SoSL @ NC State

SoSL Projects 2014-2017

The following projects were funded during the Lablet’s second phase of funding (2014-2017).

Metrics Hard Problem Projects

Team Captain: Andy Meneely

We take security to be a composite property comprising confidentiality, integrity, and availability properties. Many aspects of confidentiality, integrity, and availability must be measured and combined to get an overall picture of a system’s security posture. Security metrics should best demonstrate causality, and be quantifiable, feasible, repeatable, objective, and validated. We will identify key existing security metrics and needs for new security metrics. We will develop measurement scales and methods for taking measurements. In addition, we will validate metrics for descriptive and predictive power in relation to security properties. This work will produce empirically validated theoretical constructs to better enable scientific and engineering communities to develop and test fundamental laws of security. Security metrics and analytics involving these metrics underlie the scientific progress and evaluation of all hard problems.

Humans Hard Problem Projects

Team Captain: Emerson Murphy-Hill

Humans are crucial to any security ecosystem. A complete and effective SoS presupposes deep and fundamental theories of human behavior as it relates to system security. To attack this problem, we can divide humans into three main types: users, adversaries, and developers. We will study these three types of users; develop evidence-based models of human perception, decision making, and behavior; test the validity of these models and iteratively improve them; and finally show that these theoretical models have predictive power that can inform the design and evolution of secure systems with humans in the loop.

Policy Hard Problem Projects

Team Captain: Munindar Singh

We will develop a science of policies and their relationships to human behavior with a view toward uncovering principles that underlie and support effective and rigorous means for constructing and maintaining long-lived secure collaborations among two or more parties. A distinguishing feature of our envisioned approach is the study of policies in relation to high-level objectives, specifically, norms, i.e., standards of correct and secure behavior. Our overarching objective is to develop the principles underlying the specification, evaluation, revision, computation, complexity, and comprehensibility of norms and policies to achieve secure collaboration in diverse collaboration contexts. These principles will enable uses of norms and policies that improve (1) robustness, liveness, and resilience of policy-guided systems; (2) modeling, analysis, and enactment of secure behaviors; and (3) comprehensibility and effectiveness in applications.

Resilience Hard Problem Projects

Team Captain: Will Enck

Software and systems engineers must now assume that adversity (being under attack) is the normal state of affairs. There is thus a high premium on generalizable architectural approaches to assuring continuity and recovery of acceptable service in the face of attacks and partial compromises, including continued provision of specified services and non-functional properties, including but not limited to security. The purpose of resiliency architectures is to provide generalizable design and implementation frameworks for assured continuity of acceptable service through and recovery of full service after attacks. Traditional dependability has aimed to fully mask all random failures, using diversity, redundancy, adaptation, evolution, and isolation. Our work focuses on (a) clarifying the nature of resiliency, including partial masking of intentional failures; providing foundations for rigorously specifying resiliency requirements (including metrics); and architectural strategies for meeting such requirements; (b) projects in redundancy, adaptation, and isolation; and finally (c) automated synthesis of resilient security architectures.

Evaluation

Investigators: Lindsey McGowen, David Wright, Jon Stallings

Goals: The lablet will design and implement a two-phased evaluation process for assessing the effectiveness and impact of the lablet’s research and community development activities. The evaluation will be structured around a program logic model that shows the anticipated connections between lablet activities and their ultimate impact. The motivations are ensuring accountability and guiding program management to improve outcomes.

Research Methods, Community Development, & Data Sharing

Investigators: Jeff Carver, Lindsey McGowen, Ehab Al-shaer, Jon Stallings, Laurie Williams, David Wright

Goals: To build an extended and vibrant interdisciplinary community of science of security researchers, research methodologists, and practitioners. To create and maintain a repository of defensible scientific methods for security research. To encourage application of scientifically defensible research through various methods of consultation and feedback. To enable open, efficient, and secure sharing of data and experimental results for experimentation among SoS researchers.