SBIR-STTR Award

Concurrency vulnerabilities: Combining dynamic and static analyses for detection and remediation
Award last edited on: 9/13/2013

Sponsored Program
SBIR
Awarding Agency
DHS
Total Award Amount
$100,000
Award Phase
1
Solicitation Topic Code
H-SB09.2-004
Principal Investigator
Aaron Greenhouse

Company Information

SureLogic Inc

5808 Forbes Avenue
Pittsburgh, PA 15217
   (412) 787-6395
   info@surelogic.com
   www.surelogic.com
Location: Single
Congr. District: 18
County: Allegheny

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2009
Phase I Amount
$100,000
As processor clock speeds top out, software developers increasingly rely on concurrency, multicore, and distributed computing for performance goals -- and on platforms ranging from industrial controls to multicore desktops and scalable clouds. It is safe to speculate that errors in concurrent software will be the next buffer overflow, only more difficult to detect and debug.

The non-determinism in concurrent code creates unique challenges for software assurance, including security and reliability. Intermittent failures can be difficult to diagnose, defying traditional testing and inspection. A one-in-a-million corruption or deadlock, for example, may rarely be caught in testing, but once known to an adversary who can control the timing it can become an exploitable vulnerability. The proposed work addresses this challenge, linking SureLogic capabilities in scalable sound static analysis, dynamic analysis, and surgically-targeted runtime monitoring. The results, to be delivered through vendor and consultant partnerships, will enhance cloud security, accelerate positive assurance for at-scale concurrent code, and integrate deep analysis into established industry-standard development practices.

This work builds on the established SureLogic toolset, derived from research at Carnegie Mellon, which has been field tested on diverse software from government and industry. It has found race vulnerabilities in commercial product code, deployed aerospace code, and major open source code.
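The abstract's point that a race which almost never fires in testing becomes exploitable once an adversary controls the timing, shown as an added example. This is illustrative code written for this page, not code from the award or from SureLogic's toolset, and the names (Account, WithdrawRacy, WithdrawSafe, RaceTOCTOU, SafeUnderContention) are assumed. The racy withdrawal is a check-then-act sequence with no lock held across the two steps; a window callback stands in for the scheduler so the losing interleaving can be pinned deterministically, which is exactly the interleaving an attacker would try to land in.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Account models a resource with a limit (hypothetical type for this example).
type Account struct {
	mu      sync.Mutex
	balance int
}

// WithdrawRacy is the classic check-then-act bug: the balance is read and
// validated, and only later debited, with no lock held across both steps.
// The gap between the two is the race window. The window callback is not
// something production code has; it lets the example force the interleaving.
func (a *Account) WithdrawRacy(amount int, window func()) bool {
	if a.balance < amount { // check
		return false
	}
	if window != nil {
		window()
	}
	a.balance -= amount // act
	return true
}

// WithdrawSafe holds the lock across check and act, so the pair is atomic
// with respect to every other withdrawal.
func (a *Account) WithdrawSafe(amount int) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.balance < amount {
		return false
	}
	a.balance -= amount
	return true
}

// Balance reads the balance under the lock.
func (a *Account) Balance() int {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.balance
}

// RaceTOCTOU runs two withdrawals against a balance that covers only one of
// them and forces the second (the attacker's) into the first's check/act
// window. Both checks pass, both debits happen, and the limit is bypassed.
// Returns the final balance: negative means the invariant was broken.
func RaceTOCTOU() int {
	acct := &Account{balance: 100}
	attackerIn := make(chan struct{})
	attackerDone := make(chan struct{})
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { // victim request: passes its check, then stalls in the window
		defer wg.Done()
		acct.WithdrawRacy(100, func() {
			close(attackerIn)
			<-attackerDone
		})
	}()
	go func() { // attacker request: lands while the victim's check is stale
		defer wg.Done()
		<-attackerIn
		acct.WithdrawRacy(100, nil) // balance is still 100, so this passes too
		close(attackerDone)
	}()
	wg.Wait()
	return acct.balance // -100
}

// SafeUnderContention fires n concurrent withdrawals of the full balance
// through the locked path. Exactly one succeeds and the balance ends at 0,
// regardless of scheduling. Returns (successes, final balance).
func SafeUnderContention(n int) (int, int) {
	acct := &Account{balance: 100}
	var wg sync.WaitGroup
	var ok int32
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if acct.WithdrawSafe(100) {
				atomic.AddInt32(&ok, 1)
			}
		}()
	}
	wg.Wait()
	return int(ok), acct.Balance()
}

func main() {
	fmt.Println("pinned race, final balance:", RaceTOCTOU())
	s, f := SafeUnderContention(50)
	fmt.Printf("locked path under contention: %d success(es), final balance %d\n", s, f)
}
```

The pinned version is deterministic because the two goroutines are ordered by channel operations, which is why a plain test can assert on it; the unpinned bug would surface only occasionally, which is the abstract's point about testing. Running the racy path under contention without the window with `go run -race` makes Go's built-in race detector report the unsynchronized access, a small instance of the dynamic-analysis side the abstract describes.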

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
----
Phase II Amount
----