SOFTWARE VULNERABILITY DETECTION AND REMEDIATION

Project Summary: 

Cyber attackers are growing in sophistication and in their ability to penetrate information systems by exploiting vulnerabilities in software. BA joined a long list of successful attacks, with 380K customers having their account (and payment) details stolen from BA's booking system. Ticketmaster was another victim; again, their payment system was breached by attackers, with 40K users having their details stolen. From a business perspective, there is a need to verify a fast-growing code base against security risks. UK government cybersecurity guidance states: “We want boards, customers and investors to be thinking about cybersecurity issues when they make purchasing or investment decisions.” (UKCabinet, 2014). These recent events do not support the idea that security is improving. Security requirements can take second place to new feature development. There is a need to balance high-value new feature development with maintenance that removes potentially high-cost vulnerabilities.

In this research, we seek to address software assurance issues by modelling security requirements in the problem space (e.g., assets, threats) against security risks in the solution space (e.g., attacks, mitigations); making the right trade-offs between the two typically requires heavy human involvement. Misuse cases, abuse frames, anti-goals, attack scenarios, etc. have been proposed at different abstraction levels to elicit such security and privacy arguments. However, the gap between these models and the reality of software development is exacerbated by the lack of traceability and accountability between the models and the implementations.

Therefore, we propose to unify the 'problem space' and the 'solution space' by using machine learning and software refactoring to develop a model that links secure design aspirations to the solution design, thereby establishing a mapping between the problem space and the solution space that identifies weaknesses and vulnerabilities to be addressed before deployment.

The project will consist of three parts:

1) Develop a machine learning method that can identify security vulnerabilities within open source software.

2) Identify key indicators that would drive a refactoring solution that targets security issues.

3) Create a proof of concept that uses both 1) and 2) to improve the security profile of software applications.


Objectives:

1) Develop a machine learning method to analyse open source software.

2) Identify and rank features that are indicators of weak or vulnerable software.

3) Map these features to software design patterns that will improve the security profile of the application.

4) Implement a framework that demonstrates a proof of concept showing an improvement in the security profile of software applications.

5) The experimental work will be academically rigorous, which will be evident through high-quality publications.


Academic Requirements:

Students entering the programme will normally be required to have a 2.1 BSc/BEng in Computer Science, Electrical and Electronic Engineering, or a maths-based engineering or physical science degree, or an equivalent qualification recognised by the University. Students holding an appropriate MEng or MSc (Software conversion) will normally be required to have a 2.1 or commendation (distinction) respectively. Furthermore, additional criteria may be applied. All applicants must have significant mathematical and programming experience.


General Information: 

This 4 year PhD studentship, potentially funded by the Department for Employment and Learning (DEL), commences on 1 October 2019.

Eligibility for both fees and maintenance depends on the applicant being either an ordinary UK resident or an EU resident who has lived permanently in the UK for the 3 years immediately preceding the start of the studentship. Non-UK residents who hold EU residency may also apply but, if successful, may receive fees only.

Applicants should apply electronically through the Queen’s online application portal at: https://dap.qub.ac.uk/portal/

Further information available at:  http://www.qub.ac.uk/schools/eeecs/StudyattheSchool/PhDProgrammes


Contact Details:

Supervisor Name: Dr Philip O’Kane

Tel: +44 (0)28 9097

Email:  p.okane@qub.ac.uk