We can lock our doors, install home security systems, and fend off intruders with guard dogs, but none of those measures can shield our digital world—a world containing precious information about our lives, our work, and our money.
New Internet threats emerge all the time, and industries must employ the latest security measures to combat ever-changing threats. To help industries defend themselves, the Security and Software Engineering Research Center (S2ERC) explores ways to improve such security measures.
What’s in the name?
The S2ERC is a National Science Foundation (NSF) cooperative research project that is headquartered at Ball State. The university has received numerous NSF grants to support the center, including its most recent five-year grant of $521,000.
Working in collaboration with other universities, the center tailors its research to industries’ specific needs, with the goal of improving software products, software development processes, and security systems.
“Basically, what we do is analyze the heck out of software,” says Dolores Zage, research coordinator for the center and assistant professor of computer science.
The S2ERC works to fix and prevent software problems for over 27 large companies and government agencies, such as AT&T, John Deere, NASA, Ontario Systems, Raytheon, Rockwell Collins, and the U.S. Department of Homeland Security.
“We can find errors in your code before you write the code …. using the information in a software design, which comes before the code, much like an architect has a blueprint (design) of a building before the building is constructed,” says center Director Wayne Zage, professor of computer science. “That’s the idea—catch problems early in the life cycle.”
“We created software metrics that highlighted problem areas in the software,” says Dolores. “When you’re developing software, if you had to spend an equal amount of time reviewing every section, you’d never finish or you’d spend too much money, so practitioners kept asking us, ‘Well, where are my problem spots?’ And guess what—those metrics pointed out very well where they were.”
“Motorola used these design metrics to identify where to place testing effort,” says Wayne. “The design metrics can identify modules that could be trouble—stress points. That’s where software developers at Motorola placed their testing effort.”
“Basically it gives you better software. And don’t we all want better software?” Dolores says with a smile.
The S2ERC’s metrics technology has been applied in myriad domains. “We’ve analyzed code from missile defense systems, radar systems, financial systems from the U.S. Army, telecommunications systems, all kinds,” she says. “Our metrics are consistent … identifying stress points in all of those systems.”
With all of this exciting research, those working for the center never run out of things to do. “The research never finishes,” says Dolores. “There’s always an open question. The more you delve, the more detail there is.”
The MIDAS touch
The S2ERC may not specialize in turning code into gold, but its design metrics might be just as valuable. One of its current research areas is MIDAS (Metrics IDentification of Attack Surfaces), which is one way to predict weak areas in software.
To understand MIDAS, recall the movie 300, in which Spartan King Leonidas fends off thousands of Persian soldiers with his small band of 300 during the Battle of Thermopylae. “At the battle … these soldiers were able to stave off thousands because they had that small attack surface (area to protect). They could actually defend that space,” says Dolores. “So naturally, this is the same in software. The smaller your attack surface, the less you have to protect and defend.
“The problem in software is that I only know about the attack surface when the code is done, and that’s very late. I want to predict that attack surface beforehand in the design of the code.”
In addition to the Ball State headquarters, there are three other S2ERC centers at Georgetown University, Iowa State University, and Virginia Tech. Nine additional universities participate in the research, including Indiana schools IPFW, IUPUI, and Purdue University. “Each of these schools brings in a whole set of researchers that complement what we already have—they add to our skill profile so that we can solve unique and different kinds of problems,” says Wayne.
“These centers are set up to solve technical problems in the country,” he says, “and what better way than to work with industry and government agencies and the top researchers in the country to get that done?”
The S2ERC centers actually customize their research efforts based on the needs of the affiliates. The affiliates become members of the S2ERC for a fee and can vote on research projects. About 25 funded projects are worked on at a time.
The affiliates do more than vote, though. “The affiliates are a tremendous bunch. They really add a lot to the center,” Wayne says. “They’re not just managers that come by. They are true technical people. Some have their own patents and some are distinguished researchers in their own right.”
How it all began
In 1976, the National Science Foundation established the Industry/University Cooperative Research Center (I/UCRC) Program to encourage more collaborative endeavors between academia and industry. The S2ERC is one of these established I/UCRC centers. It began in 1986 as the SERC, the Software Engineering Research Center, at Purdue University and the University of Florida in Gainesville, making it the second-oldest center still in operation. Wayne says each I/UCRC center typically has one lead university and other collaborative university sites.
In 2001, the SERC headquarters moved to Ball State. In 2009, Ball State’s center joined with another one, adding “Security and” to its name—hence the S2. Since the 1970s, NSF has established more than 100 I/UCRC centers and continues to establish centers. These centers’ diverse foci include advanced electronics and photonics; advanced manufacturing; advanced materials; biotechnology; civil infrastructure systems; energy and environment; health and safety; information, communication, and computing; and system design and simulation.
The Zages’ design metrics work earned the Alexander Schwarzkopf Prize for Technological Innovation. Each year, all of the I/UCRC centers can nominate one project for this national award, and Ball State’s received the prestigious honor in 2007.
Students who are interested in the S2ERC’s work are welcome to join in. “We’re supporting, through the center, anywhere from four to six students at any given time, and that’s a lot of fun,” says Wayne. “Our work has led to over 50 master’s theses and creative projects at Ball State.”
The university has helped the center achieve its goals. “Ball State’s been really supportive,” he says. “We could never do this without Ball State, at all levels.”