Virginia Tech and UW-Madison awarded NSF funding to help developers write more secure code

Daphne Yao and Na Meng of Virginia Tech and Barton Miller of the University of Wisconsin-Madison have been awarded $1.2 million over four years by the National Science Foundation Secure and Trustworthy Cyberspace Program for their project entitled “Deployment-quality and Accessible Solutions for Cryptography Code Development.” The goal of the project is to help developers more easily write secure code. Yao says that she, Meng, and Miller are “very enthusiastic about helping improve the security quality of software production and transitioning research results to practice to solve real-world problems.”

Yao explains that vulnerabilities in cryptographic implementations seriously reduce the security guarantees of algorithms in practice and lead to attacks. Automatic code checking is often used to fix the vulnerable code problems, but existing code verification tools, which are often deficient in accuracy and scalability, cannot adequately cover cryptographic properties. The technology in this transition-to-practice project is to help secure cryptographic implementations, which are the foundation of many advanced systems. By making relevant research solutions deployment-grade, this effort can substantially improve the cryptographic coding practice and benefit software developers in all professions.

The project’s objective is to transition multiple secure cryptographic coding research solutions to practice and make it convenient and accessible to automatically screen programs against a wide range of cryptographic implementation vulnerabilities or misuses. The main technical enabler is a high precision and high throughput approach based on specialized program analysis techniques called CryptoGuard. CryptoGuard can detect a wide range of cryptographic misuses with ultra-low false alarm rates when used on complex and large-scale Java programs. The project leverages multiple popular software development and software security platforms to make these tools effective in production environments. The systematic benchmark and measurement work is designed to advance the science of security and substantially raises the standard and quality of cryptographic code screening.

More information about CrypoGuard can be found in this paper, which first appeared in the 2019 proceedings of the ACM Conference on Computer and Communications Security (CCS). ACM CSS is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM). 

Broad impacts for this project include developing online resources and in-person workshops and tutorials to train the current and next generations of professionals and leaders, which over time will significantly raise the awareness of secure coding; broadening the participation of computing (BPC) to allow K-12 children and people from underrepresented groups to get exposure to advanced computing knowledge; and substantially improving the cryptographic coding practice to benefit software developers in all professions.

Daphne Yao is a professor in the Department of Computer Science at Virginia Tech. She is the Elizabeth and James E. Turned Jr. ‘56 Faculty Fellow and CACI Faculty Fellow. Yao’s expertise is on software and system security, with a focus on detection and prediction accuracy. 

Na Meng is an assistant professor in the Department of Computer Science at Virginia Tech. Her main research interests are in software engineering and programming languages.

Barton Miller is the Vilas Distinguished Achievement Professor and Amar & Belinder Sohi Professor in Computer Science in the Department of Computer Sciences at the University of Wisconsin-Madison. He is also Chief Scientist of the DHS-funded Software Assurance Marketplace (SWAMP) research center. Miller’s main research areas are distributed and parallel program performance and tools, binary code analysis and instrumentation, computer security, scalable systems, operating systems, software testing.