SaTC: CORE: Small: Characterizing Architectural Vulnerabilities

SaTC：核心：小：描述架构漏洞

• 批准号: 1816845
• 负责人: Mehdi Mirakhorli
• 金额: $ 43.91万
• 依托单位: Rochester Institute of Tech
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-10-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1816845&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Characterizing; Architectural

Software architecture plays a fundamental role in addressing security requirements by enforcing the necessary authentication, authorization, confidentiality, data integrity, privacy, accountability, availability and non-repudiation requirements, even when the system is under attack. Therefore, a design flaw in a software system's architecture could lead to attacks with enormous consequences. Most of the research, techniques, and tools that address security focus on secure coding. However, it is difficult to achieve a high level of security (and other quality attributes) by focusing solely at the coding level. Architectural design flaws can overwhelm even the most heroic coding efforts, and ignoring such issues can result in backdoors into systems and severe software vulnerabilities.This project presents the transformative notion of a Common Architectural Weakness Enumeration (CAWE), defined as a catalog of commonly-occurring flaws in the design and implementation of a system's security architecture that can result in severe vulnerabilities and security breaches. Additionally, this work will develop a novel approach for automating the detection of common architectural weaknesses. It combines concepts and techniques from the software reflexion model, program analysis, as well as pattern matching techniques to develop new algorithms for mapping CAWEs to an application's source code and detecting potential architectural vulnerability. In this project, software vulnerabilities will be extracted from the National Vulnerability Database (NVD) and large scale empirical studies will be conducted to investigate relationships between architectural flaws and software vulnerabilities. This project is expected to advance software security knowledge on the theoretical foundation, concepts, and automated tools to (1) characterize architectural vulnerabilities and security design flaws that can result in severe security breaches, and (2) automatically identify architectural weaknesses in the source code of a system and suggest appropriate mitigation techniques to fix them. The results of the project will contribute towards enhancing the state of practice for software assurance and cyber security. The CAWE catalog will provide the tool development sector of software security industry with benchmarks to assess existing software assurance tools. Our automated technique to detect architectural weaknesses will complement existing static and dynamic source code analysis techniques. Ongoing research opportunities will be provided for a diverse group of undergraduate and graduate students. Research and pedagogical materials will be developed and made publicly available for use in a variety of courses in software architecture and software security.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

软件体系结构在满足安全要求方面发挥着根本作用，即使在系统受到攻击的情况下，也能执行必要的认证、授权、保密性、数据完整性、隐私、问责制、可用性和不可否认性要求。因此，软件系统架构中的设计缺陷可能导致具有巨大后果的攻击。大多数解决安全问题的研究、技术和工具都集中在安全编码上。然而，仅仅关注编码级别很难实现高级别的安全性（和其他质量属性）。架构设计缺陷甚至可以压倒最英勇的编码工作，忽略这些问题可能会导致后门进入系统和严重的软件漏洞。该项目提出了通用架构弱点枚举（CAWE）的变革性概念，定义为系统安全架构的设计和实现中常见的缺陷目录，这些缺陷可能导致严重的漏洞和安全漏洞。 此外，这项工作将开发一种新的方法来自动检测常见的架构弱点。它结合了软件反射模型，程序分析，以及模式匹配技术的概念和技术，开发新的算法映射CAWE应用程序的源代码和检测潜在的架构漏洞。在这个项目中，软件漏洞将从国家漏洞数据库（NVD）中提取，并进行大规模的实证研究，以调查架构缺陷和软件漏洞之间的关系。该项目预计将在理论基础，概念和自动化工具方面推进软件安全知识，以（1）描述可能导致严重安全漏洞的架构漏洞和安全设计缺陷，以及（2）自动识别系统源代码中的架构弱点，并建议适当的缓解技术来修复它们。该项目的成果将有助于加强软件保证和网络安全的实践状况。CAWE目录将为软件安全行业的工具开发部门提供评估现有软件保证工具的基准。我们的自动化技术来检测架构的弱点将补充现有的静态和动态源代码分析技术。正在进行的研究机会将提供给不同群体的本科生和研究生。研究和教学材料将被开发并公开提供给软件架构和软件安全的各种课程使用。该奖项反映了NSF的法定使命，并被认为值得通过使用基金会的知识价值和更广泛的影响审查标准进行评估来支持。

项目成果

Towards an Automated Approach for Detecting Architectural Weaknesses in Critical Systems

• DOI: 10.1145/3387940.3392222
• 发表时间: 2020-06
• 期刊: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops
• 作者: Joanna C. S. Santos;Selma Suloglu;J. Ye;Mehdi Mirakhorli

An Automated Approach to Recover the Use-case View of an Architecture

恢复架构用例视图的自动化方法

• DOI: 10.1109/icsa-c50368.2020.00020
• 发表时间: 2020
• 期刊: 2020 IEEE International Conference on Software Architecture Companion (ICSA-C
• 作者: Joanna Santos, C. S.;Moshtari, Sara;Mirakhorli, Mehdi
• 通讯作者: Mirakhorli, Mehdi

Counterfeit object-oriented programming vulnerabilities: an empirical study in Java

• DOI: 10.1145/3549035.3561183
• 发表时间: 2022-11
• 期刊: Proceedings of the 1st International Workshop on Mining Software Repositories Applications for Privacy and Security
• 作者: Joanna C. S. Santos;Xueling Zhang;Mehdi Mirakhorli

An empirical study of tactical vulnerabilities

• DOI: 10.1016/j.jss.2018.10.030
• 发表时间: 2019-03
• 期刊: J. Syst. Softw.
• 作者: Joanna C. S. Santos;K. Tarrit;Adriana Sejfia;Mehdi Mirakhorli;M. Galster

Understanding Software Security from Design to Deployment

了解从设计到部署的软件安全性

• DOI: 10.1145/3385678.3385687
• 发表时间: 2020
• 期刊: ACM SIGSOFT Software Engineering Notes
• 作者: Mirakhorli, Mehdi;Galster, Matthias;Williams, Laurie
• 通讯作者: Williams, Laurie