Software understanding

Software understanding is the analysis and interpretation of software systems' behavior, structure, and functionality, particularly when dealing with incomplete documentation or source code.^[1] The field encompasses technical practices such as reverse engineering, code analysis, and formal verification to ensure software functions securely and reliably.

Software understanding involves examining software systems to verify their functionality, safety, and security across various operational conditions. This includes both static analysis of code and dynamic observation of runtime behavior.

The practice has become increasingly important as software systems have grown more complex and interconnected, often incorporating third-party components and open-source libraries that organizations did not develop internally.

The need for systematic software understanding emerged during the "software crisis" of the 1960s–1980s, when the complexity of software systems began to outpace developers' ability to maintain and verify them reliably.

Notable incidents during this period highlighted the importance of thorough software analysis:

• The Therac-25 radiation therapy accidents in the 1980s, caused by software bugs that escaped traditional testing methods, resulted in fatal radiation overdoses.

In response, software engineering practices evolved to emphasize program comprehension and maintainability through structured programming, code inspections, and early formal verification methods.

The widespread adoption of open-source components, complex software supply chains, and rapid deployment cycles have created new challenges for software understanding. Organizations often run software they did not develop, making it difficult to fully comprehend system behavior.

The "software understanding gap" refers to the growing disparity between society's reliance on complex software and the capacity to analyze and verify that software's behavior.^[2]

The 2025 Closing the Software Understanding Gap report urged coordinated national action, including the creation of a cross-agency executive council and increased accountability for secure-by-design software. The report also called for the introduction of technical innovations, such as artificial intelligence, to develop reliable and affordable capabilities for analyzing software at scale.^[3] Undersecretary of Defense for Research and Engineering Emil Michael highlighted this report in comments to the DARPA Resilient Software Systems Colloquium in June 2025.^[4]

In addition to government-led efforts, the topic of software understanding has also gained attention in the research community. In 2025, the Software Understanding and Reverse Engineering (SURE) Workshop will be held to bring together academics and practitioners working on technical challenges in program analysis, formal verification, and reverse engineering.^[5]

Several factors contribute to this gap:

• Underinvestment in analysis tools: Decades of prioritizing rapid software development over comprehensive analysis capabilities have created a backlog of software that cannot be thoroughly understood with current tools.
• Overreliance on testing: Organizations often rely on functional testing and vendor attestations rather than deep code analysis, which may miss hidden vulnerabilities or malicious functionality.
• Scalability limitations: Current program analysis tools face limits in scale and precision when applied to modern software systems, which can have astronomically large numbers of possible execution states.
• Rapid evolution: Continuous software updates make it difficult for understanding efforts to keep pace with changes.

In March 2023, a "Software Understanding for National Security" (SUNS) workshop was held in Arlington, Virginia, bringing together experts from 18 government agencies to assess the state of software understanding capabilities.^[6]

In January 2025, four U.S. agencies (CISA, NSA, DARPA, and OUSD (R&E)) released a joint report titled "Closing the Software Understanding Gap," describing software understanding as a national security priority and calling for coordinated government action.^[7]

The report proposed several approaches:

• Promoting secure-by-design practices and independent third-party attestation
• Implementing policy and procurement changes to require higher software transparency standards
• Investing in technical innovation and R&D for automated analysis tools
• Building workforce capabilities and cross-sector collaboration

In 2025, a National Academies consensus study on cyber hard problems emphasized the need for software understanding.^[8]

Static analysis examines code without executing it, using automated tools to identify potential vulnerabilities, coding errors, or suspicious patterns. While comprehensive in scope, static analysis can produce false positives and may struggle with complex program interactions.

Dynamic analysis observes software behavior during execution in controlled environments. Techniques include sandboxing, fuzz testing, and runtime monitoring. This approach can reveal emergent behaviors but only covers the specific execution paths tested.

Formal verification uses mathematical techniques to prove software properties or find counterexamples. While resource-intensive, formal methods can provide strong guarantees about software behavior under specified conditions.

Reverse engineering analyzes compiled software without access to source code, using tools like disassemblers and decompilers. This is essential for analyzing malware, legacy systems, and third-party software.

Machine learning and artificial intelligence are increasingly applied to software understanding tasks, including pattern recognition, vulnerability prediction, and automated code summarization.^[9]

Several high-profile cases have demonstrated the consequences of insufficient software understanding:

Volkswagen programmed engine control software in diesel vehicles to detect emissions testing conditions and temporarily reduce pollution output, while allowing higher emissions during normal driving. The deceptive code went undetected by regulators for years.

Attackers inserted malicious code into SolarWinds Orion software updates, which were then digitally signed and distributed to thousands of customers, including U.S. government agencies. The compromised software went undetected for months despite proper code signing.

A severe vulnerability in the widely used Log4j logging library (CVE-2021-44228) allowed remote code execution and affected thousands of applications. The flaw had been present in the code since 2013 but remained undetected due to the complexity of analyzing software dependencies.

Current research focuses on several areas:

• Mathematical foundations: Developing formal methods for modeling and reasoning about software behavior
• Scalable analysis: Creating modular, composable analysis frameworks that can handle large-scale software systems
• Execution modeling: Improving simulation of software operating environments
• Automated model generation: Using AI to generate analysis models from existing code
• Human-machine collaboration: Designing tools that effectively combine automated analysis with human expertise

• Code review
• Formal verification
• Program analysis
• Reverse engineering
• Software assurance
• Software maintenance
• Static program analysis