AI-DevAssist: AI-supported, secure software development

Digitisation is increasingly finding its way into all areas of life. The escalating number of critical vulnerabilities in software development represents a significant security threat. This project explores ways to use artificial intelligence (AI) to detect vulnerabilities in software code and prevent cyber attacks. The total volume of the project is EUR 2.24 million, including the project partners’ own funds.

Developing secure and reliable software is still a major and unresolved challenge. Despite efforts to contain them, the number of critical vulnerabilities is on the rise, as demonstrated by the upward trend in CVE (Common Vulnerabilities and Exposures ⁽¹⁾) from 2006 to 2018. An analysis conducted by Microsoft Research suggests that developers are still making many of the same mistakes they were 20 years ago ⁽²⁾. The aim of this project is to explore AI-assisted vulnerability detection methods and develop demonstrators that enable developers to build software more easily and securely.

To be more specific, the objective is to advance the state-of-the-art in security analysis, using Java as a model. Methods of artificial intelligence are being created that expand on existing static and fuzzing analysis tools, while also providing a direct line of interaction between the AI and the software developers. Fuzzing, a dynamic software analysis method, already integrates basic machine learning techniques. 

AI-DevAssist aims to accomplish this goal by pooling the knowledge of top-tier expert teams worldwide across the research domains of artificial intelligence, secure software engineering, and usable security. Usable security primarily deals with the human element in security and explores how technology can aid individuals in creating secure software. The strategy employed by AI-DevAssist involves creating AI components designed to identify software errors. AI-DevAssist adopts groundbreaking techniques in Secure Software Engineering, notably automated code analysis, to build an AI assistant adept at identifying vulnerabilities by leveraging semantic program characteristics. Furthermore, research is being conducted to explore and develop methods for interactions between AI systems and software developers, with the goal of improving knowledge transfer between developers and security tools.

The overarching goal of the achelos sub-project is to outline requirements for the analysis software, establish a benchmark, and evaluate the solutions developed within the project. Building on its extensive track record in developing security-sensitive software for industrial projects, achelos brings this expertise to the table.

Main task: to create the benchmark

achelos exploits weaknesses from known benchmarks and supplements these with vulnerabilities that current tools cannot detect. The benchmark will be integrated into a training and evaluation infrastructure by achelos, facilitating continuous assessment of the solutions developed within the project. The achelos development team, with its background in industrial security projects, will play a key role in evaluating the human-AI interface.

achelos has a long-standing track record in providing consulting, development and testing solutions for software in safety-critical domains. The achelos portfolio includes automated test suites for secure network protocols, certificate security and high-secure components. Our test suites are used specifically for the acceptance of products that have to be certified according to Common Criteria. Secure implementation and vulnerability assessment are key criteria for certification at a designated Evaluation Assurance Level (EAL) – Level (EAL 1–7). achelos’ skill set in test suite development is instrumental in designing and developing the benchmark.

In the it’s OWL transfer project ‘Integration of CogniCrypt’, achelos gained practical insights into static code analysis using the CogniCrypt tool. CogniCrypt was integrated into achelos’ continuous integration environment and embedded as a plug-in into the Eclipse software development environment, with additional rules applied to the BouncyCastle cryptographic library.

In addition, achelos is engaged in the BMBF project AutoSCA, collaborating with project partners to automate the analysis and prevention of side-channel attacks targeting cryptographic protocols for the first time. To this end, achelos is collaborating with cryptographers and machine learning experts from various disciplines. Through this collaboration, they aim to deepen their understanding of machine learning principles and apply appropriate machine learning methods to identify further cryptographic vulnerabilities through their test suites for secure network protocols.

(1) cve.mitre.org (2) Matt Miller. Trends, Challenges, and Strategic Shifts in the Software Vulnerability Mitigation Landscape. In BlueHat IL, 2019.

• AI-assisted secure software development AI Devassist