RIT researchers are making software secure by design

In the Global Cybersecurity Institute’s new research space, RIT experts are tackling some of the most pressing computing security problems of today.

These researchers include Mehdi Mirakhorli, associate professor of software engineering, and his student team. Together, they are working to make large-scale software systems more secure and resilient.

“Fifty percent of vulnerabilities in today’s software systems are because of design flaws,” said Mirakhorli, who was named Kodak Endowed Scholar in the Golisano College of Computing and Information Sciences. “Today, we patch security bugs, but we don’t get to the root of the problem and identify architectural flaws in the software.”

Software architecture goes beyond just code, explained Mirakhorli. It starts by looking at the unique set of goals that a system needs to accomplish. Whether it’s a banking system or electronic medical records, most software requires reliability, availability, security and performance. However, if the pieces don’t fit together perfectly, the whole system can crumble.

“Not all programmers are designers that understand these important software design principles,” said Mirakhorli. “However, it takes years of experience to become a designer and they are expensive, so we have fewer of them in the industry.”

To help fill this knowledge gap, and make it easier for programmers to put design first, Mirakhorli and his team are finding ways to make software design more intuitive. With more than $4 million in support from the National Science Foundation (NSF), Defense Advanced Research Projects Agency (DARPA) and other organizations, they are developing tools and techniques to help coders take an architectural approach to software design.

Changing the culture of development

‌

Elizabeth Lamark

Mehdi Mirakhorli, an associate professor of software engineering, is leading an RIT cybersecurity research effort to make software secure by design.

As a teacher, Mirakhorli noticed a lack of emphasis on design thinking in the classroom. Many computing students don’t learn about software architecture until the end of college or even when they’re already in industry.

That’s why Mirakhorli made it his long-term goal to synthesize software design into something more intuitive, particularly for new learners and novice programmers.

In 2020, he received a prestigious NSF Faculty Early Career Development (CAREER) award for his efforts in software architecture.

His project aims to change software design and programming from a purely manual and exclusive task, to one in which a programmer and an automated design synthesis tool can collaborate to generate software design and implementation that meets its quality attributes scenarios.

“I’m essentially creating a new programming language that makes it easier for people to express design intent,” said Mirakhorli. “This tool would walk programmers through architecture step-by-step and tell them if they’re violating any design principles. This will lead to fewer errors and security problems.”

For example, a programmer who is excited about adding a login and password to their system, might not know exactly where to place their technology. If they
locate it on the client-side, they could expose their system to an authentication bypass vulnerability.

With Mirakhorli’s tool in-hand, a programmer would automatically be made aware of this vulnerability and learn how to mitigate it.

As part of the CAREER award, Mirakhorli is looking at software design from a cognitive perspective. He meets with new students, novice programmers and expert designers to learn how different people approach architecture problems. He is also developing artificial intelligence that can learn best practices from good software systems out in the world today.

“With this new tool, everyone can start using design thinking from the very beginning,” Mirakhorli said. “This will make our software secure by construction.”

Tools to guide good architecture 

The RIT research team is also developing tools and techniques that can be used
by programmers to detect more vulnerabilities and be more productive.

To better understand current architectural vulnerabilities, Mirakhorli’s team cataloged more than 200 known architectural flaws that can lead to security vulnerabilities. The project is called the Common Architectural Weaknesses Enumeration and it’s supported by the National Cyber Security Division at the Department of Homeland Security and MITRE Corp.

In another study, Danielle Gonzalez, a computing and information sciences Ph.D. student, and Mirakhorli examined common security architectural weaknesses in Industrial Control Systems (ICS)—the units that support manufacturing, electrical power grids and many other critical infrastructures.

After looking at nearly 1,000 vulnerability reports, the team found that almost 63 percent of vulnerability disclosures in ICS had an architectural root cause. The most common architectural weakness was improper input validation. The human-machine interfaces in these systems happened to be the most affected components.

“Many of these systems were not originally designed with internet connectivity in mind, but they are being adapted with new technology that allows managers to do things like monitor a station from their smartphone,” said Gonzalez, who is from Franklinville, N.Y. “We need to pay attention to these security issues and how adding technology affects the architecture.”

Using these findings, the researchers in RIT’s Software Design and Productivity Lab are creating guidelines that can help current programmers with resilient architecture, testing validation and using application programming interfaces (API).

In a project funded by DARPA, Mirakhorli is detecting design flaws at the model level, to ensure that systems are reliable and resilient to cyber incidents. The project, called Achilles, looks for any major architecture weaknesses that could bring a system down entirely.

“For example, if any software module on an airplane crashes mid-flight, we still want it to be reactive to ensure that the plane is functional,” said Mirakhorli.  “We want to make sure that fault detection and recovery mechanisms don’t have any design flaws that compromise safety and resiliency.”

In another project, Gonzalez is working to support developer’s efforts to test their implementations of security-related design decisions. She has created several resources, including a guide for unit testing authentication.

“Programmers are not necessarily used to writing security-minded test cases, so these resources help by explaining exactly what to test for security-related code and how to test it,” said Gonzalez. “As we work to incorporate security into earlier phases of software development, it’s important to support programmers as they adjust to these changes.”

Another important concern that researchers have regarding software architecture, is making sure it’s correctly implemented in a program. Ali Shokri, a computing and information sciences Ph.D. student from Iran, is developing an approach—called ArCode—that helps programmers correctly implement architectural tactics and patterns. 

ArCode aims to work as a learning process, by inferring correct ways to incorporate APIs of application frameworks in a program. It then analyzes any under development in the program to identify deviations from the correct implementation. Finally, it provides recommendations on how to fix the problem.

With this approach, Shokri hopes to find errors that compilers are not able to identify—known as semantic errors—and help programmers fix them to avoid software crashes in the runtime, which can cause severe damage. 

RIT researchers have other answers for coding problems too. Joanna C. S. Santos, a computing and information sciences Ph.D. student, wants to help programmers who make simple mistakes in input validation. She is creating DODO, a tool that automatically analyzes a program’s source code.

“It’s like when you forget to lock your door—mistakes happen,” said Santos, who is from Brazil. “Programmers will miss a validation or have a broken validation.”

For the project, she looked at three large open source systems and found  that input validation problems were the most common error in that software.  By observing common validation problems and using artificial intelligence to collect data, Santos is working to develop a sound program analysis that allows her tool to pinpoint where errors might occur.

Learn more about RIT’s computing security research on the Global Cybersecurity Institute website.