Creating strong passwords and installing the latest updates are basic recommendations for consumers who want to protect their data and devices. But what happens on a higher level? Can they trust products and technologies to be stable and secure?
More assurance will be provided by two projects focusing on smart device security compliance and software code change decisions, respectively led by assistant professors of computer science Adwait Nadkarni and Oscar Chaparro.
Nadkarni and Chaparro are also the latest William & Mary computer scientists to have received a CAREER award, one of the National Science Foundation’s most prestigious distinctions recognizing early-career faculty leadership in both education and research. The combined value of the two awards amounts to over $1 million in funding.
“As a recipient myself of this honor back in 1997, I recognize the value the CAREER award bestows individually to researchers doing great work early in their careers as well as the distinction lent to the institution,” said Provost Peggy Agouris. “They’ve added two fresh feathers in our cap. I could not be more proud of Adwait and Oscar for this recognition, and I look forward to seeing what they both accomplish next.”
Both Nadkarni and Chaparro’s projects will involve William & Mary students and lead to mentoring opportunities. Nadkarni will develop two experiential learning activities enhancing security course offerings; the tools developed by Chaparro will be integrated into undergraduate and graduate courses.
As highlighted by Evgenia Smirni, Sidney P. Chockley Professor and computer science department chair, both awards underscore the department’s outstanding research record over the years.
“With these two NSF CAREER awards, the computer science department reaches a total of 18 CAREER awards that its current and former faculty have won while at W&M,” commented Smirni. “Indeed, every single computer science professor hired since 2004 has received at least one CAREER award, rivaling many of the top-ranked research computer science departments in the nation.”
Improving security compliance for smart products
Nadkarni’s project aims to bring about a radical shift in security compliance for smart products, which he defines as the “millions of products that people are using and are connected not only to their digital environment, but also to their physical environment.”
To tackle the privacy and security issues introduced by these products, governments have started outlining regulations and standards, but are not able to directly enforce them. Enforcement of these protocols is delegated to licensed testing laboratories, which are accredited based on their technical capabilities rather than their performance. Vendors who need to certify their smart products will then contract one of the approved testing facilities to carry out a thorough security evaluation.
“We need to help labs get better at doing their evaluations and at actually detecting vulnerabilities. We need to help vendors get better at selecting labs,” summed up Nadkarni. Currently, his project asserts, vendors do not have sufficient criteria to help them choose a testing facility – apart from their own familiarity with certain centers, and the reputation these have.
As pointed out by Nadkarni, good reputation does not always equate with good performance, as it may overlook defects that went undetected for a long time. This may lead to flooding the market with smart products that are fully certified, but still vulnerable, with tangible real-life consequences. For example, non-secure smart locks can let intruders into owners’ homes, and compromised smart appliances such as baby monitors can grant malicious access to the user’s highly private video feed.
Indeed, Nadkarni and his team found vulnerabilities in more than three quarters of the certified products they examined, potentially impacting more than 6 million users. His project will design data-driven methods to ensure that testing centers look for the right vulnerabilities with sufficient rigor and plans to reimagine an effective system automatically evaluating products and providing actionable feedback.
“Our vision is to reform compliance enforcement for this new era of smart products, by empowering the affected party, regulators and consumers with practical tools to objectively measure the performance of the certifying labs at detecting vulnerabilities. This will radically alter the incentive structure ingrained in security compliance enforcement, with objective checks and balances in place,” said Nadkarni, whose project will bring novel contributions at the nexus of security and software engineering.
Nadkarni’s previous work validated security tools, investigating whether they were actually detecting all the vulnerabilities they claimed to. His current CAREER project can be interpreted as a real-world application of the same concept on a wider scale.
“Security compliance enforcement generally leverages the same automated vulnerability detection tools that our previous work has evaluated and developed for smart home products. Building on our previous work, this project is essentially a higher-level security evaluation of the compliance ecosystem, because evaluation is looking for vulnerabilities,” said Nadkarni.
“Our project will generate tangible benefits for consumers in the form of secure smart products and has the potential to increase consumer confidence in and adoption of smart technology.”
Informed decision-making for higher-quality software
The general public – in addition to software developers – will also be able to reap the benefits from Chaparro’s project, which will ultimately lead to higher-quality software.
Chaparro’s project aims to transform the way software developers update software systems through informed decision-making.
“The goal is to assist developers in making the right choices at the moment of modifying the code,” said Chaparro. “These choices would not only implement the required functionality but also improve the code’s internal quality and minimize possible defects we may introduce in our apps and software.”
Uninstalling an app that keeps crashing is a common experience among users; this is only one of the consequences of defective software, which can have a much deeper impact on people and processes.
In the United States alone, low-quality software has cost an estimated $2.4 trillion in 2022, resulting in loss of productivity and disrupting essential business processes.
Defective software does not only affect virtual environments. It can have a very tangible impact in areas such as aviation and health care, leading to thousands of stranded passengers and untreated patients.
“There is a lot of complexity in software, which is made up of hundreds or thousands of components. Software engineers who need to update software systems, for example with new functionalities, need to cope with that complexity and understand how the code works and why it was modified the way it was,” explained Chaparro.
“The problem is that information about prior code changes is hard to get. It is often scattered across various places, from people’s heads to code reviews to email messages. This means that developers may not have all the knowledge they need when changing the code, which may result in poor decisions, low-quality code and defects. We want to solve these challenges, which affect many software users.”
From his own background as a software developer, Chaparro remembered how partial and fragmented documentation could be, with much information coming from people who could move on to different positions at any moment.
“We need ways to help developers better understand the code because previous modifications may not match the mental model of the developer trying to update the code,” he said. “There is often no explanation for previous changes, or it exists, but it’s fragmented.”
Chaparro’s project aims to develop a theory of how developers make code change decisions, addressing a gap in software engineering practice.
“We expect to put together a catalog of patterns in solving code problems, which will allow us to make actionable recommendations to developers on how they should properly change the code,” he said. “Also, we will develop algorithms and tools capturing information about software changes in real-time, making it more accessible to developers who will later update the code. Finally, we will develop algorithms and tools to recommend code changes based on similar issues encountered in previous updates, so that developers learn from past failures and successes.”
Results from this project will be disseminated and shared with the whole community of software developers, “including the open-source community, which many software systems nowadays depend on, and private organizations,” aiming for a radical shift in development practices to produce higher-quality software.
“The educational plan presented in this proposal will educate the next generation of software developers,” commented Chaparro, whose graduate course includes activities that require students to make code changes while documenting the process.
Antonella Di Marzio, Senior Research Writer