Lunch with Sponsor Presentation

Code Genome - Fingerprinting Code to Help Secure the Software Supply Chain

Abstract:
Ken Thompson once wrote: "you can't trust code that you did not totally create yourself." Thirty-eight years later this is still true, and more frightening than ever. Much of the world's infrastructure relies on open source software across the entire stack: operating systems, compilers, middleware, applications, and infrastructure. Any crack in the software supply chain can, and has, had tremendous consequences. While significant progress is being made in securing the software supply chain, through digital signatures and automated build processes, we still have to trust every aspect of the development and build process.

To address this problem, we are introducing the Code Genome, semantically meaningful fingerprints of code functionality. While file hashes change significantly when a single bit has changed and fuzzy hashes lack an understanding of the domain, code genes capture the behavior of the code, and works across source code and binaries generated from different compilers targeting different architectures. We use this powerful new construct to build up a large database and knowledge graph of open source software, allowing unknown code to be identified and verified. A public service is being planned that allows developers and other practitioners to scan and analyze their code.

About the Speaker:
Jiyong Jang is a Principal Research Scientist and Manager of the Cyber Security Intelligence (CSI) team at the IBM Thomas J. Watson Research Center where the team is developing cutting-edge technologies in cyber threat hunting, program analysis, AI security, cyber deception, and vulnerability discovery while publishing top quality papers and patents, and contributing to security products and open-source projects. His current research focuses on security analytics to detect advanced threats in complex networking systems, and application security to identify and remediate vulnerabilities using static and dynamic analysis. He has been invited for technical talks at universities, companies, and government to discuss evolving trends of cybersecurity attacks and defenses, and his work has been well recognized at top academic and industry conferences and the media in view of practical and scientific contributions. He completed his Ph.D. degree at Carnegie Mellon University where he researched scalable methods to identify software vulnerabilities.