Imagine someone handing you a cake — multilayered and chocolatey with vanilla icing — and asking you to figure out the recipe as well as the origin of the ingredients.
Seems like an impossible task, right?
But that process of having the end product and working backward is similar to the research that Assistant Professor Aravind Prakash does with computer software. And yes, it can be as challenging as it sounds.
Prakash — a Department of Computer Science faculty member at Binghamton University’s Thomas J. Watson College of Engineering and Applied Science since 2015 — uses binary analysis techniques to understand the inner workings of software and to identify potential holes that could let hackers in.
“One problem with software today is having bugs in the programs that can lead to vulnerabilities,” he said. “There is a pressing need for accountability of software that we use. Although we use software by a particular vendor, the actual coding may have been outsourced to a third party, or parts of the code may have been borrowed from open-source projects. When we factor in countries or other actors with a vested interest in intentionally introducing vulnerabilities into software, it becomes extremely important to establish provenance.
“When programmers write code, more often than not they make mistakes — even good programmers do. Modern systems are very complex. There is a lack of clarity with the different layers involved, and that can translate into vulnerabilities and mistakes in code.”
Because defenders often don’t have access to the original source code for proprietary reasons — software companies want to keep their trade secrets, after all — analysis of the industry-mandated application binary interface (ABI) can give consumers better information for judging the security of the software.
To further his research, Prakash recently received a five-year, $499,893 National Science Foundation CAREER Award for his project “Binary-Level Security via ABI-Centric Semantic Inference.” The CAREER Award supports early-career faculty who have the potential to serve as academic role models in research and education.
Prakash first became interested in binary analysis while earning his PhD at Syracuse University.
“It is one of the harder topics in computer science,” he said. “You have very little information to go by. In principle, the binary contains all the information a processor needs, but what the processor consumes is very different than what humans can make sense out of. We call this the semantic gap — what raw bytes are actually present versus what they actually mean.”
One reason security issues can be present in computer code is that software developers are sometimes more focused on completing a project quickly than on exploring all the possible cracks that can let hackers into a system.
“All in all, the system is not set up to incentivize and promote developer awareness for secure coding,” he said. “When that happens, the onus comes down on the consumer. If I am running a hospital or university and I’m in charge of deciding what software goes on my systems, it becomes my responsibility to secure my property, infrastructure and data. Passing the buck on to the software vendor is simply not an option.”
Binary analysis can also be an important tool for customers who want vendors to add new functionality to existing software.
“A developer often has to decide: Is this new functionality going to help all of my other customers, and is it worth the money I put in to develop this functionality?” he said. “They may or may not oblige the request. So the choice for the customer becomes difficult: Do you move to another vendor because the software does not have this functionality? Can you do without it? Or can you do something where you get that functionality for yourself despite having a software vendor that is not willing to implement it?
“These problems become more pronounced when you have software that’s been running 20 or 30 years. You may not even have the source code, and you realize you need to change something.”
Receiving a CAREER Award is “a very, very humbling experience,” Prakash said. “When you have an organization such as the NSF recognize your research and show some trust and confidence in the work that you do, it’s an encouragement to pursue research along the path that you’ve taken. I’m very grateful.”
“Binary-Level Security via ABI-Centric Semantic Inference” is NSF award #2047205.