Skip to main content

Understanding Human Error in Software Vulnerabilities

Primary Investigators:
Kevin Leach, Assistant Professor, Computer Science
Brief Description of Project:

Software defects lead to critical vulnerabilities that threaten disclosing sensitive information, disabling critical infrastructure, or risk human life and limb.  While many complex systems and techniques have been developed to automatically find certain classes of vulnerabilities automatically in software, little work has investigated the role the human developer plays in creating software defects.  This project focuses on understanding how and why human software developers mistakenly create software defects that lead to security vulnerabilities. 

During this project, the student will develop an interface for collecting human subject data.  In particular, we will design experiments that measure which defects humans are more likely to overlook, and what analyses we can conduct on source code to make vulnerabilities more apparent.  The end result will be a suite of indicative software vulnerabilities as well as a web-based interface for collecting human subject data.  We will run a pilot study by the end of the study, which will directly contribute to a longer-term study suitable for publication.

Desired Qualifications:
Students who are studying computer science and/or psychology are preferred.  Sophomore standing or higher is preferred.  Students should be willing to learn Python and Bash scripting, as well as tools for understanding software vulnerabilities like Ghidra or Infer.
Nature of Supervision:
Prof. Kevin Leach will routinely meet with the student once per week, where we will discuss plans to execute tasks.  In particular, the first few weeks will establish a plan to building a human subject study, and the student will spend the summer executing on that plan with regular progress expected.
A Brief Research Plan (period is for 10 weeks):
Week 1 - Study software vulnerabilities and software engineering practices
Weeks 2/3 - Develop indicative suite of vulnerabilities
Week 4 - Analyze candidate vulnerabilities and taxonomize as appropriate
Weeks 5/6 - Develop concrete research questions for quantifying human subject performance
Week 7 - Incorporate vulnerabilities into a web-based interface
Weeks 8/9 - Recruit pilot study participants, Analyze pilot study data and incorporate feedback into interface
Week 10 - Write up documentation, a final summary, and a presentation of accomplishments
Number of Open Slots: 2
Contact Information:
Name: Kevin Leach
Department: Computer Science