05 Feb 2019
Will Machine Learning Make Software More Secure?
Software vulnerabilities are very expensive when they're exploited. So is thoroughly analysing software to keep all vulnerabilities out. Widely used applications often have bugs which expose businesses to serious risks. Some of these bugs go undetected for years. Sometimes researchers discover them before anyone can exploit them for their own ends. Sometimes the crooks find them first.
Machine learning for vulnerability detection
Developers have limited time and resources when trying to make applications secure. They can't catch all the potential problems. However, machine learning may shift the balance in their favour. A report by the Defence Science and Technology Group examines the opportunities for using ML to make software safer.
Machine learning detects patterns in data and classifies it accordingly. It uses a variety of methods to spot clusters and outliers, building on previous data. It's divided into supervised learning, where it has outside guidance about classifications, and unsupervised learning, which builds the categories strictly on its own. In this case, the categories are parts of the code which are unlikely to be vulnerable and parts which look questionable.
Applying ML to software can take several approaches. It can analyse the source code, looking for places where it may not be handling inputs correctly. For instance, a function might not consider the possibility of a negative number as input and not have clearly defined behaviour if it gets one. ML analysis can look for code which appears to fall into such categories.
Another approach is to analyse running code. ML can test applications with inputs that stress vulnerable code and report the results. Using both source and runtime analysis will give the best coverage.
People tend to repeat their mistakes. ML tools can use previously discovered vulnerabilities as a guide to finding new ones. If developers have forgotten to consider a condition in one place, they may have done the same more than once.
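As an added illustration of the ideas in this section, not code from the report or from this post: a small triage script that takes one function with a known bug (no check for a negative offset or length, as in the example above) and ranks other functions by how closely their structure matches it, the "people repeat their mistakes" heuristic. It uses a deliberately simple AST-shape similarity in place of a trained model, and it suppresses candidates that already guard against negative input, which is the kind of false positive a reviewer would otherwise have to dismiss by hand. All sample functions are constructed.

```python
import ast

# Constructed sample corpus: one known-vulnerable function and three candidates.
KNOWN_VULNERABLE = """
def read_chunk(buf, offset, length):
    return buf[offset:offset + length]
"""
CANDIDATES = """
def read_record(data, start, size):
    return data[start:start + size]
def read_header(data, pos, count):
    if pos < 0 or count < 0:
        raise ValueError("negative offset or length")
    return data[pos:pos + count]
def greet(name):
    return "hello " + name
"""

def shape(fn):
    """Structural fingerprint: set of parent->child AST node-type pairs.
    Identifiers and literals are dropped, so renamed copies still match."""
    return {(type(p).__name__, type(c).__name__)
            for p in ast.walk(fn) for c in ast.iter_child_nodes(p)}

def has_negative_guard(fn):
    """True if any parameter is compared against 0 with < or <= in the body."""
    params = {a.arg for a in fn.args.args}
    for n in ast.walk(fn):
        if isinstance(n, ast.Compare) and isinstance(n.left, ast.Name) and n.left.id in params:
            for op, rhs in zip(n.ops, n.comparators):
                if isinstance(op, (ast.Lt, ast.LtE)) and isinstance(rhs, ast.Constant) and rhs.value == 0:
                    return True
    return False

def triage(known_src, candidates_src, threshold=0.5):
    """Map each candidate at least `threshold` Jaccard-similar to the known bug to (similarity, guarded)."""
    ref = shape(ast.parse(known_src).body[0])
    result = {}
    for fn in ast.parse(candidates_src).body:
        if isinstance(fn, ast.FunctionDef):
            s = shape(fn)
            sim = len(s & ref) / len(s | ref)
            if sim >= threshold:
                result[fn.name] = (round(sim, 2), has_negative_guard(fn))
    return result

def flagged(known_src, candidates_src):
    """Names a reviewer should look at first: similar shape, no guard."""
    return [n for n, (_, guarded) in triage(known_src, candidates_src).items() if not guarded]

# flagged(KNOWN_VULNERABLE, CANDIDATES) returns ['read_record']; read_header is
# structurally similar but guarded, and greet falls below the threshold.
```

The guard check is the "context" step: a reviewer still decides, but the script has already separated the likely repeat of the bug from the lookalike that was fixed.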
Fixing vulnerabilities
At first, developers would use these results as a guide. They'd look over code which ML flagged as possibly vulnerable and make the final decision themselves. Some reports will be false positives. A piece of code may look similar to another that has a bug, but it could be completely safe because the context is different. In other cases, a fix is necessary, but the right way to do it isn't obvious.
Eventually, though, ML systems will not only detect vulnerabilities but fix some of them. Automating more of the work will reduce the burden on developers and make code safer. A human reviewer should still have the final say, but in some cases the fix is obvious and machine corrections save effort.
The cybersecurity arms race
The downside is that once ML tools for finding vulnerabilities exist, criminals will get their hands on them. They'll use them to find weaknesses to exploit. Security expert Bruce Schneier has discussed the ramifications of this situation. He believes that in the long run, the tools will make code more secure. He even speculates that vulnerabilities will become a thing of the past.
However, this will happen only after using ML to check software becomes common practice. In the short term, people with malicious goals will use the tools to check existing software, and they will find exploitable bugs faster than ever. This will push developers into using the same tools.
Might this be bad news for open source software? When developers have exclusive access to their own source code, they can run vulnerability tests and others can't. If open-source developers neglect to use these tools to check their own code, anyone else can use them.
But perhaps software safety teams will start running vulnerability crawlers on GitHub and other open-source repositories, finding vulnerabilities and automatically filing bug reports on them. Repositories might start offering this as a service, or even requiring it to protect their own reputation.
It's hard to say how the future will play out. It's certain, though, that these tools will play a major role in the future of cybersecurity. The question is just which side can use them more effectively.
We can help you to make your cybersecurity the best it can be today and keep up with future developments. Contact us to find out how.