Automation for greater software security

As information technology connects people in ever more elaborate ways, says Gang Tan, the variety, and the backlog, of software programs that require protection from hackers, bugs and coding errors is growing rapidly.

While online businesses need to identify malicious requests, corporations strive to guard intellectual property. Nonprofits must assure their patrons, and governments their citizens, that private data will remain private. And the operating systems that run laptops, tablets and smartphones require security improvements when they are upgraded or add a new app.

Tan, an assistant professor of computer science and engineering, and his collaborators are designing a system that will retrofit existing software to provide what they call “defense-in-depth” protection.

The group, which also includes researchers from Pennsylvania State University, the University of Vermont and Rutgers University, recently received a four-year, $1.2 million grant from NSF.

Tan says the group is designing a system that helps operators determine what data in a software program or system needs protection, and which entities should have access to that data. The system then inserts security checks that authenticate users and authorize their access according to those privileges.

“As long as the security policy for software stays the same during an upgrade or when features are added,” says Tan, “our system can produce security checks to enforce the policy. At every point on the way, from the creation of an app to an add-on or upgrade, our system can add these checks according to an existing policy.”

Three layers of “defense-in-depth”

Typically, says Tan, software developers write security code to prevent unauthorized access to critical data. But this is usually done manually, and the process is error-prone, time-consuming and not scalable. As a result, unauthorized users can gain access to restricted data. And the security checks need to be updated each time the operating system or critical software on a device is upgraded or adds new functionality or features.

“We want to automate this process,” says Tan, “and add three layers of defense-in-depth to software.”

Those layers are:

* Authorization—restricting access to sensitive data to authorized users and authenticating those users;

* Containment—limiting the damage caused by security breaches;

* Auditing—monitoring software as it is operating so that developers can be informed of the need for additional defenses.

To make its system “holistic” and interactive, says Tan, the group is creating synergies among the three layers of protection and designing its system to automatically add security checks that enforce the existing security policies of a piece of software.

“Our system can add multiple layers of protection according to the security policy,” he says. “It can handle upgrades without user involvement, and it will explore the interaction among these layers to achieve greater efficiency and security.”

To contain damage once software has been breached, the system designed by Tan’s group assigns separate security checks to separate components of the software. That way, even if one component has been compromised, the other components can continue to function. This technique, built on the principle of least privilege, breaks software into small modules, each of which is granted only the minimum privilege (access to data and administrative authority) it needs to do its job.

“The first two layers of our system can be considered proactive,” says Tan. “They seek to prevent further damage. The third layer is retrospective, or defensive. It enables us to collect enough security-related data while software is running so that we can retrospectively do a forensic analysis to determine what happened and what the best course of action is.”
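The three layers described above can be sketched in code. The following Python example is added here as an illustration and is not the group's system, which the article does not describe in code: a policy table (who may touch which data) drives a decorator that retrofits an authorization check onto an existing function, each calling component carries its own minimal privilege set so a compromised module cannot reach data outside its job (containment), and every decision is written to an audit log that can later be queried for forensics. The policy, component names, users and data are constructed sample values.

```python
"""Illustration of policy-driven authorization, containment and auditing (added example)."""
from dataclasses import dataclass, field
from functools import wraps
from typing import Dict, List, Set, Tuple

# Constructed sample policy: which roles may access which protected data item.
POLICY: Dict[str, Set[str]] = {
    "customer_records": {"admin", "support"},
    "payroll": {"admin", "hr"},
}

# Constructed sample data guarded by the policy.
DATA: Dict[str, List[str]] = {
    "customer_records": ["alice:order-1", "bob:order-2"],
    "payroll": ["alice:5000"],
}


@dataclass
class Principal:
    """A user and the roles that have been authenticated for them."""
    name: str
    roles: Set[str]


@dataclass
class Component:
    """A software module running with a minimal privilege set (containment layer)."""
    name: str
    privileges: Set[str]  # the data items this module is allowed to touch


@dataclass
class AuditLog:
    """Auditing layer: one entry per access decision, kept for later forensics."""
    entries: List[dict] = field(default_factory=list)

    def record(self, **entry) -> None:
        self.entries.append(entry)


class AuthorizationError(PermissionError):
    pass


def enforce(policy: Dict[str, Set[str]], audit: AuditLog):
    """Build a decorator that retrofits an authorization check derived from the
    policy onto an existing function, logging every allow/deny decision."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(component: Component, user: Principal, resource: str, *args, **kwargs):
            user_ok = bool(user.roles & policy.get(resource, set()))  # authorization layer
            comp_ok = resource in component.privileges                # containment layer
            if user_ok and comp_ok:
                decision, reason = "allow", "ok"
            elif not user_ok:
                decision, reason = "deny", "user_not_authorized"
            else:
                decision, reason = "deny", "component_lacks_privilege"
            audit.record(component=component.name, user=user.name, resource=resource,
                         function=fn.__name__, decision=decision, reason=reason)
            if decision == "deny":
                raise AuthorizationError(f"{user.name}@{component.name} -> {resource}: {reason}")
            return fn(component, user, resource, *args, **kwargs)
        return wrapper
    return decorator


AUDIT = AuditLog()


@enforce(POLICY, AUDIT)
def read_data(component: Component, user: Principal, resource: str) -> List[str]:
    """The pre-existing function being retrofitted; it has no checks of its own."""
    return list(DATA[resource])


def denied_reasons(audit: AuditLog) -> List[Tuple[str, str, str, str]]:
    """Forensic query over the audit log: every denied access and why."""
    return [(e["component"], e["user"], e["resource"], e["reason"])
            for e in audit.entries if e["decision"] == "deny"]


def run_scenario() -> dict:
    """Exercise all three layers with constructed components and users."""
    AUDIT.entries.clear()
    support_ui = Component("support_ui", {"customer_records"})
    hr_portal = Component("hr_portal", {"payroll"})
    carol = Principal("carol", {"support"})
    dave = Principal("dave", {"hr"})
    results = {"support_reads_customers": read_data(support_ui, carol, "customer_records")}
    attempts = [
        ("support_reads_payroll", support_ui, carol),   # user lacks the role
        ("compromised_support_ui_reads_payroll", support_ui, dave),  # right user, wrong module
    ]
    for label, comp, user in attempts:
        try:
            read_data(comp, user, "payroll")
            results[label] = "allowed"
        except AuthorizationError:
            results[label] = "denied"
    results["hr_reads_payroll"] = read_data(hr_portal, dave, "payroll")
    return results


if __name__ == "__main__":
    print(run_scenario())
    print(denied_reasons(AUDIT))
```

The second denied attempt is the containment case: even with a legitimately authorized user, the support module cannot be coaxed into reading payroll because that privilege was never granted to it, and the audit entry records which layer refused.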

Tan acknowledges that some experts recommend redesigning existing software to improve its security.

“This might produce better software in terms of security,” he says, “but it is potentially very expensive and time-consuming. Because so many software systems have been designed without enough attention to security, we believe it’s better to retrofit existing systems with better security checks. There’s clearly a need for this.”

Tan, who directs Lehigh’s Security of Software (SOS) Lab, has spent nearly 15 years studying software security. In 2012, he received a CAREER Award from NSF. His research has also been supported by the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency.

The group of researchers was invited recently to present the results of their research to the annual Layered Assurance Workshop in New Orleans.