Research Fellowships 2025
Software vulnerabilities are exploitable attack vectors, costing our economies trillions. Their negative impact is far-reaching, from causing outages of healthcare systems to turning smart fridges into malicious botnets. Finding software vulnerabilities manually can be challenging, which is why automated techniques, enabled by large vulnerability datasets, have experienced a surge in popularity. However, these techniques exhibit low accuracy rates and are black box, making them impractical for industry. This project aims to deliver high quality, explainable automated vulnerability detection and prevention techniques that meet industry needs. Dr Sejfia’s key insight is that underexplored vulnerability data provides the pathway to achieve this mission. Vulnerabilities are diverse: causes may range from lack of input validation to unauthorised access. However, current detectors lump all vulnerabilities together, resulting in low-accuracy generalised models. Popular datasets categorise vulnerabilities conceptually, but not necessarily based on the coding errors behind them.
The ideal solution would create vulnerability categories that factor in the root cause, enabling highly accurate specialised detection models. These categories can strengthen prevention efforts by pinpointing common vulnerability-inducing coding constructs. Detecting vulnerabilities with high accuracy is necessary but not sufficient. Vulnerabilities are often subtle and invoke various code elements which software engineers need to understand before providing a fix. That is why explanations, ignored by the current black-box techniques, are essential for industry adoption. Vulnerability datasets often include the exploit that triggers each vulnerability, a useful – but thus far unused – source for explanations. Historical exploits can be used to synthesise a new exploit on-demand automatically.
Automated, explainable vulnerability detection and prevention is crucial for ensuring secure software. To that end, this project will use vulnerability data to: recategorise vulnerabilities through static analysis and machine learning; deliver specialised detection models; discover vulnerability-inducing constructs via code comprehension and graph-mining techniques; and provide explanations via program synthesis.
Related content
View all programmesSupport for research
The Academy runs a number of grants to support excellent researchers carry out engineering activities and to enable clo…
Research Fellowships
The Academy offers Research Fellowships each year to outstanding early-career researchers to support them to become fut…