Tech giant Oracle backs NZ bug-detecting study

Oracle has gifted Massey University's Associate Professor Jens Dietrich $60,000 to seek out bugs and security weaknesses in Java. Photo / Supplied

Tech giant Oracle has funded a bug-hunting Kiwi project targeting one of the world's most widely used programming languages.

The California-based corporation has gifted Massey University's Associate Professor Jens Dietrich $60,000 to seek out bugs and security weaknesses in Java, which is operated in 15 billion devices around the world in everything from Netflix and Android mobile apps to complex financial programs used by large companies.

When it comes to problems in the software, traditionally companies have worked on them and kept the solutions to themselves - but Oracle plans to share any that Dietrich discovers.

By allowing researchers to disseminate findings in journals, Dietrich said, other companies can use the information, meaning the problem is fixed in a smaller amount of time and firms save money by cutting out the commercialisation aspect.

"They need the tools, so they have found a way to get them faster and cheaper, which benefits everyone from the company to the consumer."

Dietrich has received close to $200,000 in grants from Oracle over his years working with Oracle.

"The security of our data on these web applications is a company's top priority, as they are often dealing with very sensitive information," he said.

"They use Java because it has a reputation for its security and ease of use, but they cannot catch all the bugs in their own code and therefore must go back and patch software as problems arise.

"Companies can do this themselves, but they often tap into external resources, like here at Massey, to find solutions or even find vulnerabilities and bugs that they never anticipated.

"Academic researchers can offer expertise that is often difficult for companies to find in-house, for instance, mathematical modelling and algorithm design."

His work focuses on modelling software as graphs which may be able to pinpoint what function in the software could be exploited.

This approach has been tried before, but existing research failed to produce algorithms that can deal with the complexity and size of real-world programs.

In 2015, Dietrich and Australian collaborators invented a novel algorithm to overcome these limitations.

He is now working on expanding this research to reduce the number of false alarms the algorithm may produce, and to use it on some of the largest enterprise-level programs in use.

"New Zealand companies could learn a lot from what companies like Oracle are doing.

"This isn't a contract, it's a gift in support of academic research that gives the researcher a significant amount of freedom.

"It benefits not only the company but the researcher as well, by tapping into a funding avenue that was previously closed."

Dietrich is also working on a new, more fundamental question - how to predict program behaviour.

His project proposal on "closing the gaps in static program analysis" was accepted as one of the SEED projects of the Science for Technological Innovation National Science Challenge last month.

"The project is the logical next step from the Oracle-funded projects: not only being able to find bugs and vulnerabilities in large, real-world programs, but trying to find all of them.

"This could then be used to design completely different tools.

"For instance, one could prove the absence of a certain type of vulnerability from a program and use this information to certify that a program is fit for safety-critical applications."