TWC: Medium: Collaborative: Developer Crowdsourcing: Capturing, Understanding, and Addressing Security-related Blind Spots in APIs

TWC：媒介：协作：开发者众包：捕获、理解和解决 API 中与安全相关的盲点

• 批准号: 1513055
• 负责人: Yuriy Brun
• 金额: $ 38.28万
• 依托单位: University of Massachusetts Amherst
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-09-01 至 2019-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1513055&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Developer; Crowdsourcing

Despite an emphasis the security community places on the importance of producing secure software, the number of new security vulnerabilities in software increases every year. This research is based on the assumption that software vulnerabilities are caused by misunderstandings, or lack of knowledge, called blind spots, which the developers experience while they are building systems. When building systems, developers often focus more on functional requirements than on non-functional ones, such as security. Thus, they can make design decisions that prioritize functionality without noticing the security vulnerabilities these decisions create. Today, developers often have no access to effective software tools that highlight these vulnerabilities during development. This research identifies common developer blind spots with the goal of building and evaluating practical software tools that help prevent blind spots during development and detect vulnerabilities in deployed software.To capture developers' reasoning when faced with blind spots, and to identify common blind spot characteristics, this research converts several identified blind spots into programming puzzles, and conducts a user study with developers solving these puzzles. Statistical analysis of the developers' answers identifies common characteristics among blind spots, and the observations of developers' behaviors guide the creation of tools to automatically detect blind spots and to warn developers about them as developers experience them. The tools have two complementary goals: (1) prevent blind spots from occurring by cueing developers on-the-spot about potential blind spots as they write code, and (2) identify software vulnerabilities in existing applications by detecting code that may have been written as a result of a blind spot. This research evaluates these newly developed tools in the context of a user study with developers, producing the following outcomes: (1) understanding of blind spots in application programming interfaces (APIs), and of developers' attentional and decision processes when writing code using APIs, (2) understanding of how to notify, without habituation and annoyance, developers on-the-spot about blind spots so that relevant security information is used by developers while writing code, (3) creation of open-source, publicly available developer tools that notify developers about blind spots and facilitate detection of vulnerabilities caused by blind spots, and (4) development of guidelines for better API design to minimize blind spots by considering developers' attentional and decision processes. This research addresses an important gap in secure software development by incorporating the human factor of the development process. This is particularly crucial given our society's increasing dependence on software applications.

尽管安全社区强调生产安全软件的重要性，但软件中新的安全漏洞的数量每年都在增加。这项研究是基于这样的假设，即软件漏洞是由误解或缺乏知识造成的，称为盲点，开发人员在构建系统时会遇到这些盲点。在构建系统时，开发人员通常更关注功能性需求，而不是非功能性需求，例如安全性。因此，他们可以做出优先考虑功能的设计决策，而不会注意到这些决策产生的安全漏洞。今天，开发人员通常无法获得有效的软件工具，在开发过程中突出这些漏洞。本研究以开发人员的共同盲点为研究对象，旨在构建和评估实用的软件工具，以帮助开发人员在开发过程中预防盲点，并检测已部署软件中的漏洞。为了捕捉开发人员在面对盲点时的推理，并确定共同盲点的特征，本研究将几个已识别的盲点转换为编程难题，并与解决这些难题的开发人员进行用户研究。对开发人员答案的统计分析确定了盲点中的共同特征，对开发人员行为的观察指导了工具的创建，以自动检测盲点，并在开发人员遇到盲点时警告开发人员。这些工具有两个互补的目标：（1）通过在开发人员编写代码时提示他们潜在的盲点来防止盲点的发生，以及（2）通过检测可能由于盲点而编写的代码来识别现有应用程序中的软件漏洞。这项研究在与开发人员进行用户研究的背景下评估了这些新开发的工具，产生了以下结果：（1）了解应用程序编程接口（API）中的盲点，以及开发人员在使用API编写代码时的注意力和决策过程，（2）了解如何通知，而不习惯和烦恼，开发人员在现场了解盲点，以便开发人员在编写代码时使用相关的安全信息，（3）创建开源的、公开可用的开发人员工具，其通知开发人员盲点并促进检测由盲点引起的漏洞，以及（4）制定更好的API设计指南，通过考虑开发人员的注意力和决策过程，最大限度地减少盲点。这项研究解决了一个重要的差距，在安全的软件开发，将开发过程中的人为因素。鉴于我们的社会对软件应用程序的依赖性越来越大，这一点尤为重要。

项目成果

Automatically Generating Precise Oracles from Structured Natural Language Specifications

• DOI: 10.1109/icse.2019.00035
• 发表时间: 2019-05
• 期刊: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)
• 作者: Manish Motwani;Yuriy Brun