Award Abstract # 1816845
SaTC: CORE: Small: Characterizing Architectural Vulnerabilities

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: ROCHESTER INSTITUTE OF TECHNOLOGY
Initial Amendment Date: August 30, 2018
Latest Amendment Date: April 13, 2020
Award Number: 1816845
Award Instrument: Standard Grant
Program Manager: Sol Greenspan
sgreensp@nsf.gov
(703)292-7841
CNS: Division Of Computer and Network Systems
CSE: Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2018
End Date: September 30, 2022 (Estimated)
Total Intended Award Amount: $439,135.00
Total Awarded Amount to Date: $450,135.00
Funds Obligated to Date: FY 2018 = $439,135.00
FY 2020 = $11,000.00
History of Investigator:
  • Mehdi Mirakhorli (Principal Investigator)
    mehdi23@hawaii.edu
Recipient Sponsored Research Office: Rochester Institute of Tech
1 LOMB MEMORIAL DR
ROCHESTER
NY  US  14623-5603
(585)475-7987
Sponsor Congressional District: 25
Primary Place of Performance: Rochester Institute of Tech
134 Lomb Memorial Dr
Rochester
NY  US  14623-5608
Primary Place of Performance Congressional District: 25
Unique Entity Identifier (UEI): J6TWTRKC1X14
Parent UEI:
NSF Program(s): Special Projects - CNS, Secure & Trustworthy Cyberspace
Primary Program Source: 01001819DB NSF RESEARCH & RELATED ACTIVIT
01002021DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 025Z, 7434, 7923, 9178, 9251
Program Element Code(s): 171400, 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Software architecture plays a fundamental role in addressing security requirements by enforcing the necessary authentication, authorization, confidentiality, data integrity, privacy, accountability, availability and non-repudiation requirements, even when the system is under attack. Therefore, a design flaw in a software system's architecture could lead to attacks with enormous consequences. Most of the research, techniques, and tools that address security focus on secure coding. However, it is difficult to achieve a high level of security (and other quality attributes) by focusing solely on the coding level. Architectural design flaws can overwhelm even the most heroic coding efforts, and ignoring such issues can result in backdoors into systems and severe software vulnerabilities.

This project presents the transformative notion of a Common Architectural Weakness Enumeration (CAWE), defined as a catalog of commonly occurring flaws in the design and implementation of a system's security architecture that can result in severe vulnerabilities and security breaches. Additionally, this work will develop a novel approach for automating the detection of common architectural weaknesses. It combines concepts and techniques from the software reflexion model, program analysis, and pattern matching to develop new algorithms for mapping CAWEs to an application's source code and detecting potential architectural vulnerabilities.

In this project, software vulnerabilities will be extracted from the National Vulnerability Database (NVD), and large-scale empirical studies will be conducted to investigate relationships between architectural flaws and software vulnerabilities. This project is expected to advance software security knowledge on the theoretical foundation, concepts, and automated tools to (1) characterize architectural vulnerabilities and security design flaws that can result in severe security breaches, and (2) automatically identify architectural weaknesses in the source code of a system and suggest appropriate mitigation techniques to fix them. The results of the project will contribute towards enhancing the state of practice for software assurance and cyber security. The CAWE catalog will provide the tool development sector of the software security industry with benchmarks to assess existing software assurance tools. Our automated technique to detect architectural weaknesses will complement existing static and dynamic source code analysis techniques. Ongoing research opportunities will be provided for a diverse group of undergraduate and graduate students. Research and pedagogical materials will be developed and made publicly available for use in a variety of courses in software architecture and software security.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Gonzalez, Danielle and Alhenaki, Fawaz and Mirakhorli, Mehdi. "Architectural Security Weaknesses in Industrial Control Systems (ICS): An Empirical Study Based on Disclosed Software Vulnerabilities." 2019 IEEE International Conference on Software Architecture (ICSA), 2019. https://doi.org/10.1109/ICSA.2019.00012
Santos, Joanna C. S. and Moshtari, Sara and Mirakhorli, Mehdi. "An Automated Approach to Recover the Use-case View of an Architecture." 2020 IEEE International Conference on Software Architecture Companion (ICSA-C), 2020. https://doi.org/10.1109/ICSA-C50368.2020.00020
Mirakhorli, Mehdi and Galster, Matthias and Williams, Laurie. "Understanding Software Security from Design to Deployment." ACM SIGSOFT Software Engineering Notes, v.45, 2020. https://doi.org/10.1145/3385678.3385687
Santos, Joanna C. and Jones, Reese A. and Mirakhorli, Mehdi. "Salsa: static analysis of serialization features." Proceedings of the 22nd ACM SIGPLAN International Workshop on Formal Techniques for Java-Like Programs, 2020. https://doi.org/10.1145/3427761.3428343
Santos, Joanna C. and Suloglu, Selma and Ye, Joanna and Mirakhorli, Mehdi. "Towards an Automated Approach for Detecting Architectural Weaknesses in Critical Systems." ICSEW'20: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, 2020. https://doi.org/10.1145/3387940.3392222
Santos, Joanna C. and Zhang, Xueling and Mirakhorli, Mehdi. "Counterfeit object-oriented programming vulnerabilities: an empirical study in Java." MSR4P&S 2022: Proceedings of the 1st International Workshop on Mining Software Repositories Applications for Privacy and Security, 2022. https://doi.org/10.1145/3549035.3561183
Santos, Joanna C. S. and Tarrit, Katy and Sejfia, Adriana and Mirakhorli, Mehdi and Galster, Matthias. "An empirical study of tactical vulnerabilities." Journal of Systems and Software, v.149, 2019. https://doi.org/10.1016/j.jss.2018.10.030

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Software architecture plays a fundamental role in addressing quality goals, such as security, privacy, safety, dependability, and performance. In order to satisfy a particular security requirement, architects typically consider several alternative architectural solutions, evaluate the trade-offs between them, identify the associated risks and costs of each, and finally select the best option, which should incur the least risks. Architectural design decisions are often based on well-known architectural tactics, defined as reusable techniques for achieving specific quality concerns. Security tactics provide solutions for enforcing the necessary authentication, authorization, confidentiality, data integrity, privacy, accountability, availability, safety and non-repudiation requirements, even when the system is under attack. Previous empirical studies report that about 50% of security problems result from software design flaws, such as misunderstanding architecturally significant requirements, poor architectural implementation, violation of design principles in the source code, and degradations of the security architecture. Flaws in a software system’s architecture can greatly impact various security issues, providing opportunities and flexibility to malicious users. Therefore, with a design flaw in a software system’s architecture, successful attacks could lead to enormous consequences.

This project conducted several empirical studies to characterize architectural vulnerabilities. It provided an enhanced understanding of design weaknesses through a novel catalog of Common Architectural Weaknesses Enumeration (CAWE). Furthermore, it developed new techniques for detecting sample design weaknesses.


Last Modified: 02/19/2023
Modified by: Mehdi Mirakhorli