EDU: Competing to Build Secure Systems

EDU：竞争构建安全系统

• 批准号: 1319147
• 负责人: Michael Hicks
• 金额: $ 30万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-09-15 至 2016-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1319147&HistoricalAwards=false
• 关键词: EDU; Competing; Build; Secure; Systems; EDU; Competing; Build; Secure; Systems

Even as security has long been a tenet of good programming practice, developers continue to produce insecure software resulting in a litany of data breaches and other compromises. This project aims to improve education on secure software development and add evidence to understanding methods, tools, techniques, and other factors that best contribute to writing secure code. The project centers on a novel multiphase programming competition that combines ideas from two traditionally disparate kinds of contests: those for building code and those for finding bugs in others' code. In phase one, contestants are tasked with building secure code. In phase two, contestants perform vulnerability analyses to attempt to break the code submitted by the other contestants in the first phase. The original builders finally aim to fix exploits discovered in phase two to recover lost points. Educators, practitioners, and policymakers broadly view secure code as important, and yet there is little consensus as to how best to teach and encourage secure-programming practices. By developing a competition, this project creates a setting that is more engaging to students, improving learning outcomes, and moreover enables greater insight into both practice and pedagogy through the analysis of data on how the participants approach secure programming, what techniques they use, and what methodologies succeed or fail for different programming tasks. The educational impact is significant, as the competition scales to hundreds of participants over two years, improving the design of the contest based on each offering. The artifacts and data produced by this project are made freely available to assist secure-programming endeavors across educational institutions. Finally, the students involved in the design, implementation, and execution of the contest are trained in advanced research and pedagogical methods.

即使长期以来的安全性一直是良好的编程实践的宗旨，开发人员仍会生产不安全的软件，从而导致大量数据泄露和其他妥协。该项目旨在改善对安全软件开发的教育，并为了解最有助于编写安全代码的方法，工具，技术和其他因素添加证据。该项目集中在一项新型的多相编程竞赛中，该竞赛结合了两种传统不同种类的竞赛的想法：建筑代码的竞赛以及在他人代码中找到错误的竞赛。在第一阶段，参赛者的任务是构建安全代码。在第二阶段，参赛者执行脆弱性分析，以试图打破第一阶段其他参赛者提交的代码。原始的建筑商最终旨在修复第二阶段发现的漏洞以恢复丢失点。教育者，从业者和政策制定者广泛认为安全的代码很重要，但是关于如何最好地教授和鼓励安全编程的实践几乎没有共识。通过制定竞争，该项目可以通过分析有关参与者如何处理安全的编程，他们使用哪些技术以及哪些方法成功或在不同的编程任务中对不同的方法进行分析，从而使学生更具吸引力，改善学习成果，改善学习成果，并更深入地了解实践和教学法。教育影响很大，因为竞争在两年内扩展到​​数百名参与者，从而根据每次发行改进了比赛的设计。该项目生产的工件和数据可自由使用，以协助跨教育机构进行安全编程的努力。最后，参与竞赛设计，实施和执行的学生接受了高级研究和教学方法的培训。