This page chronicles the research work that I’ve done in the past during undergraduate and graduate school.
Writing Secure Java Code: A Taxonomy of Heuristics and an Evaluation of Static Analysis Tools
- Graduate School, Master’s Thesis, August 2007 to May 2008
- Abstract: The software security community is currently emphasizing the development of secure coding standards and their automated enforcement using static analysis techniques. Unlike languages such as C and C++, a secure coding standard for the Java programming language does not exist. In this thesis, a comprehensive collection of coding heuristics for writing secure code in Java SE 6 is organized into a taxonomy according to the design principles they help to achieve. By mapping secure coding heuristics to design principles, the goal is to help developers become more aware of the quality and security-related design problems that arise when specific coding heuristics are violated. The taxonomy’s design-driven methodology also aims to make understanding, applying, and remembering both design principles and coding heuristics easier. To determine how well the collection of secure coding heuristics can be enforced using static analysis techniques, eight tools are subjected to 72 test cases that comprise a total of 115 distinct coding heuristic violations. A significant number of serious violations, some of which make attacks possible, were not identified by any tool. Even if all of the tools were combined into a single tool, more than half of the violations included in the study would not be identified.
- Download (single-spaced)
- Download (double-spaced)
- Download secure coding test cases
- Download secure coding custom detectors for FindBugs
Software Fault Analysis and Prediction
- Undergraduate School, October 2005 to May 2006
- I performed software fault analysis and prediction research under the direction of a faculty advisor on a NASA IV&V grant. We attempted to develop a new model (metrics) for predicting faults in code based on novel parameters. We called it NIF (Nested Information Flow). NIF has the goal of indicating which code modules are most likely to contain faults by considering the connectivity and data flow among modules at deep nested levels.
Security Requirements Engineering
- Undergraduate School, May 2005 to August 2005, University of South Carolina
- I performed software security requirements research for ten weeks during a Research Experience for Undergraduates program in Multidisciplinary Computing sponsored by the National Science Foundation. I hypothesized that by first identifying threats to the use case actors of a software system, the Common Criteria could then be used to effectively specify security requirements to mitigate threats. I developed a use case development tool in Java that utilizes a Common Criteria knowledge base to carry out my approach.
- Undergraduate School, December 2004 to May 2005
- Our team worked alongside the Steganography Analysis Research Center (SARC). Our primary objective was to establish a repository of steganographic signatures and analysis tools to be used by computer forensic tools.
- Undergraduate School, May 2004 to September 2004
- Our primary goal was to discover ways to increase the security awareness of normal, everyday computer users. We analyzed the behaviors and technical footprints of several types of malware, such as viruses, worms, trojans, and spyware. Based on our findings, we designed and developed an educational tool for non-technical users of Microsoft Windows called A Windows Attack intRusion Emulator (AWARE) that emulates malware attacks in a simulated Windows XP environment.