The Practical and Actionable Software Engineering Research (PASER) group at Auburn University is currently pursuing the following research projects.

eSLIC: Enhanced Security Static Analysis for Configuration Scripts

Abstract

The project will focus on the development of techniques and tools that will automatically detect security weaknesses in configuration scripts developed using a wide range of languages heavily used in industry. Three main tasks will be investigated for this project. First, qualitative analysis is applied in order to determine a comprehensive list of security weaknesses for multiple configuration script languages, and devise static analysis techniques for automatically identifying each category of security weakness. Next, grammar-based parsing and machine learning techniques are applied, evaluated, and integrated into the derived static analysis so that false positives are reduced. Finally, the development context of practitioners from the open source and proprietary domain will be systematically mined to generate actionable alerts and suggestions, which will enable practitioners to fix security weaknesses. Along with the three technical tasks, industry panels will be organized, where practitioners from industry will give feedback on the developed techniques and tools. Findings from the project will be disseminated to government, industry and open source practitioners, as well as to students who are learning about configuration management in graduate and undergraduate level courses related to cybersecurity.

Relevant Peer-reviewed Publications

Datasets and Software

Funding Source

Resilient Container Orchestration

Abstract

Container technologies, such as Docker and LXC are gaining popularity amongst information technology (IT) organizations for deploying software applications. For example, PayPal uses 200,000 containers to manage 700 software applications. For managing these containers at scale, practitioners often use automated container orchestration, i.e, the practice of pragmatically managing the lifecycle of containers with tools, such as Docker Swarm and Kubernetes. As part of this project we are investigating how to help practitioners for resilient container orchestration. As part of this project, we will accomplish three tasks: (i) detecting and repairing security misconfigurations that occur in configuration files used for container orchestration; (ii) build the science of routing-related defects; and (iii) construct education modules to help next generation practitioners in secure and resilient container orchestration.

Relevant Peer-reviewed Publications

Datasets and Software

Funding Source

NSF CORE:SHF: Award - 2312321

Secure Development of Machine Learning Projects

Abstract

The ubiquitous use of machine learning necessitates to make the development process secure. In this project we are exploring so strategies used to secure the development process for traditional software engineering can also be integrated in machine learning development. In particular, we are investigating (i) how to perform logging to diagnose adversarial machine learning attacks and formally verify security specifications in machine learning implementations, (ii) common security weaknesses in machine learning source code, and (iii) identifying testing best practices for automating machine learning deployments.

Relevant Peer-reviewed Publications

Datasets and Software

Funding Source

NSF SaTC: Award - 2310179