Oracle's $60,000 gift to Kiwi bug researcher about sharing knowledge with the world
Oracle has given one Massey University researcher US$44,000 (NZ$60,866) to find security vulnerabilities and bugs in the Java programming language.
Associate Professor Jens Dietrich, from the School of Engineering and Advanced Technology, has been working closely with Oracle to find vulnerabilities since 2014.
He has received around US$144,000 (NZ$198,000) since 2014 for his efforts, but the catch is that its monetary gifts are to help share the findings with the world.
Traditionally organisations keep bug and vulnerability findings for themselves, but Oracle and Dietrich have taken a different approach.
Oracle Labs provides funds to researchers so that their findings can be shared – be it via research papers or even by open source software.
Dietrich says the work is “Like creating your own puzzles and then solving them”.
“The security of our data on these web applications is a company’s top priority, as they are often dealing with very sensitive information. They use Java because it has a reputation for its security and ease of use, but they cannot catch all the bugs in their own code and therefore must go back and patch software as problems arise,” Dietrich explains.
“Companies can do this themselves, but they often tap into external resources, like here at Massey, to find solutions or even find vulnerabilities and bugs that they never anticipated. Academic researchers can offer expertise that is often difficult for companies to find in-house, for instance, mathematical modelling and algorithm design.”
Dietrich turns software into graphs, which he uses to pinpoint what functions in the software may be prone to exploits. While others have tried a similar approach, those algorithms couldn’t deal with neither the complexity nor the size of real-world programs.
Two years ago, he and a team of researchers from the University of Sydney came up with an algorithms that overcame those limitation. He’s now using that algorithm in practice to reduce false detection alarms in some of the largest enterprise programs.
He believes that New Zealand businesses could learn from what Oracle is doing in terms of supporting research.
“This isn’t a contract, it’ a gift in support of academic research that gives the researcher a significant amount of freedom. It benefits not only the company but the researcher as well, by tapping into a funding avenue that was previously closed,” Dietrich says.
He is also working on a project that aims to predict program behaviour in a proposal called ‘Closing The Gaps in Static Program Analysis’, which was recently accepted as one of the Science for Technological Innovation National Science Challenge’s SEED projects.
“The project is the logical next step from the Oracle-funded projects: not only being able to find bugs and vulnerabilities in large, real-world programs, but trying to find all of them. This could then be used to design completely different tools. For instance, one could prove the absence of a certain type of vulnerability from a program and use this information to certify that a program is fit for safety-critical applications,” Dietrich concludes.