Research

Student Projects

Grant Nelson

Title: Class Participation in Functions for Technical Debt Analysis of Procedural and Object Oriented Languages

Grant Nelson is researching programmatic Technical Debt analysis, focusing on analysis of procedural languages. During analysis of patterns and anti-patterns in object oriented languages, the membership of methods in classes is used as a metric. Procedural languages do not always specify a membership between functions and structures. Grant is looking into using the variable types of a function's arguments and the arguments' usage inside of the functions to determine a participation score. The participation score is a probability that a function may belong to a structure. If a participation score can be determined such that it can be used in place of the membership metric, then current pattern and anti-pattern analysis can be performed on procedural languages.

Karishma Rahman

Title: Metamorphic Testing for Web Application

Abstract: Software testing is a process that evaluates the software’s functionality by revealing its faults. The testing process can often be complicated and expensive for complex scientific applications. Automation of software testing, which automates parts of the testing process, is thus a practical solution and can make software development much more efficient and cost-effective. Various techniques are also being used to address the oracle problem in security testing, of which, Metamorphic Testing (MT) is one. My research focuses on applying Metamorphic Testing to detect vulnerabilities in web applications.

Prashanta Saha

Title: Improving The Effectiveness Of Metamorphic Testing Using Systematic Test Case Generation

Metamorphic testing is a well-known approach to tackle the oracle problem in software testing. This technique requires source test cases that serve as seeds for the generation of follow-up test cases. Systematic design of test cases is crucial for the test quality. Thus, source test case generation strategy can make a big impact on the fault detection effectiveness of metamorphic testing. Most of the previous studies on metamorphic testing have used either random test data or existing test cases as source test cases. There has been limited research done on systematic source test case generation for metamorphic testing. In my current research, I propose two different source test case generation techniques for testing scientific applications. I will apply coverage-based test case generation approaches, i.e., line, branch, and weak mutation coverage for testing numerical programs. Furthermore, for testing applications of supervised machine learning classifiers, I will apply the property-based test case generation technique. My goal is to select a metamorphic relation based test case generation approach for any particular program. To evaluate these proposed techniques, I plan to conduct experiments on complex open-source projects. My preliminary results suggest that coverage-based test cases’ fault detection effectiveness is significantly higher than the randomly generated source test cases. Moreover, random source test cases have little impact on increasing fault detection effectiveness of metamorphic relations while testing supervised classifiers. These motivational results encourage me to do further experiments to approve my claims. Further, I will integrate my approaches to the metamorphic testing tool called ”METTester” to conduct testing on scientific software applications.

Zach Wadhams

Title: Seamless Conversion of SAST Tool Outputs into GitLab Issues for Enhanced Accessibility

In modern software development environments, Static Code Analysis, also known as Static Application Security Testing (SAST) tools, plays a vital role in ensuring the security, reliability, and compliance of software applications. SAST tools analyze the source code during the development phase, enabling early detection of security vulnerabilities. By identifying security flaws at an early stage, developers can address them promptly and minimize the risk of such vulnerabilities making their way into the final product. SAST tools not only focus on security vulnerabilities but also help improve code quality. Zach is developing a tool that takes reports generated by a commonly used SAST tool, SonarQube, and converts them into GitLab issues for developers to examine and work on. This tool leverages both the API’s of SonarQube and GitLab to retrieve and post issue data. The need for such a tool arose from a case when SonarQube’s reports were behind a firewall, and only a few developers had access to these crucial reports. This resulted in extended turnaround times for fixing vulnerabilities. The developed tool will address this problem by putting these outputs in a place that is familiar to developers: the issues section of a GitLab repository. This approach ensures that more developers will see these security reports and, ultimately, will foster a more security-focused development environment.

Dillon Shaffer

Title: Software Development Environment for Resilient Computing Architectures

As MSU’s radiation tolerant computer (RadPC) prepares for launch, Resilient computing prepares to launch a similar commercialized board. The commercial board will work in a variety of industries; from defense, to outer space. This research delves into the development of an eclipse IDE based plugin that will allow users from all industries to interface with the computer. The plug-in will contain knowledge of the device architecture that enables users unfamiliar with the specifics of the hardware to program it with ease using the C language.

Eric O'Donoghue

Title: Analysis of Software Bill of Materials Compliance/Quality and Software Supply Chain Security Quality Using Hierarchical Quality Models

With the reliance on software across industries, ensuring the securityand quality of software components in software supply chains hasbecome a critical concern for software providers. Software Bill ofMaterials (SBOM) is an emerging technology that provides an inventoryof all software components used in a particular application or system.This thesis addresses two facets of SBOM technology: quality ofsoftware bills of materials in their current state and the applicationof SBOMs as a tool for performing security quality analysis onsoftware supply chains.
Our first research goal is to improve software providers ability inassessing both compliance to government standards and quality ofsoftware bills of materials. We accomplished this goal by developingand validating a hierarchical quality model, name tbd, to evaluate thequality of software bills of materials. Our second goal is to improveproviders ability in assessing software supply chain security qualityutilizing SBOM technology. We accomplished this goal by developing andvalidating a hierarchical security quality model,PIQUE-SBOM-SUPPLYCHAIN-SEC, to evaluate the security quality ofthird-party libraries and packages present in software. While thereare existing tools that can be used to measure SBOM quality orsoftware supply chain security, the use of a model is beneficial inboth these cases as it integrates multiple analysis tools to have abetter coverage of quality and security issues, utilizes existingquality standards, improves scoring accuracy via benchmarking a largecorpus of SBOMs, and finally the aggregation of findings upward into abroader quality and security context.

