SaTC: CORE: Small: Characterizing Architectural Vulnerabilities

SaTC：核心：小：描述架构漏洞

• 批准号: 1816845
• 负责人: Mehdi Mirakhorli
• 金额: $ 43.91万
• 依托单位: Rochester Institute of Tech
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-10-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1816845&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Characterizing; Architectural

Software architecture plays a fundamental role in addressing security requirements by enforcing the necessary authentication, authorization, confidentiality, data integrity, privacy, accountability, availability and non-repudiation requirements, even when the system is under attack. Therefore, a design flaw in a software system's architecture could lead to attacks with enormous consequences. Most of the research, techniques, and tools that address security focus on secure coding. However, it is difficult to achieve a high level of security (and other quality attributes) by focusing solely at the coding level. Architectural design flaws can overwhelm even the most heroic coding efforts, and ignoring such issues can result in backdoors into systems and severe software vulnerabilities.This project presents the transformative notion of a Common Architectural Weakness Enumeration (CAWE), defined as a catalog of commonly-occurring flaws in the design and implementation of a system's security architecture that can result in severe vulnerabilities and security breaches. Additionally, this work will develop a novel approach for automating the detection of common architectural weaknesses. It combines concepts and techniques from the software reflexion model, program analysis, as well as pattern matching techniques to develop new algorithms for mapping CAWEs to an application's source code and detecting potential architectural vulnerability. In this project, software vulnerabilities will be extracted from the National Vulnerability Database (NVD) and large scale empirical studies will be conducted to investigate relationships between architectural flaws and software vulnerabilities. This project is expected to advance software security knowledge on the theoretical foundation, concepts, and automated tools to (1) characterize architectural vulnerabilities and security design flaws that can result in severe security breaches, and (2) automatically identify architectural weaknesses in the source code of a system and suggest appropriate mitigation techniques to fix them. The results of the project will contribute towards enhancing the state of practice for software assurance and cyber security. The CAWE catalog will provide the tool development sector of software security industry with benchmarks to assess existing software assurance tools. Our automated technique to detect architectural weaknesses will complement existing static and dynamic source code analysis techniques. Ongoing research opportunities will be provided for a diverse group of undergraduate and graduate students. Research and pedagogical materials will be developed and made publicly available for use in a variety of courses in software architecture and software security.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

软件体系结构在解决必要的身份验证，授权，保密性，数据完整性，隐私，问责制，可用性和非撤销要求中，即使系统受到攻击，可以通过执行必要的身份验证，授权，保密性，数据完整性，隐私性，问责制，责任性，可用性，可用性和非撤销要求，在解决安全要求方面发挥着基本作用。因此，软件系统体系结构中的设计缺陷可能会导致巨大后果的攻击。解决安全性的大多数研究，技术和工具都集中在安全编码上。但是，很难通过仅专注于编码水平来实现高度的安全性（和其他质量属性）。建筑设计缺陷甚至可以压倒最英勇的编码工作，而忽略此类问题可能会导致后门进入系统和严重的软件漏洞。该项目提出了常见的建筑无力枚举（CAWE）的变革性概念，被定义为常见的杂种范围的繁重范围，可以使系统的设计和实施阶级的整体范围进行整理。 此外，这项工作将开发出一种新型方法，用于自动检测常见的建筑弱点。它结合了软件反射模型，程序分析以及模式匹配技术的概念和技术，以开发新算法，以将CAWES映射到应用程序的源代码并检测潜在的建筑脆弱性。在该项目中，将从国家漏洞数据库（NVD）中提取软件漏洞，并将进行大规模的经验研究，以研究建筑缺陷与软件漏洞之间的关系。预计该项目将提高有关理论基础，概念和自动化工具的软件安全知识，以（1）表征建筑脆弱性和安全设计缺陷，这些缺陷可能导致严重的安全漏洞，并且（2）自动在系统的源代码中自动识别系统源代码中的建筑弱点，并提出适当的缓解技术来修复它们。该项目的结果将有助于增强软件保证和网络安全的实践状态。 Cawe目录将为软件安全行业的工具开发领域提供基准，以评估现有的软件保证工具。我们检测建筑弱点的自动化技术将补充现有的静态和动态源代码分析技术。将为各种各样的本科生和研究生提供持续的研究机会。研究和教学材料将被开发并公开用于软件体系结构和软件安全的各种课程中。该奖项反映了NSF的法定任务，并使用基金会的知识分子优点和更广泛的影响审查标准，认为值得通过评估来获得支持。

项目成果

Towards an Automated Approach for Detecting Architectural Weaknesses in Critical Systems

• DOI: 10.1145/3387940.3392222
• 发表时间: 2020-06
• 期刊: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops
• 作者: Joanna C. S. Santos;Selma Suloglu;J. Ye;Mehdi Mirakhorli

An Automated Approach to Recover the Use-case View of an Architecture

恢复架构用例视图的自动化方法

• DOI: 10.1109/icsa-c50368.2020.00020
• 发表时间: 2020
• 期刊: 2020 IEEE International Conference on Software Architecture Companion (ICSA-C
• 作者: Joanna Santos, C. S.;Moshtari, Sara;Mirakhorli, Mehdi
• 通讯作者: Mirakhorli, Mehdi

Counterfeit object-oriented programming vulnerabilities: an empirical study in Java

• DOI: 10.1145/3549035.3561183
• 发表时间: 2022-11
• 期刊: Proceedings of the 1st International Workshop on Mining Software Repositories Applications for Privacy and Security
• 作者: Joanna C. S. Santos;Xueling Zhang;Mehdi Mirakhorli

Understanding Software Security from Design to Deployment

了解从设计到部署的软件安全性

• DOI: 10.1145/3385678.3385687
• 发表时间: 2020
• 期刊: ACM SIGSOFT Software Engineering Notes
• 作者: Mirakhorli, Mehdi;Galster, Matthias;Williams, Laurie
• 通讯作者: Williams, Laurie

An empirical study of tactical vulnerabilities

• DOI: 10.1016/j.jss.2018.10.030
• 发表时间: 2019-03
• 期刊: J. Syst. Softw.
• 作者: Joanna C. S. Santos;K. Tarrit;Adriana Sejfia;Mehdi Mirakhorli;M. Galster