Software

group_project

Visible to the public  EDU: Collaborative: Using Virtual Machine Introspection for Deep Cyber Security Education

Cybersecurity is one of the most strategically important areas in computer science, and also one of the most difficult disciplines to teach effectively. Historically, hands-on cyber security exercises helped students reinforce basic concepts, but most of them focused on user level attacks and defenses. Since OS kernels provide the foundations to the applications, any compromise to OS kernels will lead to an entirely untrusted computing. Therefore, it is imperative to teach students the practice of kernel level attacks and defenses.

group_project

Visible to the public SaTC-EDU: EAGER: Peer Instruction for Cybersecurity Education

Engineering a secure IT system, in addition to technical skills, requires a particular mindset focused on using cybersecurity solutions effectively against sophisticated and stealthy cyber attacks. The traditional lecture-centric style of teaching has failed to deliver that mindset, which is the direct result of an over-emphasis on specific technical skills (with limited lifespan and insufficient technical depth), abstract rather than deeply technical examination of fundamental concepts, and an impatience in developing broader analytical skills.

group_project

Visible to the public Collaborative: Development and Testing of a Secure Programming Clinic

This capacity building project will create Secure Programming Clinic to enhance student learning and expertise in writing robust, secure software, analogous to a writing clinic in an English department or law school. It provides continual reinforcement of the mechanisms, methods, technologies, and need for programming with security and robustness considerations throughout a student's undergraduate coursework. The clinic would augment courses, not replace them or their content.

group_project

Visible to the public TWC: Small: Collaborative: Discovering Software Vulnerabilities through Interactive Static Analysis

Software development is a complex and manual process, in part because typical software programs contain more than hundreds of thousands lines of computer code. If software programmers fail to perform critical checks in that code, such as making sure a user is authorized to update an account, serious security compromises ensue. Indeed, vulnerable software is one of the leading causes of cyber security problems. Checking for security problems is very expensive because it requires examining computer code for security mistakes, and such a process requires significant manual effort.

group_project

Visible to the public  TWC: Medium: Language-Hardware Co-Design for Practical and Verifiable Information Flow Control

Current cloud computing platforms, mobile computing devices, and embedded devices all have the security weakness that they permit information flows that violate the confidentiality or integrity of information. This project explores an integrated approach in which software and hardware are co-designed with strong, comprehensive, verifiable security assurance. The goal is to develop a methodology for designing systems in which all forms of information flow are tracked, at both the hardware and software levels, and between these levels.

group_project

Visible to the public TWC: Small: Practical Assured Big Data Analysis in the Cloud

The use of "cloud technologies" presents a promising avenue for the requirements of big data analysis. Security concerns however represent a major impediment to the further adoption of clouds: through the sharing of cloud resources, an attack succeeding on one node can tamper with many applications sharing that node.

group_project

Visible to the public Forum on Cyber Resilience

This project provides support for a National Academies Roundtable, the Forum on Cyber Resilience. The Forum will facilitate and enhance the exchange of ideas among scientists, practitioners, and policy makers concerned with the resilience of computing and communications systems, including the Internet, critical infrastructure, and other societally important systems.

group_project

Visible to the public EDU: Deploying and Evaluating Secure Programming Education in the IDE

A number of researchers have advocated that secure programming instruction be integrated across a computing curriculum but there have been relatively few efforts examining how to successfully do so. The proposed research expands upon a previous project by focusing on advanced computing students and courses. The proposed activities include expanding ESIDE tool implementation to support a broader range of security guidelines and code, providing increased contextualization of the instructional materials within the tool, and developing materials and practices for faculty adopting the tool.

group_project

Visible to the public TWC: Medium: Collaborative: Developer Crowdsourcing: Capturing, Understanding, and Addressing Security-related Blind Spots in APIs

Despite an emphasis the security community places on the importance of producing secure software, the number of new security vulnerabilities in software increases every year. This research is based on the assumption that software vulnerabilities are caused by misunderstandings, or lack of knowledge, called blind spots, which the developers experience while they are building systems. When building systems, developers often focus more on functional requirements than on non-functional ones, such as security.

group_project

Visible to the public CRII: SaTC: Lockdown: Guarded Control-Flow and Data Privacy for Sensitive Data

Software systems are under constant attack: extracting sensitive data from running computer systems is a prime and highly lucrative target for attackers. Yet, current defense mechanisms fail to protect confidential or private data along with the integrity and availability of the underlying system. While it is important to find and fix vulnerabilities, it is unlikely that all vulnerabilities will ever be discovered. Therefore, there is an argument to be had for stronger defense mechanisms that protect software systems even in the presence of vulnerabilities.