Story image

Oracle's $60,000 gift to Kiwi bug researcher about sharing knowledge with the world

29 Aug 2017

Oracle has given one Massey University researcher US$44,000 (NZ$60,866) to find security vulnerabilities and bugs in the Java programming language.

Associate Professor Jens Dietrich, from the School of Engineering and Advanced Technology, has been working closely with Oracle to find vulnerabilities since 2014.

He has received around US$144,000 (NZ$198,000) since 2014 for his efforts, but the catch is that its monetary gifts are to help share the findings with the world.

Traditionally organisations keep bug and vulnerability findings for themselves, but Oracle and Dietrich have taken a different approach.

Oracle Labs provides funds to researchers so that their findings can be shared – be it via research papers or even by open source software.

Dietrich says the work is “Like creating your own puzzles and then solving them”.

 “The security of our data on these web applications is a company’s top priority, as they are often dealing with very sensitive information. They use Java because it has a reputation for its security and ease of use, but they cannot catch all the bugs in their own code and therefore must go back and patch software as problems arise,” Dietrich explains.

“Companies can do this themselves, but they often tap into external resources, like here at Massey, to find solutions or even find vulnerabilities and bugs that they never anticipated. Academic researchers can offer expertise that is often difficult for companies to find in-house, for instance, mathematical modelling and algorithm design.” 

Dietrich turns software into graphs, which he uses to pinpoint what functions in the software may be prone to exploits. While others have tried a similar approach, those algorithms couldn’t deal with neither the complexity nor the size of real-world programs.

Two years ago, he and a team of researchers from the University of Sydney came up with an algorithms that overcame those limitation. He’s now using that algorithm in practice to reduce false detection alarms in some of the largest enterprise programs.

He believes that New Zealand businesses could learn from what Oracle is doing in terms of supporting research.

“This isn’t a contract, it’ a gift in support of academic research that gives the researcher a significant amount of freedom. It benefits not only the company but the researcher as well, by tapping into a funding avenue that was previously closed,” Dietrich says.

He is also working on a project that aims to predict program behaviour in a proposal called ‘Closing The Gaps in Static Program Analysis’, which was recently accepted as one of the Science for Technological Innovation National Science Challenge’s SEED projects.

“The project is the logical next step from the Oracle-funded projects: not only being able to find bugs and vulnerabilities in large, real-world programs, but trying to find all of them. This could then be used to design completely different tools. For instance, one could prove the absence of a certain type of vulnerability from a program and use this information to certify that a program is fit for safety-critical applications,” Dietrich concludes.

Partnership brings AI maths tutor to NZ schools
“AMY can understand why students make a mistake, and then teach them what they need straight away so they don't get stuck."
Polycom & Plantronics rebrand to Poly, a new UC powerhouse
The name change comes after last year’s Plantronics acquisition of Polycom, a deal that was worth US $2 billion.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
VoiP new-comer upgraded and ready to take on NZ
UFONE is an Auckland-based VoIP provider that has just completed a massive upgrade of its back-end and is ready to take on the market.
Online attackers abusing Kiwis' generosity in wake of Chch tragedy
It doesn’t take some people long to abuse people’s kindness and generosity in a time of mourning.
Apple launches revamped iPad Air & iPad mini
Apple loves tinkering with its existing product lines and coming up with new ways to make things more powerful – and both the iPad Air and iPad mini seem to be no exception.
IntegrationWorks continues expansion with new Brisbane office
The company’s new office space at the Riverside Centre overlooks the Brisbane River and Storey Bridge.