NSF Supports Researchers’ Use of Psychology to Detect Software Vulnerabilities

Most software bug-finding tools require a developer to know that a problem exists and then to write code to check for it.

Researchers are now pursuing software that would find bugs even when developers do not understand a security problem—in so-called “developer blind spots.” Much like blind spots in a car, the developer cannot see issues within such areas, making them prime candidates for attacks.  For example, a database programmer may expect that a user’s input will only be treated as data, but in the commonplace SQL injection attack, data is transformed into database commands. 

The National Science Foundation awarded $233,000 for a two-year investigation of these software blind spots to Assistant Professor Justin Cappos and Research Assistant Professor Yanyan Zhuang, both of the Computer Science and Engineering Department of the NYU Polytechnic School of Engineering, and Assistant Professor Martin Yeh of Pennsylvania State University. This work will bring together experts from psychology, software engineering, and security.

Research Assistant Professor Yanyan Zhuang

Some preliminary work (in collaboration with Daniela Oliveira of the University of Florida) has already shown encouraging results, with papers accepted at the New Security Paradigms Workshop (NSPW 2014) and the 30th Annual Computer Security Applications Conference (ACSAC 2014).  A pilot study with 47 developers demonstrated that most developers do not consider security while coding; however, priming developers with information about potential blind spots helped them accurately identify and understand vulnerabilities.

The research seeks to understand the psychological underpinnings of security bugs.  Furthermore, by incorporating bug information into intelligent tutors or checking tools, psychological information from one set of users might help others.