NSF Supports NYU WIRELESS Researchers’ Use of Psychology to Detect Software Vulnerabilities
Most software bug finding tools focus on a known type of problem and then look for it. In essence, a developer knows that a problem exists and writes code to check for bugs. Researchers at NYU WIRELESS are working to develop a new type of bug finding software that focuses on areas that developers are unaware of. The NYU researchers call such areas “developer blind spots” where a developer believes a program would behave in one manner, but it actually behaves differently. For example, a database programmer may expect that the user’s input will only be treated as data, and not as database commands (as happens in an SQL injection attack). Much like a blind-spots in a car, the developer cannot see or recognize issues within such areas, making them prime candidates for security issues.
Professors Justin Cappos and Yanyan Zhuang at NYU and Professor Martin Yeh at Pennsylvania State University have been recently awarded a two-year, $233K collaborative award from the National Science Foundation to pursue research on software blind spots. This work brings experts from psychology, software engineering, and security together to apply domain-specific knowledge to address a problem of dire importance.
Some preliminary work in this area (in collaboration with Daniela Oliveira at the University of Florida) has already shown encouraging results, with papers already accepted at the New Security Paradigms Workshop (NSPW 2014) and the 30th Annual Computer Security Applications Conference (ACSAC 2014). An initial pilot study with 47 developers showed that security is not part of the mindset of most developers while coding. However, priming the developer with information about potential blind spots in context helped developers to identify and understand security vulnerabilities accurately.
In their on-going work, the PIs are working to further understand the psychological underpinnings of security bugs. Furthermore, by incorporating bug information into intelligent tutors or checking tools, there is the promise to use psychological information from one set of users to help others. Co-PI Zhuang stated “Working with experts like Prof. Oliveira and Yeh has enabled us to target software bugs with a fresh perspective.” The PIs expect that the application of these findings may cross different techniques and tool types. PI Cappos says “One nice outcome is that the findings from this work should integrate well into existing bug finding techniques. As such, we believe this technique will have positive impact and be easy to deploy. The sky is the limit.”