Building and Monitoring Security in Emerging Softwarized Systems

在新兴软件化系统中构建和监控安全性

• 批准号: RGPIN-2020-03980
• 负责人: Zulkernine, Mohammad
• 金额: $ 4.01万
• 依托单位: Queen's University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2020
• 资助国家: 加拿大
• 起止时间: 2020-01-01 至 2021-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=716749
• 关键词: Building; Monitoring; Security; Emerging; Softwarized

The security of softwarized systems (i.e., software-centric or software-controlled systems) is critical to ensure that evolving digital environments remain both safe and effective. The growing complexity of softwarized systems (that is, transitioning from hardware-driven to software-driven systems) and their constantly changing runtime environments require a significant increase in the capability of security analysts and software engineers to monitor their security. To timely deliver software capabilities for emerging domains (e.g., cloud) or applications (e.g., connected vehicles), software providers prioritize functionality over security, resulting in a system vulnerable to attacks. The proposed research will innovate a variety of automated techniques for secure softwarization by addressing security issues in different stages of a development life cycle and subsequent monitoring at runtime. This research will develop methods and tools for intrusion scenario description and automatic signature generation from the scenarios. A monitoring system will be developed to detect intrusions into software systems by comparing their operational behavior with the generated signatures. Commonly recurring security problems can be addressed using security patterns. Such patterns will be used to realize security requirements in software design, with security violation detected by automatic runtime analysis of the patterns. Motivated by an increased recognition of the importance of prioritizing both security and functionality, softwarized systems are turning to cloud for Software as a Service (SaaS) to instantly access or update various software capabilities via the internet. This research will provide a novel comprehensive platform to incorporate security activities and services at different phases of the SaaS development lifecycle. The platform will provide end to end information protection and harden SaaS applications against prevalent security threats. Vehicles are being softwarized very rapidly, inevitably making connected and autonomous vehicles (CAVs) soft targets of cyber-attacks. Existing software development methodologies do not address the range of security challenges encountered in developing software for modern softwarized vehicles. This research will apply the above-mentioned software development and monitoring tools and techniques to improve CAV software security. The proposed research program will play a vital role in advancing the state of the art of security in emerging complex softwarized systems. The program is in alignment with the Government of Canada's immediate need for cybersecurity experts to protect Canadians from cyberattacks. The program will consider and promote equity, diversity and inclusion (EDI) and facilitate a unique training environment for five graduate students per year by incorporating both software engineering and security engineering principles and collaborating closely with our various Canadian industry connections.

软件化系统(即以软件为中心或软件控制的系统)的安全对于确保不断发展的数字环境既安全又有效至关重要。软件化系统(即从硬件驱动的系统过渡到软件驱动的系统)及其不断变化的运行时环境的日益复杂要求安全分析师和软件工程师大幅提高监控其安全性的能力。为了及时为新兴领域(如云)或应用程序(如联网车辆)提供软件功能，软件提供商将功能置于安全之上，从而导致系统容易受到攻击。 拟议的研究将通过解决开发生命周期不同阶段的安全问题和随后的运行时监控来创新各种自动化技术，以实现安全软件。本研究将开发入侵场景描述和从场景中自动生成签名的方法和工具。将开发一个监测系统，通过将软件系统的操作行为与生成的签名进行比较来检测对软件系统的入侵。通常重复出现的安全问题可以使用安全模式来解决。这些模式将用于实现软件设计中的安全需求，并通过模式的自动运行时分析来检测安全违规。随着人们越来越认识到优先考虑安全和功能的重要性，软件化系统正转向云，以实现软件即服务(SaaS)，以便通过互联网即时访问或更新各种软件功能。这项研究将提供一个新颖的综合平台，以整合SaaS开发生命周期不同阶段的安全活动和服务。该平台将提供端到端的信息保护，并加强SaaS应用程序以抵御普遍存在的安全威胁。汽车的软件化速度非常快，不可避免地使联网和自动驾驶汽车(CAV)成为网络攻击的软目标。现有的软件开发方法不能解决在为现代软件化车辆开发软件时遇到的一系列安全挑战。本研究将应用上述软件开发和监控工具和技术来提高CAV软件的安全性。 拟议的研究计划将在推动新兴复杂软件系统的安全技术水平方面发挥至关重要的作用。该计划符合加拿大政府对网络安全专家的迫切需求，以保护加拿大人免受网络攻击。该计划将考虑和促进公平、多样性和包容性(EDI)，并通过纳入软件工程和安全工程原则并与我们在加拿大的各种行业关系密切合作，促进每年为五名研究生提供独特的培训环境。