From Rochester Institute of Technology (US) : “RIT researchers are making software secure by design”

From Rochester Institute of Technology (US)

April 2, 2021
Scott Bureau

Faculty and students create tools to help engineers and programmers build better software.

Joanna C. S. Santos, a computing and information sciences Ph.D. student, is developing ways to detect software design problems by analyzing a program’s source code. She is part of a team of RIT researchers working to analyze and change the way people create and maintain complex software systems. Credit: Gabrielle Plucknette-DeVito.

In the Global Cybersecurity Institute’s new research space, RIT experts are tackling some of the most pressing computing security problems of today.

These researchers include Mehdi Mirakhorli, associate professor of software engineering, and his student team. Together, they are working to make large-scale software systems more secure and resilient.

“Fifty percent of vulnerabilities in today’s software systems are because of design flaws,” said Mirakhorli, who was named Kodak Endowed Scholar in the Golisano College of Computing and Information Sciences. “Today, we patch security bugs, but we don’t get to the root of the problem and identify architectural flaws in the software.”

Software architecture goes beyond just code, explained Mirakhorli. It starts by looking at the unique set of goals that a system needs to accomplish. Whether it’s a banking system or electronic medical records, most software requires reliability, availability, security and performance. However, if the pieces don’t fit together perfectly, the whole system can crumble.

“Not all programmers are designers that understand these important software design principles,” said Mirakhorli. “However, it takes years of experience to become a designer and they are expensive, so we have fewer of them in the industry.”

To help fill this knowledge gap, and make it easier for programmers to put design first, Mirakhorli and his team are finding ways to make software design more intuitive. With more than $4 million in support from the National Science Foundation (US) (NSF), Defense Advanced Research Projects Agency (US) (DARPA) and other organizations, they are developing tools and techniques to help coders take an architectural approach to software design.

Changing the culture of development

As a teacher, Mirakhorli noticed a lack of emphasis on design thinking in the classroom. Many computing students don’t learn about software architecture until the end of college or even when they’re already in industry.

That’s why Mirakhorli made it his long-term goal to synthesize software design into something more intuitive particularly for new learners and novice programmers.

In 2020, he received a prestigious NSF Faculty Early Career Development (CAREER) award for his efforts in software architecture.

His project aims to change software design and programming from a purely manual and exclusive task to one in which a programmer and an automated design synthesis tool collaborate to generate a software design and implementation that meets its quality attribute scenarios.

“I’m essentially creating a new programming language that makes it easier for people to express design intent,” said Mirakhorli. “This tool would walk programmers through architecture step-by-step and tell them if they’re violating any design principles. This will lead to fewer errors and security problems.”

For example, a programmer who is excited about adding a login and password to their system, might not know exactly where to place their technology. If they locate it on the client-side, they could expose their system to an authentication bypass vulnerability.

With Mirakhorli’s tool in-hand, a programmer would automatically be made aware of this vulnerability and learn how to mitigate it.

As part of the CAREER award, Mirakhorli is looking at software design from a cognitive perspective. He meets with new students, novice programmers and expert designers to learn how different people approach architecture problems. He is also developing artificial intelligence that can learn best practices from good software systems out in the world today.

“With this new tool, everyone can start using design thinking from the very beginning,” Mirakhorli said. “This will make our software secure by construction.”

Tools to guide good architecture

The RIT research team is also developing tools and techniques that can be used by programmers to detect more vulnerabilities and be more productive.

To better understand current architectural vulnerabilities, Mirakhorli’s team cataloged more than 200 known architectural flaws that can lead to security vulnerabilities. The project is called the Common Architectural Weaknesses Enumeration and it’s supported by the National Cyber Security Division at the Department of Homeland Security and MITRE Corp.

In another study, Danielle Gonzalez, a computing and information sciences Ph.D. student, and Mirakhorli examined common security architectural weaknesses in Industrial Control Systems (ICS)—the units that support manufacturing, electrical power grids and many other critical infrastructures.

After looking at nearly 1,000 vulnerability reports, the team found that almost 63 percent of vulnerability disclosures in ICS had an architectural root cause. The most common architectural weakness was improper input validation. The human-machine interfaces in these systems happened to be the most affected components.

