Department of Homeland Security
The HSQA project addresses three areas that align with DHS S&T long term strategies:
- Measure source code quality and maturity of ICS and cloud based software
- Composition, stylometry and origination of software
- Identify secured and sensitive sections of source code
Construction Engineer Research Lab (CERL)
We work with the TSEAL team at TechLink to test software components as well as provide support for measuring the quality assurance of these software components.
We collaborate with this MSU spin-out on the commercialization of edge computing technologies that are used in space and in our nation’s critical infrastructure.
We collaborate with MSU's Software Engineering and Cybersecurity Laboratory by providing access to resources, training and providing internships to ROTC cadets through our CySER grant in collaboration with Griffiss Institute and Washington State University.
We are working with MSU to help test the neXtECU controllers to increase cybersecurity protection.
Department of Homeland Security/Idaho National Labs
We have developed a framework that allows managers to make informed decisions and gives developers more visibility into code vulnerabilities.
Research Experiences for Undergraduates (REU)
The REU summer program provides an opportunity for students from around the country to come to MSU for an immersive summer learning experience.
Building on MSU’s prior research on building fault-tolerant computers for NASA, we design hardware diversity to make flight computers resilient to cyber-attacks.
Northwest Virtual Institute for Cybersecurity Education and Research (CySER)
As part of this inter-institution program, ROTC cadets at MSU participate in a baseline cybersecurity class their first semester and carry out a senior capstone project.
Blackthorne Consulting is working with SECL to investigate new digital forensics techniques.
Title: Class Participation in Functions for Technical Debt Analysis of Procedural and Object Oriented Languages
Grant Nelson is researching programmatic Technical Debt analysis, focusing on analysis of procedural languages. During analysis of patterns and anti-patterns in object oriented languages, the membership of methods in classes is used as a metric. Procedural languages do not always specify a membership between functions and structures. Grant is looking into using the variable types of a function's arguments and the arguments' usage inside of the functions to determine a participation score. The participation score is a probability that a function may belong to a structure. If a participation score can be determined such that it can be used in place of the membership metric, then current pattern and anti-pattern analysis can be performed on procedural languages.
Title: Metamorphic Testing for Web Application
Abstract: Software testing is a process that evaluates the software’s functionality by revealing its faults. The testing process can often be complicated and expensive for complex scientific applications. Automation of software testing, which automates parts of the testing process, is thus a practical solution and can make software development much more efficient and cost-effective. Various techniques are also being used to address the oracle problem in security testing, of which, Metamorphic Testing (MT) is one. My research focuses on applying Metamorphic Testing to detect vulnerabilities in web applications.
Title: Improving The Effectiveness Of Metamorphic Testing Using Systematic Test Case Generation
Metamorphic testing is a well-known approach to tackle the oracle problem in software testing. This technique requires source test cases that serve as seeds for the generation of follow-up test cases. Systematic design of test cases is crucial for the test quality. Thus, source test case generation strategy can make a big impact on the fault detection effectiveness of metamorphic testing. Most of the previous studies on metamorphic testing have used either random test data or existing test cases as source test cases. There has been limited research done on systematic source test case generation for metamorphic testing. In my current research, I propose two different source test case generation techniques for testing scientific applications. I will apply coverage-based test case generation approaches, i.e., line, branch, and weak mutation coverage for testing numerical programs. Furthermore, for testing applications of supervised machine learning classifiers, I will apply the property-based test case generation technique. My goal is to select a metamorphic relation based test case generation approach for any particular program. To evaluate these proposed techniques, I plan to conduct experiments on complex open-source projects. My preliminary results suggest that coverage-based test cases’ fault detection effectiveness is significantly higher than the randomly generated source test cases. Moreover, random source test cases have little impact on increasing fault detection effectiveness of metamorphic relations while testing supervised classifiers. These motivational results encourage me to do further experiments to approve my claims. Further, I will integrate my approaches to the metamorphic testing tool called “METTester” to conduct testing on scientific software applications.
Title: Seamless Conversion of SAST Tool Outputs into GitLab Issues for Enhanced Accessibility
In modern software development environments, Static Code Analysis, also known as Static Application Security Testing (SAST) tools, plays a vital role in ensuring the security, reliability, and compliance of software applications. SAST tools analyze the source code during the development phase, enabling early detection of security vulnerabilities. By identifying security flaws at an early stage, developers can address them promptly and minimize the risk of such vulnerabilities making their way into the final product. SAST tools not only focus on security vulnerabilities but also help improve code quality. Zach is developing a tool that takes reports generated by a commonly used SAST tool, SonarQube, and converts them into GitLab issues for developers to examine and work on. This tool leverages the APIs of both SonarQube and GitLab to retrieve and post issue data. The need for such a tool arose from a case when SonarQube’s reports were behind a firewall, and only a few developers had access to these crucial reports. This resulted in extended turnaround times for fixing vulnerabilities. The developed tool will address this problem by putting these outputs in a place that is familiar to developers: the issues section of a GitLab repository. This approach ensures that more developers will see these security reports and, ultimately, will foster a more security-focused development environment.
Title: Software Development Environment for Resilient Computing Architectures
As MSU’s radiation tolerant computer (RadPC) prepares for launch, Resilient Computing prepares to launch a similar commercialized board. The commercial board will work in a variety of industries, from defense to outer space. This research delves into the development of an Eclipse IDE-based plug-in that will allow users from all industries to interface with the computer. The plug-in will contain knowledge of the device architecture that enables users unfamiliar with the specifics of the hardware to program it with ease using the C language.
Title: Analysis of Software Bill of Materials Compliance/Quality and Software Supply Chain Security Quality Using Hierarchical Quality Models
With the reliance on software across industries, ensuring the security and quality of software components in software supply chains has become a critical concern for software providers. Software Bill of Materials (SBOM) is an emerging technology that provides an inventory of all software components used in a particular application or system. This thesis addresses two facets of SBOM technology: quality of software bills of materials in their current state and the application of SBOMs as a tool for performing security quality analysis on software supply chains.
Our first research goal is to improve software providers' ability in assessing both compliance to government standards and quality of software bills of materials. We accomplished this goal by developing and validating a hierarchical quality model, name tbd, to evaluate the quality of software bills of materials. Our second goal is to improve providers' ability in assessing software supply chain security quality utilizing SBOM technology. We accomplished this goal by developing and validating a hierarchical security quality model, PIQUE-SBOM-SUPPLYCHAIN-SEC, to evaluate the security quality of third-party libraries and packages present in software. While there are existing tools that can be used to measure SBOM quality or software supply chain security, the use of a model is beneficial in both these cases as it integrates multiple analysis tools to have a better coverage of quality and security issues, utilizes existing quality standards, improves scoring accuracy via benchmarking a large corpus of SBOMs, and finally the aggregation of findings upward into a broader quality and security context.
Gerard Shu Fuhnwi
Title: Empirical Anomaly Detection Techniques
Empirical anomaly detection techniques identify outliers or anomalies in a dataset based on observed data patterns and real-world observations. Unlike rule-based approaches that rely on predefined thresholds, empirical techniques analyze the inherent characteristics of the data to distinguish between normal and abnormal instances. These techniques are driven by the data and often leverage statistical, machine learning, or data-driven methodologies to detect anomalies. By leveraging observed information and data-driven methods, these techniques play a crucial role in applications ranging from cybersecurity, fraud detection, industrial systems, and healthcare. However, anomaly detection techniques pose several challenges, such as defining the region or boundary to accept between normal and abnormal instances, getting accurate and representative labels for normal and abnormal instances, defining an anomaly in different application domains, nature of class imbalances between normal and abnormal instances, vast and complex amount of data available in this domain and accurate evaluation metrics. My research focuses on handling imbalanced datasets, interpretability of complex models using statistical testing, and combining multiple detection methods to enhance accuracy and reduce false positives.
Title: Software Engineering for Enhanced Reactive Transport Modeling Software
Modeling software used to evaluate earth science processes are foundational tools used to assess and evaluate changes in the environment. Many earth science modeling software have not been designed by software engineers, which has resulted in software that is lacking in software quality and usability. Because of this, I will be merging the fields of earth science and software engineering to create reactive transport modeling software that meets high software quality standards. This will enhance the earth scientist's user experience and improve environmental monitoring and prediction.
Title: Implementation of Data Science Approaches to Improve the Analysis of Cybersecurity Threats in Software Systems
Today’s growing dependence on technology has not only increased convenience and efficiency but has also created an expanded cybersecurity risk, particularly with software systems. Detecting and quantifying security threats such as vulnerabilities and weaknesses in software systems has been a challenging problem in research. To address this challenge, one approach is to benchmark a system against existing similar systems. Therefore, I am (1) analyzing software static analysis tools results to measure the security of different systems (Binary Files, SBOMs, and Docker Images); (2) investigating theoretical and empirical approaches for integrating static-analysis tool outputs; (3) improving the validity of HSQA models (utility function) to predict the security score of a system under analysis.
- Pearsall, R. "An Evaluation of Graph Representations of Programs for Malware Detection and Categorization using Graph-Based Machine Learning Methods." August 2023
- Rehman, F. "Improving the confidence of machine learning models through improved software testing approaches." December 2022
- McCartney, S. "A Framework to Assess Bug-Bounty Platforms based on Potential Attack Vectors." December 2022
- Harrison P. "Analyzing The Security Of C# Source Code Using A Hierarchical Quality Model," May 2022
- Griffith I. "Design Pattern Decay - A Study of Design Pattern Grime and its Impact on Quality and Technical Debt," December 2021
- Johnson A. "The Analysis of Binary File Security Using A Hierarchical Quality Model," December 2021
- Rice D. "An Extensible Hierarchical Architecture for Analysis of Software Quality Assurance," December 2020
- King H.K. "Informing the Construction of Narrative-Based Risk Communication," November 2019
- Reimanis D.K. "The Identification, Characterization, and Evaluation of Model-Based Behavioral Decay in Design Patterns," August 2019
- Smith K. "Exploratory Study on the Effectiveness of Type Level Complexity Metrics," April 2018
- Luhr R. "The Application of Technical Debt Mitigation Techniques to a Multidisciplinary Software Project," April 2015
- Griffith I. "Technical Debt Management in Release Planning - A Decision Support Framework," August 2014
- Dale M. "Impacts of Modular Grime on Technical Debt," April 2014
- Schanz T. "A Taxonomy of Modular Grime in Design Patterns," April 2011