In parallel with the ongoing digitization, computer security has become an
increasingly important and urgent challenge. In particular, the sound and
robust implementation of complex software systems is still not well understood
in practice, as evidenced by the steady stream of successful attacks observed
in the wild. The current state of the art in software security consists of
solutions that are often technically sound, but do not provide operational
security in practice.

In this talk, I will give an overview of our recent work towards resilient and
sustainable software security, which is also the focus of my upcoming ERC
Consolidator project. On the one hand, the system must be resilient against
entire classes of attack vectors. On the other hand, the system must be
sustainable, i.e., it must be able to maintain its security at least over its
design lifetime and possibly even adapt over time. In the talk, I will discuss
some of the methods we have developed to achieve this goal, with a specific
focus on novel software testing strategies that enable accurate and efficient
vulnerability discovery. I will conclude the talk with a brief overview of
future research directions.