SDCI Sec New: In-Depth Vulnerability Assessment of Middleware
University Of Wisconsin-Madison, Madison WI
Investigators
Abstract
This research establishes MIST, the MIddleware Security and Testing facility, to identify security vulnerabilities in middleware, which include e-commerce systems, supercomputers, and scientific and commercial networks. The researchers are identifying limitations in current abilities to identify and remediate vulnerabilities in the middleware. The limitations include assessment techniques that provide insufficient focus on critical vulnerabilities and are subject to high false-positives, tools that provide limited abilities to find serious vulnerabilities, little or no formal characterization of vulnerabilities, lack of trained security analysts to perform vulnerability assessment, scarcity of curricula, both in academia and professional training, for training security analysts, scarcity of training in software engineering and design techniques for secure systems, and lack of independent vulnerability assessment activities in middleware software development. The researchers are developing first principles based vulnerability assessment (FPVA) that starts with architectural and resource analysis of the software, identifying high-value assets, and then derives threats based on how the assets are used. This research includes new and extended algorithms and techniques for tools to help improve the automation of this task, and new software engineering and coding techniques for developing secure systems. Results from their FPVA assessment activities are used to develop formal characterizations of these hard-to-discover vulnerabilities and, from these characterizations, develop algorithms for detecting these vulnerabilities. From algorithms, they are developing new automated tools for detection. The tools take the form of plug-ins to existing tools (to reduce unnecessary effort and time-to-deployment). This project expands the skills software developers by developing training materials in the form of tutorials, short courses, and a new undergraduate course in vulnerability assessment and secure coding practices.
View original record on NSF Award Search →