Predicting the Difficulty of Compromise through How Attackers Discover Vulnerabilities
PI(s), Co-PI(s), Researchers:
PI: Andrew Meneely; Co-PI: Laurie Williams; Researchers: Ben Meyers and Nasif Imtiaz
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
- Metrics
PUBLICATIONS
Papers were written as a result of your research from the current quarter only.
- Benjamin Meyers, Sultan Fahad Almassari, Brandon N. Keller, and Andrew Meneely, "Examining Penetration Tester Behavior in the Collegiate Penetration Testing Competition", accepted to ACM Transactions on Software Engineering and Methodology, 25 pages.
- Nasif Imtiaz, Seaver Thorn, and Laurie Williams, "A comparative study of vulnerability reporting by software composition analysis tools", 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM 2021).
- Saikath Bhattacharya, Munindar P. Singh, and Laurie Williams, "Software Security Readiness and Deployment", 2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW 2021).
KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.
- Ben Meyers passed his dissertation proposal exam on December 10, 2021. His work is based on helping developers confront human errors in micro post-mortems. We have submitted the proposal document as a "draft" via NCSU for your information.
- Our apology mining study is going well. We have collected over 88.6 million comments from 17,378 of the top repositories spanning 45 different programming languages. We are using this corpus with word embedding and BERT to find instances of self-admitted human errors. This analysis will help us develop classifiers that recognize instances of self-admitted human error, which we plan to aggregate into a process we are calling "micro post-mortems". This work is the basis for Ben Meyers' dissertation and has a thorough plan, including a systematic literature review of human error research in software engineering, a user study, and a tool proof-of-concept implementation.
- "A comparative study of vulnerability reporting by software composition analysis tools" has been accepted at the 15th International Symposium on Empirical Software Engineering and Measurement (ESEM'21).
- We conducted an empirical study on security releases of open source packages. The goal of this study is to help software practitioners and researchers understand how open source packages currently release security fixes, and to identify areas for improvement.
- An extended abstract discussing Software Security Engineering (SSE) and Software Reliability Engineering (SRE) was presented at the IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW).
COMMUNITY ENGAGEMENT
EDUCATIONAL ADVANCES:
- None.