Cybersecurity and
trustworthy digital technology

Amid the increasing complexity of today’s software, guaranteeing trust in an application’s ability to withstand attacks presents some major challenges. Formal-methods-based static analysis can mathematically verify the absence of entire classes of vulnerabilities—like buffer overflows—commonly exploited by attackers. In traditional approaches, a full analysis must be completed every time the code is modified—a requirement that is incompatible with continuous integration workflows. More recent formal static analysis methods are better aligned with the agile development of critical systems. By reusing previous results, these incremental analysis methods drastically reduce analysis times without sacrificing the necessary mathematical guarantees.

The problem is that the automated detection of vulnerabilities now far outpaces our ability to correct them. The Linux kernel, due to its size, complexity, and the amount of code it contains, is associated with thousands of vulnerabilities in CVE databases each year. Given the sheer number of vulnerabilities, it is impossible to know which ones should be given priority. And Linux is far from an isolated case. The answer lies in vulnerability exploitability assessment, which looks at the likelihood that an attacker can effectively take advantage of a vulnerability. New techniques can be used to analyze the exploitable values of different parameters, enabling the automated classification of truly critical vulnerabilities, validated on real CVEs.

Finally, advances in quantum computing are raising pressing questions about today’s encryption methods. The risk of attackers collecting encrypted data today and cracking it tomorrow with quantum computers is very real. Post-quantum cryptography and fully-homomorphic encryption offer future-proof protection, made practical by hardware acceleration, with performance gains of up to 94% to 96%.