Story image

Oracle's $60,000 gift to Kiwi bug researcher about sharing knowledge with the world

29 Aug 2017

Oracle has given one Massey University researcher US$44,000 (NZ$60,866) to find security vulnerabilities and bugs in the Java programming language.

Associate Professor Jens Dietrich, from the School of Engineering and Advanced Technology, has been working closely with Oracle to find vulnerabilities since 2014.

He has received around US$144,000 (NZ$198,000) since 2014 for his efforts, but the catch is that its monetary gifts are to help share the findings with the world.

Traditionally organisations keep bug and vulnerability findings for themselves, but Oracle and Dietrich have taken a different approach.

Oracle Labs provides funds to researchers so that their findings can be shared – be it via research papers or even by open source software.

Dietrich says the work is “Like creating your own puzzles and then solving them”.

 “The security of our data on these web applications is a company’s top priority, as they are often dealing with very sensitive information. They use Java because it has a reputation for its security and ease of use, but they cannot catch all the bugs in their own code and therefore must go back and patch software as problems arise,” Dietrich explains.

“Companies can do this themselves, but they often tap into external resources, like here at Massey, to find solutions or even find vulnerabilities and bugs that they never anticipated. Academic researchers can offer expertise that is often difficult for companies to find in-house, for instance, mathematical modelling and algorithm design.” 

Dietrich turns software into graphs, which he uses to pinpoint what functions in the software may be prone to exploits. While others have tried a similar approach, those algorithms couldn’t deal with neither the complexity nor the size of real-world programs.

Two years ago, he and a team of researchers from the University of Sydney came up with an algorithms that overcame those limitation. He’s now using that algorithm in practice to reduce false detection alarms in some of the largest enterprise programs.

He believes that New Zealand businesses could learn from what Oracle is doing in terms of supporting research.

“This isn’t a contract, it’ a gift in support of academic research that gives the researcher a significant amount of freedom. It benefits not only the company but the researcher as well, by tapping into a funding avenue that was previously closed,” Dietrich says.

He is also working on a project that aims to predict program behaviour in a proposal called ‘Closing The Gaps in Static Program Analysis’, which was recently accepted as one of the Science for Technological Innovation National Science Challenge’s SEED projects.

“The project is the logical next step from the Oracle-funded projects: not only being able to find bugs and vulnerabilities in large, real-world programs, but trying to find all of them. This could then be used to design completely different tools. For instance, one could prove the absence of a certain type of vulnerability from a program and use this information to certify that a program is fit for safety-critical applications,” Dietrich concludes.

Kiwis know security is important, but they're not doing much about it
Only 49% of respondents use antivirus software and even fewer – just 19% -  change their passwords regularly.
Avi Networks: Using visibility to build trust
Visibility, also referred to as observability, is a core tenet of modern application architectures for basic operation, not just for security.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.