October 24, 2014

Cracking the Code

The attackers are winning.
Those attackers are hackers who exploit deficiencies in software code, deficiencies that give them access to your credit card number and even your medical records. What’s at stake is more than money. In the case of vital healthcare software, lives could be at risk.
The US National Security Agency (NSA) established lablets at NC State, Carnegie Mellon and the University of Illinois in 2012 in hopes of taking a different approach to preventing cyber-attacks: change how code is written in the first place, and take away the opportunities thieves rely on.
This year, those three universities were asked to compete against other schools to keep their lablets. The NSA invited 190 schools to submit proposals; in the end the agency renewed all three original lablets, and the University of Maryland was added to the program.
The Science of Security Lablet at NC State is housed in the Institute for Next Generation IT Systems, a joint university/government research organization tasked with working on current information technology challenges.
Dr. Laurie Williams and Dr. Michael Rappa, professors in the Department of Computer Science, were the original co-principal investigators in NC State’s lablet. Rappa is also founding director of NC State’s Institute for Advanced Analytics, which offers the nation’s first Master of Science degree in analytics. In 2014, Dr. Munindar Singh, also a professor in the Department of Computer Science, replaced Rappa as the co-PI with Williams.
Williams points to a number of reasons that hackers have the upper hand right now, chief among them the lure of a big financial windfall.
“For them, the payoff can be really high,” Williams said. “They’re willing to dedicate a lot of time to get in.”
For the developers writing software code, the financial incentives are too often reversed. With pressure to get products out the door, leaving out the code that makes a product secure saves time, so insecure code is what gets rewarded.
Add to that the fact that software engineers are not taught to code securely. The fix is often as simple as replacing one line of code with another, but if no one knows about that secure option, the same mistakes are repeated, and attackers are familiar with those mistakes.
“There can be vulnerabilities that we all know about, and people just keep coding that way,” Williams said. “They just keep developing more and more software with the same vulnerabilities in them.”
Williams describes the current approach to security as largely reactive: we’ve been attacked, so let’s fix that particular problem. That turns into a cat-and-mouse game of chasing the attacker.
What if cyber security were approached scientifically, with hypotheses, research to test them, and repeatable methods that can be taught? What if, instead of plugging holes, system designers worked together to make sure there are no holes to begin with?
Maybe then, the attackers will be put on the defensive. That’s the aim of the Science of Security Lablet.
At NC State, the lablet exemplifies the kind of interdisciplinary cooperation that is one of the university’s strengths. The lablet is based in the Department of Computer Science, but involves faculty from the departments of Electrical and Computer Engineering and Civil, Construction, and Environmental Engineering, along with the College of Education and departments of Psychology and Statistics.
The NSA provides $2 million to $2.5 million in annual funding to each lablet. At NC State, 16 faculty and 18 students are involved. Six collaborating university partners — Purdue, UNC-Chapel Hill, UNC-Charlotte, Alabama, Virginia and Rochester Institute of Technology — are also part of the NC State project.
The NSA asked the lablets to come up with five hard problems to solve. Those problems look not just at security metrics and the architecture of systems but also at how humans behave when they interact with the software being studied.
Being selected by the NSA for three more years of funding means the lablet at NC State will continue that work.
“Three years from now, I hope that we have made a lot of progress on those hard problems,” Williams said.

