Congratulations to our own John Slankas, who passed his CSC890 Written Preliminary Exam today. Way to go, John!
Title: Extracting Database RBAC from Uncontrolled Natural Language Text
Place: EBII Room 3300
Dr. Laurie Williams (advisor)
Dr. Rada Chirkova
Dr. George Rouskas (department representative)
Despite numerous proposed mitigation techniques, authorization issues continue to plague organizations that rely on software to appropriately control people’s access to restricted information. Although software can and does implement access control at the application layer, failure to authorize data access at the persistence layer with applications often causes these issues. The research goal is to improve security and compliance by ensuring policy and access controls defined within existing natural language texts are appropriately implemented within a system’s persistence layer. A tool-based process is proposed to 1) parse existing, unaltered natural language documents such as requirements and policy statements, 2) extract access control elements, and 3) automatically generate the necessary commands to enforce role-based access control within a relational database. To evaluate the process, 550 unaltered statements from a system’s requirement document were analyzed. The k-nearest neighbor classifier with a unique distance metric had a precision of 0.90 and a recall of 0.91, outperforming the random guess, which had a precision of 0.72 and a recall of 0.73. The process correctly identified and mapped 80% of the physical database tables within the evaluated system. The results demonstrate our process can successfully extract access control elements and established database role-based access control.
Congratulations to Realsearch’s own Jason King, who just recently passed his CSC890 Written prelim exam! Jason is now in the realm of determining what his dissertation research will focus on.
Written Qualifier Examination (CSC890) for Jason King
Title: “Evaluating Open-source Electronic Health Record Audit Mechanisms: General Guidelines are Inadequate ”
Date: November 1, 2011
Time: 10:30 am
Place: EB II, Room 3300
Dr. Laurie Williams (advisor)
Dr. Annie Antón (subject area representative)
Dr. Munindar Singh (Chair and departmental representative)
Electronic health record (EHR) systems remain vulnerable to undetected misuse with inadequate software audit mechanisms. Users could delete protected health information without a trace. The objective of this paper is to assess electronic health record audit mechanisms to determine the current degree of auditing for non-repudiation and to assess whether general audit guidelines adequately address non-repudiation. We derive 16 general auditable event types that affect non-repudiation based upon four publications. We qualitatively assess three open-source EHR systems to determine if the systems log these 16 general event types. We find that the systems log an average of 12.5% of these general event types. We also generate 58 black-box test cases based on specific auditable events derived from Certification Commission for Health Information Technology criteria. We find that only 4.02% of these tests pass. Additionally, 20% of these tests fail in all three EHR systems. As a result, actions including the modification of patient demographics and assignment of user privileges can be executed without a trace of the user performing the action. The ambiguous nature of general auditable events may explain the inadequacy of auditing for non-repudiation. EHR system developers should focus on specific auditable events for managing protected health information instead of general events derived from guidelines.
The Realsearch group would like to congratulation Andrew Austin, who just recently passed his Master’s examination. His thesis title: “Improving the Security of Electronic Health Record Systems”.
Master’s Exam for Andrew Austin
Title: “Improving the Security of Electronic Health Record Systems”
Date: October 18th, 2011
Time: 11:30 AM – 1:30 PM
Room: EBII, Room 3300
Dr. Laurie Williams (Chair and Advisor)
Dr. Annie Antón
Dr. Emerson Murphy-Hill
In the United States, the American Recovery and Reinvestment Act of 2009 (ARRA) provides monetary incentives to healthcare providers for using electronic health record (EHR) systems rather than paper records. By 2015, the ARRA also introduces financial penalties for providers who fail to adopt EHR systems. These legislated financial incentives and penalties are driving mass adoption of EHR systems. How secure are these certified EHR systems? In our research, we examined two questions pertaining to improving the security of electronic health record systems: 1.) Are there any weaknesses in the existing security certification criteria that we can improve on? 2.) How can we improve vulnerability detection efforts in large scale software systems such as electronic medical record systems? In order to invesigate these questions, we conducted two case studies to address our first research question, and one case study to address the second. These case studies were conducted by evaluating the security of three EHR systems. Based on the results of our first two case studies, we recommend augmenting the existing security criteria with misuse cases to better model attacker behavior. We also recommend using the augmented security criteria as entry criteria to the EHR certification
process. Before spending time certifying EHR systems for functionality, certification bodies should have confidence that basic security issues have been addressed. In our third case study, we found empirical evidence that no single technique discovered every type of vulnerability. We discovered almost no individual vulnerabilities with multiple discovery techniques. We also found that systematic manual penetration testing found the most design flaws, while static analysis found the most implementation bugs. Finally, we found the most effective vulnerability discovery technique in terms of vulnerabilities discovered per hour was automated penetration testing. These results suggest that if one has limited time to preform
vulnerability discovery one should conduct automated penetration testing to discover implementation bugs and systematic manual penetration testing to discover design flaws.
