Search-Lab

Our Solutions

Software evolution – concept

We are interested in joining initiatives in Horizon 2020 where security is critical and where an SME partner from Hungary would fit well into the consortium.

Commit classification

We analyze the historical commits of a repository to obtain metrics from which we can learn to classify commits by their content (e.g. their JIRA class: bug fix, new feature, test, revert, etc.) and by their security relevance.
The commit classifier can also take into account how relevant the observed code segment is to the security requirements.

SW evolution generic model

We want to learn – by examining a wide range of commits from various projects – how certain potential vulnerabilities detectable by SAST and DAST tools (e.g. SpotBugs) are fixed. We collect a large number of bug-fix pairs for security and robustness improvements to train a model that is able to generate the fixes. We would also like to gather the hidden fixes, those never labelled as such, by running SAST tools on each commit and observing the differences between consecutive results.

SW evolution customized model

We want to learn – by examining the previous commits of the analyzed project – how certain potential vulnerabilities detectable by SAST and DAST tools (e.g. SpotBugs) are fixed in the selected project, and customize our generic model with parameters characteristic of that project. We also take coding style and naming conventions into account so that the generated fixes match the selected repository.

AIFix – tool

AIFix

AIFix employs symbolic execution to identify potential security vulnerabilities within an application. By utilizing commit classification, it focuses primarily on the security-critical components of the software, saving the significant computational resources that would otherwise be required to traverse the entire execution tree with every potential parameter value.

Alongside this, AIFix uses natural language processing techniques to exploit the knowledge generated by locally implemented models, which are constructed based on software evolution data.

For ease of interaction with developers, AIFix comes with a VSCode plugin interface. This allows developers to select, accept, reject, or modify the generated fixes and to conveniently initiate the execution of the tool.
A TRL3 version – developed in the AssureMOSS and AI4CYBER projects – is available for Java and can be extended to support other programming languages.

Take a look at our demo video:

Delta evaluation – concept

This evaluation methodology concentrates on evaluating the changes between a certified version and a new version of the target system. For each requirement, the relevant source code sections and third-party evidence files are assigned. If any of the assigned source code parts or evidence files change, the requirement needs to be re-evaluated, either manually or using automated rules; requirements whose assigned artifacts are untouched keep their certified result. This approach makes the automation of security evaluations possible and lowers evaluation costs during the process.

DeltaAICert – tool

The DeltAICert tool embodies the delta evaluation concept, providing a browser-based interface for gathering, categorizing, assigning and processing evidence for the assessment of security certification scheme requirements.

Upon completion of an initial manual assessment, the tool operates automatically. For instance, it is triggered by new commits and carries out the designated actions to re-evaluate the requirements pertaining to the modified code and any associated evidence generated by third-party tools.

DeltAICert generates comprehensive reports and, upon the successful fulfillment of all requirements, grants a certificate to the target.

A range of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools are compatible with DeltAICert and are capable of providing the necessary input evidence. A TRL4 version – developed in the AssureMOSS project – is available; it can be extended with new certification schemes and with support for more tools.
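The delta evaluation concept described above and the commit-triggered re-evaluation that DeltAICert performs, as an added illustration written for this page; it is not Search-Lab's code and does not reflect DeltAICert's internals. The requirement identifiers, file paths, file contents and the SpotBugs-report rule are all constructed for the example.

```python
import hashlib
# Constructed sample data: each "tree" maps artifact path -> content bytes.
CERTIFIED = {
    "src/auth/Login.java": b"class Login { /* certified */ }",
    "src/crypto/Cipher.java": b"class Cipher { /* certified */ }",
    "evidence/spotbugs-report.xml": b"<BugCollection></BugCollection>",
}
NEW = {
    "src/auth/Login.java": b"class Login { /* reworked in new version */ }",
    "src/crypto/Cipher.java": b"class Cipher { /* certified */ }",
    "evidence/spotbugs-report.xml": b"<BugCollection><BugInstance/></BugCollection>",
}

# Requirement id -> source sections and evidence files assigned to it (constructed).
REQUIREMENTS = {
    "AUTH-1": ("src/auth/Login.java", "evidence/spotbugs-report.xml"),
    "CRYPTO-1": ("src/crypto/Cipher.java",),
    "SAST-1": ("evidence/spotbugs-report.xml",),
}

# Automated rules: requirement id -> predicate over the new tree (hypothetical rule).
AUTO_RULES = {
    "SAST-1": lambda tree: b"<BugInstance" not in tree["evidence/spotbugs-report.xml"],
}

def fingerprint(tree):
    """Hash every artifact so only the certified baseline hashes need to be stored."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in tree.items()}

def changed_artifacts(certified_hashes, new_hashes):
    """Paths that were modified, added or removed between the two versions."""
    paths = set(certified_hashes) | set(new_hashes)
    return {p for p in paths if certified_hashes.get(p) != new_hashes.get(p)}

def delta_evaluate(requirements, certified, new, auto_rules):
    """Per requirement: 'valid' (certified result stands), 'pass'/'fail' (rule), or 'manual'."""
    changed = changed_artifacts(fingerprint(certified), fingerprint(new))
    verdict = {}
    for rid, artifacts in requirements.items():
        if not any(p in changed for p in artifacts):
            verdict[rid] = "valid"          # nothing assigned to it changed
        elif rid in auto_rules:
            verdict[rid] = "pass" if auto_rules[rid](new) else "fail"
        else:
            verdict[rid] = "manual"         # changed and no rule: re-evaluate by hand
    return verdict

if __name__ == "__main__":
    print(delta_evaluate(REQUIREMENTS, CERTIFIED, NEW, AUTO_RULES))
```

With the constructed data, only AUTH-1 needs a manual re-evaluation; CRYPTO-1 keeps its certified result, and SAST-1 fails automatically because the new report contains a finding.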

Take a look at our demo video: