Research
Sponsored Research
Department of Homeland Security
The HSQA project addresses three areas that align with DHS S&T long term strategies:
- Measure source code quality and maturity of ICS and cloud based software
- Composition, stylometry and origination of software
- Identify secured and sensitive sections of source code
Construction Engineer Research Lab (CERL)
We work with the TSEAL team at TechLink to test software components as well as provide support for measuring the quality assurance of these software components.
Resilient Computing
We collaborate with this MSU-spin out on the commercialization of edge computing technologies that are used in space and in our nation’s critical infrastructure.
Hoplite Industries
We collaborate with MSU's Software Engineering and Cybersecurity Laboratory by providing access to resources, training and providing internships to ROTC cadets through our CySER grant in collaboration with Griffiss Institute and Washington State University.
WolfSSL
We are working with MSU to help test the neXtECU controllers to increase cybersecurity protection.
Department of Homeland Security/Idaho National Labs
We have developed a framework that allows managers to make informed decisions and gives developers more visibility into code vulnerabilities.
Research Experiences for Undergraduates (REU)
The REU summer program provides an opportunity for students from around the country to come to MSU for an immersive summer learning experience.
Raytheon
Building on MSU’s prior research on building fault-tolerant computers for NASA, we design hardware diversity to make flight computers resilient to cyber-attacks.
Northwest Virtual Institute for Cybersecurity Education and Research (CySER)
As part of this inter-institution program, ROTC cadets at MSU participate in a baseline cybersecurity class their first semester and carry out a senior capstone project.
Blackthorne
Blackthorne Consulting is working with SECL to investigate new digital forensics techniques.
NASA
NASA is working with SECL to investigate intrusion-tolerant space computing technologies.
Student Projects
Grant Nelson
Title: Class Participation in Functions for Technical Debt Analysis of Procedural and Object Oriented Languages
Grant Nelson is researching programmatic Technical Debt analysis, focusing on analysis of procedural languages. During analysis of patterns and anti-patterns in object oriented languages, the membership of methods in classes is used as a metric. Procedural languages do not always specify a membership between functions and structures. Grant is looking into using the variable types of a function's arguments and the arguments' usage inside of the functions to determine a participation score. The participation score is a probability that a function may belong to a structure. If a participation score can be determined such that it can be used in place of the membership metric, then current pattern and anti-pattern analysis can be performed on procedural languages.
Karishma Rahman
Title: Metamorphic Testing for Web Application
Abstract: Software testing is a process that evaluates the software’s functionality by revealing its faults. The testing process can often be complicated and expensive for complex scientific applications. Automation of software testing, which automates parts of the testing process, is thus a practical solution and can make software development much more efficient and cost-effective. Various techniques are also being used to address the oracle problem in security testing, of which, Metamorphic Testing (MT) is one. My research focuses on applying Metamorphic Testing to detect vulnerabilities in web applications.
Zach Wadhams
Title: Seamless Conversion of SAST Tool Outputs into GitLab Issues for Enhanced Accessibility
In modern software development environments, Static Code Analysis, also known as Static Application Security Testing (SAST) tools, plays a vital role in ensuring the security, reliability, and compliance of software applications. SAST tools analyze the source code during the development phase, enabling early detection of security vulnerabilities. By identifying security flaws at an early stage, developers can address them promptly and minimize the risk of such vulnerabilities making their way into the final product. SAST tools not only focus on security vulnerabilities but also help improve code quality. Zach is developing a tool that takes reports generated by a commonly used SAST tool, SonarQube, and converts them into GitLab issues for developers to examine and work on. This tool leverages both the API’s of SonarQube and GitLab to retrieve and post issue data. The need for such a tool arose from a case when SonarQube’s reports were behind a firewall, and only a few developers had access to these crucial reports. This resulted in extended turnaround times for fixing vulnerabilities. The developed tool will address this problem by putting these outputs in a place that is familiar to developers: the issues section of a GitLab repository. This approach ensures that more developers will see these security reports and, ultimately, will foster a more security-focused development environment.
Dillon Shaffer
Title: Software Development Environment for Resilient Computing Architectures
As MSU’s radiation tolerant computer (RadPC) prepares for launch, Resilient computing prepares to launch a similar commercialized board. The commercial board will work in a variety of industries; from defense, to outer space. This research delves into the development of an eclipse IDE based plugin that will allow users from all industries to interface with the computer. The plug-in will contain knowledge of the device architecture that enables users unfamiliar with the specifics of the hardware to program it with ease using the C language.
Eric O'Donoghue
Title: Analysis of Software Bill of Materials Compliance/Quality and Software Supply Chain Security Quality Using Hierarchical Quality Models
With the reliance on software across industries, ensuring the securityand quality of software components in software supply chains hasbecome a critical concern for software providers. Software Bill ofMaterials (SBOM) is an emerging technology that provides an inventoryof all software components used in a particular application or system.This thesis addresses two facets of SBOM technology: quality ofsoftware bills of materials in their current state and the applicationof SBOMs as a tool for performing security quality analysis onsoftware supply chains.
Our first research goal is to improve software providers ability inassessing both compliance to government standards and quality ofsoftware bills of materials. We accomplished this goal by developingand validating a hierarchical quality model, name tbd, to evaluate thequality of software bills of materials. Our second goal is to improveproviders ability in assessing software supply chain security qualityutilizing SBOM technology. We accomplished this goal by developing andvalidating a hierarchical security quality model,PIQUE-SBOM-SUPPLYCHAIN-SEC, to evaluate the security quality ofthird-party libraries and packages present in software. While thereare existing tools that can be used to measure SBOM quality orsoftware supply chain security, the use of a model is beneficial inboth these cases as it integrates multiple analysis tools to have abetter coverage of quality and security issues, utilizes existingquality standards, improves scoring accuracy via benchmarking a largecorpus of SBOMs, and finally the aggregation of findings upward into abroader quality and security context.
Gerard Shu Fuhnwi
Title: Empirical Anomaly Detection Techniques
Empirical anomaly detection techniques identify outliers or anomalies in a dataset based on observed data patterns and real-world observations. Unlike rule-based approaches that rely on predefined thresholds, empirical techniques analyze the inherent characteristics of the data to distinguish between normal and abnormal instances. These techniques are driven by the data and often leverage statistical, machine learning, or data-driven methodologies to detect anomalies. By leveraging observed information and data-driven methods, these techniques play a crucial role in applications ranging from cybersecurity, fraud detection, industrial systems, and healthcare. However, anomaly detection techniques pose several challenges, such as defining the region or boundary to accept between normal and abnormal instances, getting accurate and representative labels for normal and abnormal instances, defining an anomaly in different application domains, nature of class imbalances between normal and abnormal instances, vast and complex amount of data available in this domain and accurate evaluation metrics. My research focuses on handling imbalanced datasets, interpretability of complex models using statistical testing, and combining multiple detection methods to enhance accuracy and reduce false positives.
Yvette Hastings
Title: Software Engineering for Enhanced Reactive Transport Modeling Software
Modeling software used to evaluate earth science processes are foundational tools used to assess and evaluate changes in the environment. Many earth science modeling software have not been designed by software engineers, which has resulted in software that is lacking in software quality and useability. Because of this, I will be merging the fields of earth science and software engineering to create reactive transport modeling software that meets high software quality standards. This will enhance the earth scientsist user experience and improve environmental monitoring and prediction.
Redempta Manzi
Title: Implementation of Data Science Approaches to Improve the Analysis of Cybersecurity Threats in Software Systems
Today’s growing dependence on technology has not only increased convenience and efficiency but has also created an expanded cybersecurity risk, particularly with software systems. Detecting and quantifying security threats such as vulnerabilities and weaknesses in software systems has been a challenging problem in research. To address this challenge, one approach is to benchmark a system against existing similar systems. Therefore, I am (1) analyzing software static analysis tools results to measure the security of different systems (Binary Files, SBOMs, and Docker Images); (2) investigating theoretical and empirical approaches for integrating static-analysis tool outputs; (3) improving the validity of HSQA models (utility function) to predict the security score of a system under analysis.
Ernesto Ortiz
Title: Automating Security Control Compliance with OSCAL
Federal law requires that the network and information systems of entities that manage the federal government's data comply with some baseline security controls.The process for proving that an entity has complied with the required controls involves the production and evaluation of massive documents known as System Security Plans. The National Institute of Standards and Technology has created OSCAL, Open Security Controls Assessment Language. OSCAL aims to automate the transmission and evaluation of security compliance documents. It does this by standardizing allowed formats, syntax, keys, and values within documents, and by enabling cross references across documents. My research aims to develop the functionality that will allow users to express through OSCAL security compliance information for systems deployed in the cloud.
Brittany Boles
Title: Static Analysis Tools: When and How to Compare Them
Static Analysis Tools (SATs) are used by developers to discover what vulnerabilities are present in their source code. Having source code that is secure, and high quality has never been more important. This has led to the creation of many static analysis tools, and many new versions of those tools. Deciding which tools/combination of tools best fits our needs can be confusing and is a current point of interest for many researchers. In this research we take a deeper look into the tools Grype and Trivy and their capabilities of analyzing docker images. We emphasize the importances of how the tools use different vulnerability databases and how that changes the meaning of their results. We will be using a database of Docker Images with known vulnerabilities to create a ground truth to measure each tool's accuracy. Our study will aim to answer what the tools capabilities are, and hopes to shed light on what challenges tool vendors are facing. This will assist both developers in decision making and tool vendors with ideas of possible improvements.
Madie Munro
Title: Computationally Enhanced Risk Communication for Insider Threats
Insider threats have become the costliest type of organizational cyber-attacks, both human and financial. Two main types of insiders are malicious, where someone attacks organizational data from the inside intentionally, and inadvertent, where someone compromises organizational data due to negligence or poor cybersecure behavior. Risk communication would best inform, warn, and guide individuals towards cyber risk mitigation behavior and changes in insider risk perceptions. Effective risk communication bridges risk perception gaps between hazard domain experts and affected individuals. Additionally, timely deployment of risk messages is imperative when warning affected groups of specific hazards, particularly insider threats. To ensure messages are developed efficiently and effectively, I plan to investigate, implement, and assess computational methods which enhance risk communication on insider threats. Specifically, I plan to operationalize theoretical frameworks for risk communication using advanced computational tools to inform the construction, validation, and testing of risk messages. Frameworks analyzed include the Narrative Policy Framework or Protection Motivation Theory; computational tools leveraged include Natural Language Processing and Large Language Models. The end goal is to assess whether such computational tools improve efficiency and efficacy of risk message development, and if targeting narrative transportation or fear-appeal motivates individuals towards protective action against insider threats. This research supplemental to on-going development of the Domain Agnostic Risk Communication Framework developed by Dr. Ann Marie Reinhold at Montana State University. Furthermore, I am collaborating with researchers at the Virginia Modeling, Analysis and Simulation Center (VMASC) located at Old Dominion University to investigate personalized risk communication efficacy.
Christine Johnson
Title: Implementation of a RISC-V FPGA Based Verification Tool for Process Control Systems
A current threat to process control systems are control logic corruption attacks, in which an attacker aims to modify the firmware of the controller within the system. This thesis aims to develop a lightweight and generalized solution against control logic corruption attacks, implemented as a verification tool on a RISC-V architecture based FPGA. The verification tool may verify proper logic flow of the plant system, monitoring abnormal changes in controller inputs/outputs. The tool may also validate incoming firmware updates to the controller from the engineering station as well. The system under attack will be a process control system which controls a battery’s state of charge. In this system, it will be assumed the attacker has access to the controller and engineering station communication channel. The verification tool shall be generalized to be employed for various process control systems.
Jasmine Vang
Title: Northwest Virtual Institute for Cybersecurity Education and Research (CySER)
Jasmine is assisting Air Force ROTC cadets participating in the CySER program, which is a collaborative inter-institutional initiative aimed at educating students, regardless of their computer science background, about cyber-security. Cadets engage in a foundational cyber-security course during their initial semester while concurrently planning their senior capstone projects. These capstone projects are required to include a cyber-security component. Jasmine plays a vital role in this project by instructing and leading discussions throughout the fall cyber class and by mentoring the cadets as they navigate the cyber-security aspects of their capstone projects.
Angelo Porcella
Title: Hierarchical Assessment of Malware Sophistication
Determining the sophistication of malware is critical for understanding the threats posed by advanced adversaries. In partnership with experts at Sandia National Laboratory, this research is aimed at measuring the sophistication of a diverse set of malware samples using quality assurance theory and practices as a framework.
Graduated Students:
-
Saha, P. "Improving The Effectiveness Of Metamorphic Testing Using Systematic Test Case Generation," March 2024
-
Pearsall, R. "An Evaluation of Graph Representation of Programs for Malware Detection and Categorization Using Graph-Based Machine Learning Methods," August 2023
-
McCartney, S. "A Framework to Assess Bug-Bounty Platforms based on Potential Attack Vectors," December 2022
-
Rehman F. "Improving the Confidence of Machine Learning Models Through Improved Software Testing Approaches," December 2022
-
Harrison P. "Analyzing The Security Of C# Source Code Using A Hierarchical Quality Model," May 2022
-
Griffith I. "Design Pattern Decay -A Study of Design Pattern Grime and its Impact on Quality and Technical Debt," December 2021
-
Johnson A. "The Analysis of Binary File Security Using A Hierarchical Quality Model," December 2021
-
Rice D. "An Extensible Hierarchical Architecture for Analysis of Software Quality Assurance," December 2020
-
King H.K. "Informing the Construction of Narrative-Based Risk Communication," November 2019
-
Reimanis D.K. "The Identification, Characterization, and Evaluation of Model-Based Behavioral Decay in Design Patterns." August 2019
-
Smith K. "Exploratory Study on the Effectiveness of Type Level Complexity Metrics," April 2018
-
Luhr R. "The Application of Technical Debt Mitigation Techniques to a Multidisciplinary software Project," April 2015
-
Griffith I. "Technical Debt Management in Release Planning - A Decision Support Framework," August 2014
- Dale M. "Impacts of Modular Grime on Technical Debt," April 2014
- Schanz T. "A Taxonomy of Modular Grime in Design Patterns," April 2011