“Many of these systems were not originally designed with internet connectivity in mind, but they are being adapted with new technology that allows managers to do things like monitor a station from their smartphone,” said Gonzalez, who is from Franklinville, N.Y. “We need to pay attention to these security issues and how adding technology affects the architecture.”

Using these findings, the researchers in RIT’s Software Design and Productivity Lab are creating guidelines that can help current programmers with resilient architecture, testing validation and using application programming interfaces (API).

In a project funded by DARPA, Mirakhorli is detecting design flaws at the model level, to ensure that systems are reliable and resilient to cyber incidents. The project, called Achilles, looks for any major architecture weaknesses that could bring a system down entirely.

“For example, if any software module on an airplane crashes mid-flight, we still want it to be reactive to ensure that the plane is functional,” said Mirakhorli. “We want to make sure that fault detection and recovery mechanisms don’t have any design flaws that compromise safety and resiliency.”

In another project, Gonzalez is supporting developers' efforts to test their implementations of security-related design decisions by creating a guide for unit testing authentication.

“Programmers are not necessarily used to writing security-minded test cases, so these resources help by explaining exactly what to test for security-related code and how to test it,” said Gonzalez. “As we work to incorporate security into earlier phases of software development, it’s important to support programmers as they adjust to these changes.”

Another important concern that researchers have regarding software architecture is making sure it is correctly implemented in a program. Ali Shokri, a computing and information sciences Ph.D. student from Iran, is developing an approach—called ArCode—that helps programmers correctly implement architectural tactics and patterns.

ArCode aims to work as a learning process, inferring correct ways to incorporate the APIs of application frameworks in a program. It then analyzes the code under development to identify deviations from the correct implementation. Finally, it provides recommendations on how to fix the problem.

With this approach, Shokri hopes to find errors that compilers are not able to identify—known as semantic errors—and help programmers fix them to avoid software crashes at runtime, which can cause severe damage.

RIT researchers have other answers for coding problems too. Joanna C. S. Santos, a computing and information sciences Ph.D. student, wants to help programmers who make simple mistakes in input validation. She is creating DODO, a tool that automatically analyzes a program’s source code.

“It’s like when you forget to lock your door—mistakes happen,” said Santos, who is from Brazil. “Programmers will miss a validation or have a broken validation.”

For the project, she looked at three large open source systems and found that input validation problems were the most common error in that software. By observing common validation problems and using artificial intelligence to collect data, Santos is working to develop a sound program analysis that allows her tool to pinpoint where errors might occur.

Learn more about RIT’s computing security research on the Global Cybersecurity Institute website.

See the full article here.


Please help promote STEM in your local schools.

Stem Education Coalition

Rochester Institute of Technology (RIT)(US) is a private doctoral university within the town of Henrietta in the Rochester, New York metropolitan area.

RIT is composed of nine academic colleges, including National Technical Institute for the Deaf(RIT)(US). The Institute is one of only a small number of engineering institutes in the State of New York, including New York Institute of Technology, SUNY Polytechnic Institute, and Rensselaer Polytechnic Institute(US). It is most widely known for its fine arts, computing, engineering, and imaging science programs; several fine arts programs routinely rank in the national “Top 10” according to US News & World Report.

The university offers undergraduate and graduate degrees, including doctoral and professional degrees and online masters as well.

The university was founded in 1829 and is the tenth largest private university in the country in terms of full-time students. It is internationally known for its science; computer; engineering; and art programs as well as for the National Technical Institute for the Deaf- a leading deaf-education institution that provides educational opportunities to more than 1000 deaf and hard-of-hearing students. RIT is known for its Co-op program that gives students professional and industrial experience. It has the fourth oldest and one of the largest Co-op programs in the world. It is classified among “R2: Doctoral Universities – High research activity”.

RIT’s student population is approximately 19,000 students, about 16,000 undergraduate and 3000 graduate. Demographically, students attend from all 50 states in the United States and from more than 100 countries around the world. The university has more than 4000 active faculty and staff members who engage with the students in a wide range of academic activities and research projects. It also has branches abroad, its global campuses, located in China, Croatia and United Arab Emirates (Dubai).

