Solving the $60 billion problem

Thirteen years after Lycos was created at Carnegie Mellon, a brand new spin-off hopes to revolutionize the budding software assurance industry. SureLogic, a software company founded late last year, is using research from Carnegie Mellon’s Fluid Project, a software assurance research program in SCS, to develop software that kills the hardest-to-find bugs in the most critical systems.

Software assurance is a lucrative field, considering that every year bugs in computer software cause $60 billion in damages worldwide, according to Bill Scherlis, professor of computer science and director of Carnegie Mellon’s Institute for Software Research.

The Research

SureLogic’s software tools are based on research regarding software reliability and assurance conducted by Scherlis. Jonathan Aldrich, Scherlis’ colleague and fellow professor in the School of Computer Science, has also made several large contributions. Scherlis, recruited by Allen Newell to the Defense Advanced Research Projects Agency (DARPA) in 1986, came back to Carnegie Mellon in 1993 to work on dependability as part of the Fluid Project.

“My research is focused on how to write software about which you can make promises,” Scherlis said. “Software is everywhere, it’s an amazing kind of a construction material if you can think of [it] as something that you build stuff out of — it’s like steel, bricks.”

According to Scherlis, dependability is key in many different fields. Software programs keep pacemakers working correctly, fly planes, drive cars, operate rockets, govern banking systems, and have countless other responsibilities.

Even the average cell phone, an essential communication tool to many, contains three to five million lines of code. In all of this, there is enormous room for error.

“The rate of errors per thousand lines of code is a rough measure,” Scherlis said. “The problem is that it takes just one little error to really do you in.”

Unreliable software has been responsible for NASA’s two failed Mars missions and the Northeast blackout of summer 2003.

Scherlis blames some of the problems in important software programs on the tension between computer scientists’ ambition and the level of technological ability that currently exists worldwide.

“As we got more ambitious about what we wanted to do with software, our ambition exceeds our ability to produce reliably, and so there’s this tension of goals and means,” Scherlis said.

Scherlis and his team took their completed research to several companies. Among them was Lockheed Martin, which was extremely enthusiastic about Carnegie Mellon’s software assurance tools.

The demand and enthusiasm for the Fluid team’s tools established that it was time for the researchers to market their technologies as commercial products.

The Company

In 2006, SureLogic received investments from Innovation Works, the state of Pennsylvania’s seed fund group that fosters economic development in southwestern Pennsylvania, and the venture capital firm Saturn Capital. In addition, Carnegie Mellon has an equity stake in SureLogic.

SureLogic was founded in September 2006 under the leadership of CEO Steve Schmitt, a 1996 graduate of the Heinz School in public policy and information technology.

Before coming to SureLogic, Schmitt was the CIO of Pittsburgh and the VP for Information Technology at FORE Systems, a successful Carnegie Mellon telecommunications spin-off sold to Marconi.

Schmitt is particularly enthusiastic about the software assurance industry’s potential effect on southwestern Pennsylvania’s economic development.

“This is not about the company or the technology,” Schmitt said. “I believe strongly that the research that’s being done at CMU in the area of software assurance can really create an industry here in southwestern Pennsylvania.”

Schmitt hopes that the team’s research will put Pittsburgh on the map in the new but thriving industry of software assurance.

“The work that’s being done at the Institute for Software Research has the ability to create an international presence for software assurance,” Schmitt said.

A “brain drain,” or exodus of qualified graduates, is a big fear in southwestern Pennsylvania, but Schmitt is proud of the fact that nine of the 10 people hired at SureLogic hold degrees from Carnegie Mellon, eight of whom have either a master’s degree or a Ph.D. from the university.

However, despite the company’s prominent position in the industry, SureLogic still has to compete for top computer science grads with technology giant Google, according to Edwin Chan, SureLogic’s senior architect.

In addition, because the company is only a start-up, a job at SureLogic poses a significantly higher risk than an entry-level position at Google.

However, it’s a risk that SureLogic software engineer and Carnegie Mellon graduate Ethan Urie was willing to take.

“It’s a very small company at the moment, so you wear a lot of hats,” Urie said, “but it’s nice having such an impact on the company vision and where we’re going.”

The Products

SureLogic’s tools analyze only Java code, but the company plans to expand its software to include C, C++, and C# analysis tools.

According to Urie, SureLogic’s tools find the most deeply entrenched bugs that aren’t detected by testing and inspection. Instead of just eyeballing thousands of lines of code and executing it in a number of different situations, SureLogic works by directly analyzing the code.

“We analyze the software in a non-running state. We look at code as-is,” Urie said. “That allows us to find flaws that are very difficult to find using traditional static analysis.”

Chan agreed that the difference between SureLogic’s product and those of other companies is significant.

“Most other companies take your code, put it in a black box, and turn the crank,” Chan said. He explained that SureLogic’s tools require programmers to be much more involved in the process of analysis and policy implementation.

“If you have a policy, [our product] helps you write code that is consistent with that policy,” Chan said.

The list of companies that field-tested the technology that SureLogic uses reads like a who’s who of the Fortune 500, including IBM, eBay, Oracle, and Sun Microsystems. Those who have had the chance to use the technology are enthusiastic about its potential.

“I can’t think of any of our Java code I wouldn’t want to run this tool on,” said Andrew Winkler, senior architect at Lockheed Martin, at the International Conference on Software Maintenance held in September 2006.