Mazurek, Hicks Receive Google Faculty Research Award
Two faculty researchers in the Maryland Cybersecurity Center (MC2) recently received funding from Google to develop tools and strategies that encourage software developers to write more secure code.
Michelle Mazurek, an assistant professor of computer science, and Michael Hicks, a professor of computer science, received a $55,000 Google Faculty Research Award for a project that builds upon previous work.
The goal of the Google-funded project, Mazurek says, is to combine controlled experiments with observations from the Build It, Break It, Fix It contest—a unique cybersecurity competition conceived in 2013 by Hicks—and learn what tools and strategies work best when real developers use them.
“Despite many years of software security research, well-known security bugs continue to reappear,” says Mazurek. “In this work, we want to understand how and why these bugs continue to recur in practice, and what tools or strategies really work best to prevent them."
After running Build It, Break It, Fix It multiple times, Hicks and Mazurek co-authored a paper along with Dave Levin, an assistant professor of computer science with an appointment in MC2, that shares observations from the competition. They looked closely at 116 teams faced with two programming problems, finding that the most efficient contest submissions used the C/C++programming language, but submissions coded in other, statically typed languages were less likely to have a security flaw.
Additionally, teams with diverse programming-language knowledge also produced more secure code.
“These results validate some existing beliefs about how to promote secure development—for example, using safer languages—and also point to new questions about additional factors that contribute to secure development,” Mazurek says.
Mazurek, who is the principal investigator of the Google award, says the funding also supports another project she is working on that examines how vulnerabilities in Android code have enabled real-world privacy leaks.
Security experts have speculated that appification—the term used to describe a rapidly increasing mobile environment—promotes security problems, Mazurek says, as it increasingly allows inexperienced laymen to develop complex and sensitive apps.
Mazurek’s recent research looks into this phenomenon, systematically analyzing how the use of information resources impacts code security.
Her research group authored a paper based on a survey of 295 app developers who have published in the Google Play marketplace. Based on survey results, the group conducted a follow-up study with 54 Android developers (students and professionals), where participants were charged with writing security- and privacy- relevant code under time constraints.
The study found that developers who were required to use only the Stack Overflow website—where developers ask and answer questions about programming—were more likely to get their code running in wihin the short time frame; however, the results were less secure than for developers who were required to use official Android documentation.
“These results suggest that we need a new approach to documentation, one that combines the user-friendliness and responsiveness of Stack Overflow with the security and correctness properties of official documentation,” Mazurek says.
Google Faculty Research Awards are one-year awards structured as unrestricted gifts. The funding supports research for permanent faculty members at top universities around the world who are pursuing cutting-edge research in areas of mutual interest.
In addition to their affiliation with MC2, Mazurek, Hicks and Levin all have appointments in the University of Maryland Institute for Advanced Computer Studies (UMIACS).
MC2 is supported by the College of Computer, Mathematical, and Natural Sciences and the A. James Clark School of Engineering. It is one of 16 centers and labs in UMIACS.
—Story by Melissa Brachfeld
February 28, 2017