as disassemblers and decompilers can extract and exploit information about the design and operation of software.

Researchers from the Air Force and Network Associates plan to study the feasibility of constructing new defences against reverse engineering and embedding those defences in critical software.

"This is cutting-edge," said Dinsmore. "We're doing research to understand software obfuscation and de-obfuscation tools to understand how well a hacker can take apart the software you've created," he said.

"We're also developing a secure [change management] repository that can ensure that the code that comes out of the repository only goes to the people it's supposed to go to."

Alan Paller, director of research at the SANS Institute, said government funding of this type of research could have a significant spillover effect for the entire software and Internet industry. "Government funding of advanced research on code analysis tools could lead to valuable resources for everyone," he said.

Paller said many advanced hackers no longer study software code. Rather, they rely on automated tools that isolate places in the object code where buffer overflows and similar problems are possible. "Developers should use those same tools first and have access to the most sophisticated tools available to the hackers," said Paller.

IDC analyst Charles Kolodgy said that while the focus on reverse engineering was unique, it could be a double-edged sword.

"Many vendor vulnerabilities are discovered by people who take the code apart to look at it," he said.