Software that is free of serious security vulnerabilities could be on the horizon after a pair of Australian researchers recently developed an entirely new system for detecting weaknesses.

Called ‘LineVul’, it’s the most effective approach to accurately predict vulnerabilities in software code and therefore able to strengthen cyber security, Monash University software experts, Dr Chakkrit Tantithamthavorn and PhD candidate Michael Fu, have shown.

When compared to current best-in-class prediction tools, the system increased accuracy in predicting software vulnerabilities by more than 300 per cent while spending only half the usual amount of time and effort.

LineVul is specially designed for C/C++ programming languages that are more vulnerable to attack than other high-level programming languages, and is highly accurate in detecting vulnerabilities within safety-critical systems running Chrome, Linux, Android, used by billions of people around the globe.

Explaining that these systems are used in very sensitive sectors like national infrastructure, the researchers noted this includes a wide-range of sectors like defence, banking, retail, and healthcare, where weaknesses could lead to major breaches.

“Vulnerabilities in these systems could result in significant threat to financial, digital, personal and national security,” Tantithamthavorn and Fu told Information Age.

A weapon against the most damaging vulnerabilities

The LineVul approach can be applied broadly to strengthen cyber security across any application built with source code, although it’s most useful in guarding against many of the 25 most dangerous vulnerabilities.

For example, with the Out-of-Bounds write vulnerability (CWE-787), the software writes data past the end or before the beginning of the intended buffer, which can result in the corruption of data, a crash or code execution.

“This vulnerability is dangerous because it’s often easy to find and exploit, and can allow adversaries to completely take over a system, steal data or prevent an application from working,” said Tantithamthavorn and Fu.

Current machine learning-based vulnerability prediction tools are still inaccurate and are only able to identify general areas of weakness in the source codes, the researchers noted.

While standard software programs contain millions to billions of lines of code and it often takes a significant amount of time to identify and rectify vulnerabilities, LineVul has been shown to have pin-point accuracy.

It can even identify the location of vulnerabilities down to the exact line of code, proving to be superior to current machine learning-based vulnerability prediction tools.

With further development, it’s hoped that it will eventually be able to automatically suggest corrections for vulnerabilities in software code.

“Using an AI-based approach, it leverages the most advanced deep learning algorithm, namely Bidirectional Encoder Representations from Transformers (BERT), to learn the vulnerability patterns,” the researchers said.

Could it eventually correct the mistakes it finds?

Given it’s a deep learning-based approach, LineVul requires historical vulnerability patterns of data to be learnt.

To be most effective, the program will need to continuously adapt to unknown vulnerabilities that have not been discovered before “but once that is done, it will be able to accurately predict them,” the pair said.

It’s hoped that using this system will reduce the time taken by developers trying to identify vulnerabilities in code either during the development process or after the program has been implemented.

There are also plans to continue building on the LineVul approach and develop new methods to automatically suggest corrections for vulnerabilities in software code.

Tantithamthavorn and Fu told Information Age their preliminary results have already shown it’s able to suggest corrections for at least 30 per cent of vulnerabilities.

There is also work happening to develop a world-first AI-powered security analysis tool that accurately predicts and locates vulnerabilities, and is able to explain the type of vulnerability, then suggest corrections to security analysts.

“We’re looking for industry partners to work collaboratively with us to ensure that the applications are most suited to industry’s needs."