Fourteen RIT alumni and faculty members have been recipients of the Pulitzer Prize.


The university began as a result of an 1891 merger between Rochester Athenæum, a literary society founded in 1829 by Colonel Nathaniel Rochester and associates and The Mechanics Institute- a Rochester school of practical technical training for local residents founded in 1885 by a consortium of local businessmen including Captain Henry Lomb- co-founder of Bausch & Lomb. The name of the merged institution at the time was called Rochester Athenæum and Mechanics Institute (RAMI). The Mechanics Institute however, was considered as the surviving school by taking over The Rochester Athenaeum’s charter. From the time of the merger until 1944 RAMI celebrated The former Mechanics Institute’s 1885 founding charter. In 1944 the school changed its name to Rochester Institute of Technology and re-established The Athenaeum’s 1829 founding charter and became a full-fledged research university.

The university originally resided within the city of Rochester, New York, proper, on a block bounded by the Erie Canal; South Plymouth Avenue; Spring Street; and South Washington Street (approximately 43.152632°N 77.615157°W). Its art department was originally located in the Bevier Memorial Building. By the middle of the twentieth century, RIT began to outgrow its facilities, and surrounding land was scarce and expensive. Additionally in 1959 the New York Department of Public Works announced a new freeway- the Inner Loop- was to be built through the city along a path that bisected the university’s campus and required demolition of key university buildings. In 1961 an unanticipated donation of $3.27 million ($27,977,071 today) from local Grace Watson (for whom RIT’s dining hall was later named) allowed the university to purchase land for a new 1,300-acre (5.3 km^2) campus several miles south along the east bank of the Genesee River in suburban Henrietta. Upon completion in 1968 the university moved to the new suburban campus, where it resides today.

In 1966 RIT was selected by the Federal government to be the site of the newly founded National Technical Institute for the Deaf (NTID). NTID admitted its first students in 1968 concurrent with RIT’s transition to the Henrietta campus.

In 1979 RIT took over Eisenhower College- a liberal arts college located in Seneca Falls, New York. Despite making a 5-year commitment to keep Eisenhower open RIT announced in July 1982 that the college would close immediately. One final year of operation by Eisenhower’s academic program took place in the 1982–83 school year on the Henrietta campus. The final Eisenhower graduation took place in May 1983 back in Seneca Falls.

In 1990 RIT started its first PhD program in Imaging Science – the first PhD program of its kind in the U.S. RIT subsequently established PhD programs in six other fields: Astrophysical Sciences and Technology; Computing and Information Sciences; Color Science; Microsystems Engineering; Sustainability; and Engineering. In 1996 RIT became the first college in the U.S to offer a Software Engineering degree at the undergraduate level.


RIT has nine colleges:

RIT College of Engineering Technology
Saunders College of Business
B. Thomas Golisano College of Computing and Information Sciences
Kate Gleason College of Engineering
RIT College of Health Sciences and Technology
College of Art and Design
RIT College of Liberal Arts
RIT College of Science
National Technical Institute for the Deaf

There are also three smaller academic units that grant degrees but do not have full college faculties:

RIT Center for Multidisciplinary Studies
Golisano Institute for Sustainability
University Studies

In addition to these colleges, RIT operates three branch campuses in Europe, one in the Middle East and one in East Asia:

RIT Croatia (formerly the American College of Management and Technology) in Dubrovnik and Zagreb, Croatia
RIT Kosovo (formerly the American University in Kosovo) in Pristina, Kosovo
RIT Dubai in Dubai, United Arab Emirates
RIT China-Weihai Campus

RIT also has international partnerships with the following schools:

Yeditepe University in Istanbul, Turkey
Birla Institute of Technology and Science in India
Pontificia Universidad Catolica Madre y Maestra (PUCMM) in Dominican Republic
Instituto Tecnológico de Santo Domingo (INTEC) in Dominican Republic
Universidad Tecnologica Centro-Americana (UNITEC) in Honduras
Universidad del Norte (UNINORTE) in Colombia
Universidad Peruana de Ciencias Aplicadas (UPC) in Peru


RIT’s research programs are rapidly expanding. The total value of research grants to university faculty for fiscal year 2007–2008 totaled $48.5 million- an increase of more than twenty-two percent over the grants from the previous year. The university currently offers eight PhD programs: Imaging science; Microsystems Engineering; Computing and Information Sciences; Color science; Astrophysical Sciences and Technology; Sustainability; Engineering; and Mathematical modeling.

