EDU: Competing to Build Secure Systems

EDU：竞争构建安全系统

• 批准号: 1319147
• 负责人: Michael Hicks
• 金额: $ 30万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-09-15 至 2016-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1319147&HistoricalAwards=false
• 关键词: EDU; Competing; Build; Secure; Systems

Even as security has long been a tenet of good programming practice, developers continue to produce insecure software resulting in a litany of data breaches and other compromises. This project aims to improve education on secure software development and add evidence to understanding methods, tools, techniques, and other factors that best contribute to writing secure code. The project centers on a novel multiphase programming competition that combines ideas from two traditionally disparate kinds of contests: those for building code and those for finding bugs in others' code. In phase one, contestants are tasked with building secure code. In phase two, contestants perform vulnerability analyses to attempt to break the code submitted by the other contestants in the first phase. The original builders finally aim to fix exploits discovered in phase two to recover lost points. Educators, practitioners, and policymakers broadly view secure code as important, and yet there is little consensus as to how best to teach and encourage secure-programming practices. By developing a competition, this project creates a setting that is more engaging to students, improving learning outcomes, and moreover enables greater insight into both practice and pedagogy through the analysis of data on how the participants approach secure programming, what techniques they use, and what methodologies succeed or fail for different programming tasks. The educational impact is significant, as the competition scales to hundreds of participants over two years, improving the design of the contest based on each offering. The artifacts and data produced by this project are made freely available to assist secure-programming endeavors across educational institutions. Finally, the students involved in the design, implementation, and execution of the contest are trained in advanced research and pedagogical methods.

尽管安全性长期以来一直是良好编程实践的原则，但开发人员继续生产不安全的软件，导致一连串的数据泄露和其他妥协。该项目旨在改善安全软件开发的教育，并为理解最有助于编写安全代码的方法，工具，技术和其他因素提供证据。该项目以一种新颖的多阶段编程竞赛为中心，它结合了两种传统上完全不同的竞赛的想法：构建代码的竞赛和在他人代码中发现错误的竞赛。在第一阶段，参赛者的任务是构建安全代码。在第二阶段，参赛者执行漏洞分析，试图破解其他参赛者在第一阶段提交的代码。最初的构建者最终的目标是修复在第二阶段发现的漏洞，以恢复丢失的积分。教育工作者、实践者和政策制定者普遍认为安全代码非常重要，但对于如何最好地教授和鼓励安全编程实践，几乎没有达成共识。通过开发竞赛，该项目创建了一个更吸引学生的环境，提高学习成果，并通过分析参与者如何处理安全编程，他们使用什么技术以及不同编程任务的成功或失败方法的数据，更深入地了解实践和教学法。教育影响是显着的，因为比赛规模超过两年数百名参与者，改进了基于每个产品的比赛设计。该项目产生的工件和数据可以免费提供，以帮助教育机构的安全编程工作。最后，参与竞赛设计、实施和执行的学生将接受先进的研究和教学方法的培训。