A first kick-off meeting of the project partners took place in Stuttgart on the 14th of May 2019. Beate Eickhoff, the responsible technical supervisor from VDI / VDE / IT, Professor Dr. Stefan Wagner and Kai Mindermann as representatives of the University of Stuttgart, and Dr. Heinrich Rust and Norman Wenzel for RIGS IT met for a first introduction. The first steps for CRITICALMATE, together with many organizational questions, were discussed.
From left to right: Kai Mindermann, Prof. Dr. Stefan Wagner, Beate Eickhoff, Norman Wenzel and Dr. Heinrich Rust
RIGS IT has already started extensive research on data flow analysis algorithms. As a next step, two working students need to be found for the project at the University of Stuttgart Software Engineering Group.
We are planning to include many students in this project as this is a very interesting software engineering research opportunity. (Kai Mindermann, M.Sc.)
Additionally, several student research projects and theses on this topic are planned to support the project as much as possible. Topics for students include general software engineering, cryptography and security, development of plugins for Integrated Development Environments (IDEs), machine learning, Web Application Programming Interfaces (APIs), developer experience and many more.
About CRITICALMATE research
Errors in the use of cryptographic program libraries are a major risk to the IT security of practically all software systems. Ideally, such usage errors would be found during development by static analysis and displayed in the development environment, so that they can be corrected promptly and cost-effectively. Currently, such integration into development environments is difficult because (1) the analyses themselves still take too long and thus delay developers, and (2) the large number of programming languages, development environments and analysis tools leads to exponentially high integration costs.
The CRITICALMATE project addresses these problems by bundling the expertise of RIGS IT, a provider of static security analysis, and the University of Stuttgart, which has expertise in the use of static analysis and in particular in the usability of cryptographic program libraries. Together, they will develop methods for partial, local and incremental analyses that can be performed in a few seconds, and design and implement protocols for the exchange between development environment and analysis tool, as well as between rule providers, that minimize the integration effort. The resulting product will be marketed by RIGS IT and will give software vendors an easy way to identify and resolve security issues early.
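To make the kind of check described above concrete, here is a small, added illustration (not CRITICALMATE's or RIGS IT's code) of a fast, local static check for cryptographic API usage errors that emits IDE-style diagnostics. The rule table, the `analyze` function and the sample source are constructed for this example; it only matches fully qualified calls such as `hashlib.md5(...)`, not aliased imports.

```python
"""Minimal AST-based detector for a few cryptographic API usage errors."""
import ast
from dataclasses import dataclass

# Hypothetical rule set (dotted call name -> message); not a project rule file.
WEAK_CALLS = {
    "hashlib.md5": "MD5 is not collision resistant; use SHA-256 or stronger",
    "hashlib.sha1": "SHA-1 is deprecated for signatures; use SHA-256 or stronger",
    "random.random": "random is not a CSPRNG; use secrets for keys, tokens and nonces",
}


@dataclass
class Finding:
    line: int
    col: int
    message: str


def _dotted_name(node: ast.AST) -> str:
    """Rebuild 'a.b.c' from an Attribute/Name chain, or '' if it is not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def analyze(source: str) -> list:
    """Return diagnostics (line, column, message) an editor could show inline."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in WEAK_CALLS:
                findings.append(Finding(node.lineno, node.col_offset, WEAK_CALLS[name]))
    return sorted(findings, key=lambda f: (f.line, f.col))


# Constructed sample source, as a developer might have it open in an editor.
SAMPLE = """\
import hashlib, random, secrets
def token():
    return hashlib.md5(str(random.random()).encode()).hexdigest()
def good_token():
    return secrets.token_hex(16)
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.line}:{f.col}: {f.message}")
```

A real analysis would also resolve import aliases and follow data flow (for example, a key derived from a weak source and passed to a cipher), which is exactly where the incremental approach the text describes matters.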