New Diagnosis Tools Will Help Protect Data in Event-Based Applications
Software behaving badly, especially when it corrupts, exposes or loses someone's data, is the motivation for new research from NJIT Prof. Iulian Neamtiu on how event-based applications go astray and what can be done to fix them.
Such applications are often found in smartphones, websites and Internet-connected home products, which rely on expected results from their middleware and operating systems — but sometimes the results are unexpected, causing anything from simple annoyances to catastrophic errors.
To help understand and solve these problems, Neamtiu is sharing a four-year, $1.2 million grant from the National Science Foundation with University of California Riverside Associate Prof. Zhijia Zhao. Both plan to hire student researchers from minority and underrepresented backgrounds.
"Prior approaches have investigated Android, JavaScript, and the Internet-of-things separately. That has led to ad-hoc narrow solutions and hindered progress, because advances in one domain couldn't translate to advances in another domain," Neamtiu explained.
Neamtiu cited several real-world examples. In the popular K-9 email program for Android, users who configured unread message widgets lost data if they rotated their devices midway through the process. In the open-source Ghost blogging platform, written in JavaScript, user accounts were unexpectedly created. In the MyQ garage door software, doors were being reported as opening when they were not.
The researchers are using two mathematical models: static analysis, to systematically explore all possible scenarios without actually running the software, and symbolic execution, which simulates the running of the software by testing a program's actual actions one at a time using symbolic values.
He compares the situation to automobiles. "Is there a scenario under which the car will not start? Is there a scenario under which the car will short circuit? Is there a scenario under which the car is going to break into two?" More realistically, he noted, in a car traveling at speed V with a road incline I and throttle position P, what should the drivetrain do? It could brake, pull moderately, or pull hard.
Neamtiu said the biggest challenge to their research is the scale of the problem. Modern applications run millions of lines of code. Any online service loads thousands of lines of JavaScript from dozens of libraries made by just as many sources. All these have to be modeled precisely to maintain soundness.
You can't determine the shape of an iceberg by looking at its tip, he noted, but he's optimistic that the bug detectors they're building will apply to many situations. Both professors plan to integrate the new methods into their courses. Neamtiu's relevant courses include Android Application Development (CS 388), Advanced Programming Languages (CS 635), Software Engineering (CS 673) and Smartphone Security and Reliability (CS 698).
Software reliability projects are common, but few are as universally important as those related to mobile devices and the Internet. Fewer still include Neamtiu's and Zhao's intention to hire students who ordinarily might not get research opportunities. Even high school students would be welcome. Neamtiu hopes to reach them through NJIT's Center for Pre-College Programs. The opportunity, he noted, may encourage such students to make NJIT their top college choice and someday lead their own research or computer science projects.