Sign up to save your podcasts
Or
Share How machine learning can be used to write more secure computer programs
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
How machine learning can be used to write more secure computer programs
In this episode of the Data Show, I spoke with Fabian Yamaguchi, chief scientist at ShiftLeft. His 2015 Ph.D. dissertation sketched out how the combination of static analysis, graph mining, and machine learning, can be used to develop tools to augment security analysts. In a recent post, I argued for machine learning tools to augment teams responsible for deploying and managing models in production (machine learning engineers). These are part of a general trend of using machine learning to develop and manage the software systems of tomorrow. Yamaguchi’s work is step one in this direction: using machine learning to reduce the number of security vulnerabilities in complex software products.
Here are some highlights from our conversation:
Machine learning to find code vulnerabilities
I was not trying to build something that would just automatically take the code and give you all of the vulnerabilities. Instead, I was looking at the typical kind of tasks that I would encounter myself when doing these security audits, and I would ask myself, how can I automate these subtasks? As an example, when you find a vulnerability in code, the question that often arises is whether there are similar vulnerabilities still in that same program. That’s one of those subtasks you can automate well because what you’re actually doing is saying: ‘Hey, here’s an example of what a bug looks like. Can you scan the rest of the code? Can you use machine learning to actually determine other locations in the code that implement the same bug?’
… In machine learning, you never have enough data. In this case, this is actually an unsupervised learning approach. You’re taking all of the functions that you can get and you extract the dominant programming patterns in there. … It’s a bit like what you would do to find similar text documents, but it’s used for code.
From source code to graph analytics
By transforming software code into a graph, you can actually extract different properties from that code by analyzing the graph.
… Let’s take a smaller function that might have one IF block. One of the graph structures that’s first generated is called an abstract syntax tree. That’s a tree that you’d get by just parsing the code. … For each IF and for each variable, for each statement, there’s going to be a node. For each operator, like if there’s an assignment, there’s also going to be a node, and they are all connected by edges. You soon run into a lot of nodes and edges. If you take something like, let’s say, the Linux kernel, you’ll have several hundreds of thousands of nodes.
… You can do a lot by essentially solving reachability problems in these graphs.
Related resources:
“How machine learning will accelerate data management systems”
Artificial intelligence in the software engineering workflow: A 2017 AI Conference keynote by Peter Norvig
“Responsible deployment of machine learning”: Why we need to build machine learning tools to augment our machine learning engineers
“Architecting and building end-to-end streaming applications”
Data is only as valuable as the decisions it enables
View all episodes
By O'Reilly Media
4
6363 ratings
In this episode of the Data Show, I spoke with Fabian Yamaguchi, chief scientist at ShiftLeft. His 2015 Ph.D. dissertation sketched out how the combination of static analysis, graph mining, and machine learning, can be used to develop tools to augment security analysts. In a recent post, I argued for machine learning tools to augment teams responsible for deploying and managing models in production (machine learning engineers). These are part of a general trend of using machine learning to develop and manage the software systems of tomorrow. Yamaguchi’s work is step one in this direction: using machine learning to reduce the number of security vulnerabilities in complex software products.
Here are some highlights from our conversation:
Machine learning to find code vulnerabilities
I was not trying to build something that would just automatically take the code and give you all of the vulnerabilities. Instead, I was looking at the typical kind of tasks that I would encounter myself when doing these security audits, and I would ask myself, how can I automate these subtasks? As an example, when you find a vulnerability in code, the question that often arises is whether there are similar vulnerabilities still in that same program. That’s one of those subtasks you can automate well because what you’re actually doing is saying: ‘Hey, here’s an example of what a bug looks like. Can you scan the rest of the code? Can you use machine learning to actually determine other locations in the code that implement the same bug?’
… In machine learning, you never have enough data. In this case, this is actually an unsupervised learning approach. You’re taking all of the functions that you can get and you extract the dominant programming patterns in there. … It’s a bit like what you would do to find similar text documents, but it’s used for code.
From source code to graph analytics
By transforming software code into a graph, you can actually extract different properties from that code by analyzing the graph.
… Let’s take a smaller function that might have one IF block. One of the graph structures that’s first generated is called an abstract syntax tree. That’s a tree that you’d get by just parsing the code. … For each IF and for each variable, for each statement, there’s going to be a node. For each operator, like if there’s an assignment, there’s also going to be a node, and they are all connected by edges. You soon run into a lot of nodes and edges. If you take something like, let’s say, the Linux kernel, you’ll have several hundreds of thousands of nodes.
… You can do a lot by essentially solving reachability problems in these graphs.
Related resources:
“How machine learning will accelerate data management systems”
Artificial intelligence in the software engineering workflow: A 2017 AI Conference keynote by Peter Norvig
“Responsible deployment of machine learning”: Why we need to build machine learning tools to augment our machine learning engineers
“Architecting and building end-to-end streaming applications”
Data is only as valuable as the decisions it enables
More shows like O'Reilly Data Show Podcast
View all
The Changelog: Software Development, Open Source
283 Listeners
O'Reilly Radar Podcast - O'Reilly Media Podcast
36 Listeners
Data Skeptic
482 Listeners
Talk Python To Me
592 Listeners
Software Engineering Daily
623 Listeners
O'Reilly Design Podcast - O'Reilly Media Podcast
8 Listeners
The TWIML AI Podcast (formerly This Week in Machine Learning & Artificial Intelligence)
446 Listeners
AWS Podcast
202 Listeners
Super Data Science: ML & AI Podcast with Jon Krohn
297 Listeners
NVIDIA AI Podcast
323 Listeners
Machine Learning Guide
764 Listeners
AI Today Podcast
146 Listeners
DataFramed
267 Listeners
Practical AI
192 Listeners
Google DeepMind: The Podcast
197 Listeners
Last Week in AI
287 Listeners
This Day in AI Podcast
199 Listeners