Supporting software security by measuring, coordinating, and enforcing software trustworthiness

通过测量、协调和加强软件可信度来支持软件安全

• 批准号: 402445-2011
• 负责人: Locasto, Michael
• 金额: $ 2.48万
• 依托单位: University of Calgary
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2015
• 资助国家: 加拿大
• 起止时间: 2015-01-01 至 2016-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=573285
• 关键词: Supporting; software; security; measuring; coordinating

The public often has little guidance when selecting security software to defend their computers. What makes this problem so difficult is the lack of information on what specific parts of a computer system (and its software) various anti-virus, anti-spyware, and firewall software actually monitor and defend. Information security experts typically recommend multiple layers of defense (i.e., "defense-in-depth"), but there is little concrete evidence for judging what software to pick or determining the makeup of those layers. The key scientific issue here focuses on how to compose trust -- the notion that software will behave as expected -- in these systems. This work thus seeks to measure the composition of existing software protection mechanisms for how much of a computer they "cover." This work also proposes models for how to design security software to cooperate (rather than compete) because their competition typically results in unstable or crashing computers due to conflicting modifications. Pasting two or more security mechanisms together in the name of "defense-in-depth" and having them interact in unanticipated, counterproductive, or ultimately insecure ways does not seem very desirable. Although this research examines fundamentally hard scientific problems like how to compose trust relationships in software, the work in this proposal will have a very practical outcome: enabling end-users and organizations to more clearly understand what their chosen collection of protection mechanisms provides.

公众在选择安全软件来保护他们的计算机时往往没有什么指导。 使这个问题如此困难的是缺乏关于计算机系统（及其软件）的哪些特定部分的信息，各种反病毒，反间谍软件和防火墙软件实际上监视和防御。 信息安全专家通常建议多层防御（即，“纵深防御”），但几乎没有具体的证据来判断选择什么软件或确定这些层的组成。 这里的关键科学问题集中在如何在这些系统中构建信任--软件将按预期运行的概念。因此，这项工作旨在衡量现有的软件保护机制的组成，以确定它们“覆盖”计算机的多少。“这项工作还提出了如何设计安全软件进行合作（而不是竞争）的模型，因为它们的竞争通常会导致由于相互冲突的修改而导致计算机不稳定或崩溃。 以“深度防御”的名义将两个或多个安全机制粘贴在一起，并让它们以不可预见的、适得其反的或最终不安全的方式进行交互，这似乎不是很理想。 虽然这项研究从根本上探讨了如何在软件中构建信任关系等困难的科学问题，但这项提案中的工作将产生非常实际的结果：使最终用户和组织能够更清楚地了解他们选择的保护机制集合提供了什么。