In 1986 RIT founded the Chester F. Carlson Center for Imaging Science and started its first doctoral program in Imaging Science in 1989. The Imaging Science department also offers the only Bachelors (BS) and Masters (MS) degree programs in imaging science in the country. The Carlson Center features a diverse research portfolio; its major research areas include Digital Image Restoration; Remote Sensing; Magnetic Resonance Imaging; Printing Systems Research; Color Science; Nanoimaging; Imaging Detectors; Astronomical Imaging; Visual Perception; and Ultrasonic Imaging.

The Center for Microelectronic and Computer Engineering was founded by RIT in 1986. The university was the first university to offer a bachelor’s degree in Microelectronic Engineering. The Center’s facilities include 50,000 square feet (4,600 m^2) of building space with 10,000 square feet (930 m^2) of clean room space. The building will undergo an expansion later this year. Its research programs include nano-imaging; nano-lithography; nano-power; micro-optical devices; photonics subsystems integration; high-fidelity modeling and heterogeneous simulation; microelectronic manufacturing; microsystems integration; and micro-optical networks for computational applications.

The Center for Advancing the Study of CyberInfrastructure (CASCI) is a multidisciplinary center housed in the College of Computing and Information Sciences. The Departments of Computer science; Software Engineering; Information technology; Computer engineering; Imaging Science; and Bioinformatics collaborate in a variety of research programs at this center. RIT was the first university to launch a Bachelor’s program in Information technology in 1991; the first university to launch a Bachelor’s program in Software Engineering in 1996 and was also among the first universities to launch a Computer science Bachelor’s program in 1972. RIT helped standardize the Forth programming language and developed the CLAWS software package.

The Center for Computational Relativity and Gravitation was founded in 2007. The CCRG comprises faculty and postdoctoral research associates working in the areas of general relativity; gravitational waves; and galactic dynamics. Computing facilities in the CCRG include gravitySimulator, a novel 32-node supercomputer that uses special-purpose hardware to achieve speeds of 4TFlops in gravitational N-body calculations, and newHorizons, a state-of-the art 85-node Linux cluster for numerical relativity simulations.

gravitySimulator at the Center for Computational Relativity and Gravitation, RIT, Rochester, New York, USA.

The Center for Detectors was founded in 2010. The CfD designs; develops; and implements new advanced sensor technologies through collaboration with academic researchers; industry engineers; government scientists; and university/college students. The CfD operates four laboratories and has approximately a dozen funded projects to advance detectors in a broad array of applications, e.g. astrophysics; biomedical imaging; Earth system science; and inter-planetary travel. Center members span eight departments and four colleges.

RIT has collaborated with many industry players in the field of research as well, including IBM; Xerox; Rochester’s Democrat and Chronicle; Siemens; National Aeronautics Space Agency(US); and the Defense Advanced Research Projects Agency (US) (DARPA). In 2005, it was announced by Russell W. Bessette- Executive Director New York State Office of Science Technology & Academic Research (NYSTAR), that RIT would lead the SUNY University at Buffalo (US) and Alfred University (US) in an initiative to create key technologies in microsystems; photonics; nanomaterials; and remote sensing systems and to integrate next generation IT systems. In addition, the collaboratory is tasked with helping to facilitate economic development and tech transfer in New York State. More than 35 other notable organizations have joined the collaboratory, including Boeing, Eastman Kodak, IBM, Intel, SEMATECH, ITT, Motorola, Xerox, and several Federal agencies, including NASA.

RIT has emerged as a national leader in manufacturing research. In 2017, the U.S. Department of Energy selected RIT to lead its Reducing Embodied-Energy and Decreasing Emissions (REMADE) Institute aimed at forging new clean energy measures through the Manufacturing USA initiative. RIT also participates in five other Manufacturing USA research institutes.