
Addressing software bugs

September 27, 2021

ASU tackles the problem of fixing software vulnerabilities through micropatching

From the recent Facebook data breach of over 500 million accounts, to stories of hackers getting into family homes through baby monitors, we are constantly bombarded by headlines of hackers taking advantage of security vulnerabilities in the software we use every day.

The truth is, humans create software, and humans are imperfect. Sometimes developers accidentally introduce a bug that leaves the software vulnerable to attacks. As soon as a company or software developer discovers a vulnerability that could harm the user or leak data, the critical solution is to provide a fix as soon as possible. This is where patching comes in.

Patching can be thought of as a fix for computer software or a program, kind of like duct tape around a loose wire to prevent wiggling. We are all familiar with the alerts on our devices from Apple or Microsoft asking us to update our systems. One of the best things a user can do is to install those updates as soon as possible, protecting against those known vulnerabilities. There are helpful mechanisms in place, such as automatic software updates — an automated safety feature on most commonly used internet browsers.

However, software updates are not the only solution needed.

“What happens if the software company no longer exists? How and who can fix those bugs?” asks Adam Doupé, director of the Center for Cybersecurity and Digital Forensics, part of the Global Security Initiative at Arizona State University. “What if the company goes bankrupt and somebody finds a bug — a vulnerability that allows a remote hacker to have access to your system? How do we actually fix those problems?”

ASU is tackling this problem through a four-year Defense Advanced Research Projects Agency (DARPA) contract awarded to the center, which is contributing research and development efforts to the Assured Micropatching program (AMP). We spoke to Doupé about the importance of this research and the impact it provides.

What is a micropatch?

A micropatch is a small patch that fixes one vulnerability without jeopardizing functionality.

“The goal of a micropatch is to figure out how to reduce the size of the patch so that we change few parts of the program,” says Doupé, who is also an associate professor in ASU’s School of Computing and Augmented Intelligence. “Ultimately, we want to increase our confidence that we will not break the functionality of the application — the less you change, the less you have to worry about in terms of collateral damage.”

What is the Center for Cybersecurity and Digital Forensics bringing to the table?

The center has put together VOLT (a Viscous, Orchestrated Lifting and Translation framework), which aims to reverse engineer the software it is applied to so that efficient and effective patches can be created.

“I have worked on software reverse engineering for over 10 years, and much to my surprise, no one has created techniques to make effortless binary patching possible,” says Ruoyu (Fish) Wang, the lead project investigator of the Assured Micropatching project. “Our VOLT framework, upon success, will be the first of its kind that enables easy bug fixing on deployed software. This capability will mean a lot to both industry and national security. We really appreciate DARPA’s interest in supporting our research on this front.”

One of the core strengths of the Center for Cybersecurity and Digital Forensics is “angr” — an open-source framework created and founded by core center researchers Yan Shoshitaishvili and Wang, with the goal of analyzing binary code to learn about what the program it’s being applied to does. Shoshitaishvili and Wang will lead a team of researchers to significantly improve the state of the art of binary decompilation techniques (transforming a binary program back into readable and understandable source code). As the technical foundation of VOLT, these techniques will enable sound and faithful translation between binary code and their corresponding decompilation output.

“The ‘angr’ framework enables us to perform ‘binary analysis,’ which is able to take the ones and zeros of a binary program and allows us to make sense of what the program does,” says Doupé. “On HACCS (Harnessing Autonomy for Countering Cyberadversary Systems), an additional DARPA program we’re involved with, we use ‘angr’ to automatically identify and exploit bugs in a binary program.”

How can this improve defense in the United States?

Imagine this scenario: A modern warfare vehicle, like a tank, has software that runs a vast number of components — from movement mechanisms and the speed of the tread to directional navigation and targeting technology.

“We would not want a security vulnerability that exists (for example) in the wireless communications that allows someone to jam or shut down your systems,” says Doupé. “In this context, it would be very impactful if the tanks were all down while systems reboot. It’s frustrating enough in our everyday lives, let alone within the setting of warfare — it could be catastrophic.

“Governments buy these systems and related software, procure contracts with various companies that build those binary systems to specification and run them. However, even if the government gains access to the source code, they may not have the tool chain of how to build and recompile them. The goal of AMP is to completely automate this process, through mathematical proofs and testing.”

Another challenge from a security perspective is that some control systems still run on Windows 98, an operating system that hasn’t been updated in over a decade. The operating system has accrued a vast history of vulnerabilities and known exploits, which makes securing such a system difficult.

On a national level, the Department of Defense is very interested in this type of research.

“The DOD has a lot of manpower that they can direct at a problem, but the flipside is understanding what kind of things they don’t necessarily have power over,” says Doupé. “The key to addressing any security problem is, once identified, you need to actually act on it. One of the key concepts of security is if you find something, you should assume that someone else — say, your adversary — can find it as well.”

What is the problem and the solution?

In general, software and device manufacturers do a good job of fixing problems as they come up, but there are areas where consumers are more vulnerable.

Under DARPA Assured Micropatching, the Center for Cybersecurity and Digital Forensics team is developing new automated methods for “understanding” the machine-readable form of software, reversing the translation process, and generating human-readable source code. They can then repair small segments of code, retranslate the repaired segments and integrate them back into the deployed software. This will allow the team to address security issues in deployed mission-critical software in a timely, cost-effective and scalable manner.

