Sabelfeld, who is professor of cybersecurity at Chalmers University of Technology in Gothenburg, is researching the weak links in our modern computer systems. He points out that we are constantly under attack in cyberspace. His aim is to develop concepts and techniques to secure modern software, thereby shutting out a wide range of attacks.

“Software controls our digital society, and is often the main reason for vulnerabilities that can be exploited in cyberattacks. As a researcher, my primary interest lies in securing software so we can rely on our services and systems,” he says.

The digitization of our society means we rely on the web, not only for services, but for large portions of the financial, administrative and military infrastructure of society. When so many systems are within digital reach, those wishing to disrupt specific activities – and sometimes society at large – do not even have to be physically present.

Complex systems creating vulnerability

According to Sabelfeld, the risk of being hacked has grown as modern web applications have become increasingly complex, dynamic and interactive. And web applications often use third-party code, a kind of library service for managing information or statistics. Google Analytics is one example. These libraries are often included with full privileges in the web application. This implies that the system can, in the worst case, be taken over through an insecure library.

“Taken together, these factors create vulnerabilities, rendering systems large and difficult to manage. A single weak point is enough for an attack to succeed,” he says.

A number of major cyberattacks have occurred in Sweden over the past few years. Many people remember when Coop Sweden, a retail food chain, was hacked in 2021, causing its checkout system to be locked. Each store system had to be rebooted manually, a costly and time-consuming process.

“This was an example of a ransomware attack – a form of digital blackmail in which a company is told it must pay money to stop the attack. In this case the company’s accessibility was attacked; in other cases disclosure of sensitive data may be at stake. This could cause great harm, for instance if patient data were leaked,” he says.

Preventing attacks

As a Wallenberg Scholar, Sabelfeld will be developing a comprehensive framework for preventing attacks.

The project is focusing on two key tools in the hunt for safer systems: “web crawling” and security scanning. Web crawling is a technique used to search through and scrutinize a web application and all its content. Security scanning, or vulnerability scanning, is used to test systems and search for security risks.

“We examine how the web application is built, and track information flows throughout the system. This enables us to detect vulnerabilities: where attacks could occur, and how harmful code could enter the system,” he says.

For me, cybersecurity is a perfect combination of theory and practice. It gives me a kick to see the effects and direct application of research findings.

Sabelfeld points out that web crawling and security scanning are currently used in the field of cyber security, albeit not in the best or most efficient way. His team’s goal is ambitious: the researchers want to create a new paradigm in cybersecurity by radically improving the ability to deeply scan web applications for security.

“Our vision is to develop a comprehensive framework and approach that can be used to test security when new web applications are being developed. This is a vital step to prevent attacks, instead of merely patching over weaknesses in the system once users have been targeted,” says Sabelfeld.

Constant vigilance

Although the researchers hope to create an effective weapon against cyberattacks, Sabelfeld stresses that it is never possible to relax with cybersecurity – hackers are constantly changing their modus operandi.

“There is no ultimate solution for online security, but we can make life difficult for hackers. They are a moving target, and we have to constantly upgrade our standards,” he says.

And cybersecurity poses a further challenge: that the technology developed by researchers can be used for the opposite purpose if it falls into the wrong hands. Sabelfeld uses the term “dual-use technology” to describe the dilemma that the same technology used to create security on the web can also be used to cause harm. He considers it vital to have a dynamic conversation about ethical issues concerning cybersecurity, but does not believe that all risks of research can be avoided.

“To create effective protection against attacks it is essential to understand what actually happens in the real world. Nowadays universities offer courses on ethical hacking, which shows the risks that exist. The advantages of research and education in cybersecurity outweigh the risks, and it’s vital that we don’t neglect this important field merely because there is a potential for abuse,” he says.

Text Ulrika Ernström
Translation Maxwell Arding
Photo Johan Wingborg