Story image

Oracle's $60,000 gift to Kiwi bug researcher about sharing knowledge with the world

29 Aug 2017

Oracle has given one Massey University researcher US$44,000 (NZ$60,866) to find security vulnerabilities and bugs in the Java programming language.

Associate Professor Jens Dietrich, from the School of Engineering and Advanced Technology, has been working closely with Oracle to find vulnerabilities since 2014.

He has received around US$144,000 (NZ$198,000) since 2014 for his efforts, but the catch is that its monetary gifts are to help share the findings with the world.

Traditionally organisations keep bug and vulnerability findings for themselves, but Oracle and Dietrich have taken a different approach.

Oracle Labs provides funds to researchers so that their findings can be shared – be it via research papers or even by open source software.

Dietrich says the work is “Like creating your own puzzles and then solving them”.

 “The security of our data on these web applications is a company’s top priority, as they are often dealing with very sensitive information. They use Java because it has a reputation for its security and ease of use, but they cannot catch all the bugs in their own code and therefore must go back and patch software as problems arise,” Dietrich explains.

“Companies can do this themselves, but they often tap into external resources, like here at Massey, to find solutions or even find vulnerabilities and bugs that they never anticipated. Academic researchers can offer expertise that is often difficult for companies to find in-house, for instance, mathematical modelling and algorithm design.” 

Dietrich turns software into graphs, which he uses to pinpoint what functions in the software may be prone to exploits. While others have tried a similar approach, those algorithms couldn’t deal with neither the complexity nor the size of real-world programs.

Two years ago, he and a team of researchers from the University of Sydney came up with an algorithms that overcame those limitation. He’s now using that algorithm in practice to reduce false detection alarms in some of the largest enterprise programs.

He believes that New Zealand businesses could learn from what Oracle is doing in terms of supporting research.

“This isn’t a contract, it’ a gift in support of academic research that gives the researcher a significant amount of freedom. It benefits not only the company but the researcher as well, by tapping into a funding avenue that was previously closed,” Dietrich says.

He is also working on a project that aims to predict program behaviour in a proposal called ‘Closing The Gaps in Static Program Analysis’, which was recently accepted as one of the Science for Technological Innovation National Science Challenge’s SEED projects.

“The project is the logical next step from the Oracle-funded projects: not only being able to find bugs and vulnerabilities in large, real-world programs, but trying to find all of them. This could then be used to design completely different tools. For instance, one could prove the absence of a certain type of vulnerability from a program and use this information to certify that a program is fit for safety-critical applications,” Dietrich concludes.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.