“Operating systems, cellphones, web browsers — all typically have very good systems for pushing out patches, as everyone understands the security importance,” says Doupé. “Phones are another great example where companies are efficient with deploying fixes. Yes, you may be unable to use your phone for a short while, but it’s really important to keep it up to date.”

But not all fixes come to your attention, and not all of them are in your control. For example, when was the last time you updated your Wi-Fi router for security vulnerabilities? And what if the vendor of a product you use over Wi-Fi no longer supports your router? This puts you in a difficult position because you cannot personally apply a fix.

“Ultimately, there should be changes at the policy level to handle cases of companies willingly selling a system that has known security vulnerabilities. They should not have the choice to simply not update software,” says Doupé. “Regulators and policymakers should be thinking about the exact aspect of companies going bankrupt, or no longer supporting the security updates on people’s devices.

“It’s worse from a security perspective if the device works but never receives updates, especially home-based devices that connect to other systems. From the individual level, it’s difficult. My recommendation is to enable automatic updates on every system possible, thus doing your bit for cyber hygiene.

“The unfortunate thing here is that this puts more burden on the consumer to do that research.”

Oliver Dean

Communications Specialist, Global Security Initiative

480-727-4419

Late professor’s legacy remembered with memorial, exhibit

David William Foster was a Regents Professor of Spanish and women and gender studies


September 27, 2021

The School of International Letters and Cultures recently held a memorial in honor of David William Foster, a Regents Professor of Spanish and women and gender studies who died last year at the age of 79.  

Foster joined Arizona State University 55 years ago and helped build the Spanish and Portuguese programs that are now housed in the School of International Letters and Cultures. Over the course of his career, he published more than 50 book-length, single-authored critical studies, bibliographies and anthologies, and over 35 edited and co-edited anthologies.

[Image: A small crowd of professors, alumni and other members of the ASU community sit at round tables facing a screen hanging on the wall. A person stands at a lectern in front of the screen.]

The memorial in Old Main on the Tempe campus, held the day before what would have been Foster’s 81st birthday, had in-person attendees and was also livestreamed on the school's YouTube channel. Remembrances from Foster’s former colleagues and students continued after the event concluded as members of the school community shared stories of the beloved professor.  

“The memorial for David was a great success,” Spanish Professor Carmen Urioste-Azcorra said. “It served as a homecoming for many doctoral students who worked with David since the early '70s, and we had presentations and messages from three different Latin American countries that David knew very well: Mexico, Brazil and Argentina.” 

Edurne Beltrán de Heredia Carmona, an assistant professor at Coastal Carolina University in South Carolina, worked closely with Foster during her Spanish PhD studies at ASU. Beltrán graduated from ASU in summer 2021.  

“Working with Dr. Foster meant always having a second opportunity for everything (and a third one, too),” Beltrán said. “I will always remember what he told me the last time we met in person: ‘Always stay by the side of your students and support them, even when you know they aren’t always right.’” 

An exhibit celebrating Foster’s life and career is now open in the lobby of Hayden Library. The exhibit includes a short biography of Foster, shelves of books he wrote and other texts relevant to his studies and photographs from his life. It features furniture like a desk and several chairs along with potted plants to make students feel at home and replicate “the unique experience of working with him in his office,” said Seonaid Valiant, curator for Latin American studies at the ASU Library.  

The walls of Foster’s office were covered in posters, and he had numerous bookcases placed back to back and packed full of books, Valiant said. The exhibit is designed to mimic the atmosphere of his office, a place of deep thinking that reflected the personality of the man who occupied it.  

The exhibit “helps all visitors visualize David at work: His desk — like the one in the library — was always perfectly organized, and the office walls were covered with pictures and film posters,” Urioste-Azcorra said. “By virtue of his immense critical production, he was a strong magnet for prospective students. He always had an open-door office policy that made him easily accessible for everybody.” 

Beltrán echoed this experience of feeling welcome in Foster’s office at any time. 

“One of the things from Dr. Foster that will always stay with me is the supportive attitude that he always offered to each and every student,” she said. “Countless times we would walk into his office with all kinds of problems or issues, he would listen carefully and offer a quick, easy solution for us, followed by a funny joke that would make us leave his office motivated.” 

Students, faculty, staff and other members of the greater ASU community can view the exhibit during library hours now through Dec. 1. 

The memorial and library exhibit are just two examples of the many ways ASU is continuing to celebrate Foster’s legacy. The ASU Library has also acquired the David William Foster Papers, Valiant said. They are currently processing 27 boxes of his research material on cultural studies in Latin America. 

Donations are being accepted for the Foster Latin American Research Fellowship Endowment, which supports graduate students completing work in Latin American studies with funding for their travel, housing and other expenses while they conduct research beyond ASU. 

A student lounge was dedicated in Foster’s name in the new Durham Hall building, which houses the School of International Letters and Cultures. And next fall, the inaugural David William Foster Memorial Lecture will be held thanks to a generous donation from his wife, Virginia Ramos Foster.  

“David was an extraordinary human being and scholar, a real mensch with an outstanding mind,” school Director Nina Berman said. “He built and put the Spanish and Portuguese section at ASU on the map, and we are excited that we are able to honor his legacy.”

Kimberly Koerth

Content Writer, School of International Letters and Cultures