Gerard Shu Fuhnwi

Title: Empirical Anomaly Detection Techniques

Empirical anomaly detection techniques identify outliers or anomalies in a dataset based on observed data patterns and real-world observations. Unlike rule-based approaches that rely on predefined thresholds, empirical techniques analyze the inherent characteristics of the data to distinguish between normal and abnormal instances. These techniques are driven by the data and often leverage statistical, machine learning, or data-driven methodologies to detect anomalies. By leveraging observed information and data-driven methods, these techniques play a crucial role in applications ranging from cybersecurity, fraud detection, industrial systems, and healthcare. However, anomaly detection techniques pose several challenges, such as defining the region or boundary to accept between normal and abnormal instances, getting accurate and representative labels for normal and abnormal instances, defining an anomaly in different application domains, nature of class imbalances between normal and abnormal instances, vast and complex amount of data available in this domain and accurate evaluation metrics. My research focuses on handling imbalanced datasets, interpretability of complex models using statistical testing, and combining multiple detection methods to enhance accuracy and reduce false positives.

Yvette Hastings

Title: Software Engineering for Enhanced Reactive Transport Modeling Software

Modeling software used to evaluate earth science processes are foundational tools used to assess and evaluate changes in the environment. Many earth science modeling software have not been designed by software engineers, which has resulted in software that is lacking in software quality and useability. Because of this, I will be merging the fields of earth science and software engineering to create reactive transport modeling software that meets high software quality standards. This will enhance the earth scientsist user experience and improve environmental monitoring and prediction.

Redempta Manzi

Title: Implementation of Data Science Approaches to Improve the Analysis of Cybersecurity Threats in Software Systems

Today’s growing dependence on technology has not only increased convenience and efficiency but has also created an expanded cybersecurity risk, particularly with software systems. Detecting and quantifying security threats such as vulnerabilities and weaknesses in software systems has been a challenging problem in research. To address this challenge, one approach is to benchmark a system against existing similar systems. Therefore, I am (1) analyzing software static analysis tools results to measure the security of different systems (Binary Files, SBOMs, and Docker Images); (2) investigating theoretical and empirical approaches for integrating static-analysis tool outputs; (3) improving the validity of HSQA models (utility function) to predict the security score of a system under analysis.

Graduated Students:

Pearsall, R. "An Evaluation of Graph Representations of Programs for Malware Detection and Categorization using Graph-Based Machine Learning Methods." August 2023
Rehman, F. "Improving the confidence of machine learning models through improved software testing approaches." December 2022
McCartney, S. "A Framework to Assess Bug-Bounty Platforms based on Potential Attack Vectors." December 2022
Rehman F. "Improving the Confidence of Machine Learning Models Through Improved Software Testing.Approaches,: December 2022
Harrison P. "Analyzing The Security Of C# Source Code Using A Hierarchical Quality Model,: May 2022.
Griffith I. "Design Pattern Decay -A Study of Design Pattern Grime and its Impact on Quality and Technical Debt,: December 2021
Johnson A. "The Analysis of Binary File Security Using A Hierarchical Quali!)' Model,􀀲 December 2021
Rice D. "An Extensible Hierarchical Architecture for Analysis of Software Quali!)' Assurance," December 2020
King H.K. "Informing the Construction of Narrative-Based Risk Communication.􀀿 November 2019
Reimanis D.K. "The Identification, Characterization, and Evaluation of Model-Based Behavioral Decay in Design Patterns." August 2019
Smith K. "Exgloratory Study on the Effectiveness of Ty􀁍 Level Complexi!)' Metrics,􀁎 April 2018
Luhr R. "The Application of Technical Debt Mitigation Techniques to a Multidisciplin!!!)'. software Project. April 2015
Griffith I. "Technical Debt Management in Release Planning -A Decision Support Framework,: August 2014
Dale M. "Impacts of Modular Grime on Technical Debt,: April 2014
Schanz T. "A Taxonomy of Modular Grime in Design Patterns,: April 2011

Sponsored Research

Department of Homeland Security

Construction Engineer Research Lab (CERL)

Resilient Computing

Hoplite Industries

WolfSSL

Department of Homeland Security/Idaho National Labs

Research Experiences for Undergraduates (REU)

Raytheon

Northwest Virtual Institute for Cybersecurity Education and Research (CySER)

Blackthorne