J. King, B. Smith, L. Williams, “Modifying Without a Trace: General Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms”, Proceedings of the International Health Informatics Symposium (IHI 2012), to appear, 2012.
Without adequate audit mechanisms, electronic health record (EHR) systems remain vulnerable to undetected misuse. Users could modify or delete protected health information without these actions being traceable. The objective of this paper is to assess electronic health record audit mechanisms to determine the current degree of auditing for non-repudiation and to assess whether general audit guidelines adequately address non-repudiation. We derived 16 general auditable event types that affect non-repudiation based upon four publications. We qualitatively assess three open-source EHR systems to determine if the systems log these 16 event types. We find that the systems log an average of 12.5% of these event types. We also generated 58 black-box test cases based on specific auditable events derived from Certification Commission for Health Information Technology criteria. We find that only 4.02% of these tests pass. Additionally, 20% of tests fail in all three EHR systems. As a result, actions including the modification of patient demographics and assignment of user privileges can be executed without a trace of the user performing the action. The ambiguous nature of general auditable events may explain the inadequacy of auditing for non-repudiation. EHR system developers should focus on specific auditable events for managing protected health information instead of general events derived from guidelines.
Our own Dr. Laurie Williams will be a full professor August 16th.
B. Smith, “Systematizing Security Test Case Planning Using Functional Requirements Phrases“, Proceedings of the International Conference on Software Engineering Doctoral Symposium (ICSE Doctoral Symposium), Honolulu, Hawaii, pp. 1136-1137, 2011.
Security experts use their knowledge to attempt attacks on an application in an exploratory and opportunistic way in a process known as penetration testing. However, building security into a product is the responsibility of the whole team, not just the security experts who are often only involved in the final phases of testing. Through the development of a black box security test plan, software testers who are not necessarily security experts can work proactively with the developers early in the software development lifecycle. The team can then establish how security will be evaluated such that the product can be designed and implemented with security in mind. The goal of this research is to improve the security of applications by introducing a methodology that uses the software system’s requirements specification statements to systematically generate a set of black box security tests. We used our methodology on a public requirements specification to create 137 tests and executed these tests on five electronic health record systems. The tests revealed 253 successful attacks on these five systems, which are used to manage the clinical records for approximately 59 million patients, collectively. If non-expert testers can surface the more common vulnerabilities present in an application, security experts can attempt more devious, novel attacks.
B. Smith, L. Williams, “Using SQL Hotspots in a Prioritization Heuristic for Detecting All Types of Web Application Vulnerabilities“, Proceedings of the International Conference on Software Testing, Verification and Validation (ICST 2011), Berlin, Germany, pp. 220-229, 2011.
Development organizations often do not have time to perform security fortification on every file in a product before release. One way of prioritizing security efforts is to use metrics to identify core business logic that could contain vulnerabilities, such as database interaction code. Database code is a source of SQL injection vulnerabilities, but importantly may be home to unrelated vulnerabilities. The goal of this research is to improve the prioritization of security fortification efforts by investigating the ability of SQL hotspots to be used as the basis for a heuristic for prediction of all vulnerability types. We performed empirical case studies of 15 releases of two open source PHP web applications: WordPress, a blogging application, and WikkaWiki, a wiki management engine. Using statistical analysis, we show that the more SQL hotspots a file contains per line of code, the higher the probability that file will contain any type of
Congratulations to Eric Helms on successfully completing his Written Preliminary exam. Way to go, Eric!
Title: “Evaluating Access Control of Open Source Electronic Health Record Systems”
Date: April 20, 2011
Time: 10:00 am
Place: EB II, Room 3300
Dr. L Williams (advisor)
Dr. T. Xie (area representative)
Dr. B. Watson (chair and departmental representative)
Incentives and penalties for healthcare providers as laid out in the American Recovery and Reinvestment Act of 2009 have caused tremendous growth in the development and installation of electronic health record (EHR) systems in the US. For the benefit of protecting patient privacy, regulations and certification criteria related to EHR systems stipulate the use of access control of protected health information. The goal of this research is to guide development teams, regulators, and certification bodies by assessing the state of the practice in EHR access control. In this paper, we present a compilation of 25 criteria relative to access control in EHR systems found in the Health Insurance Portability and Accountability Act (HIPAA) regulation, meaningful use certification criteria, best practices embodied in theNational Institute for Standards and Technology (NIST) role-based access control standard, and other best practices found in the literature. We then examine the state of the practice in accesscontrol by evaluating four open source EHR systems using these 25 evaluation criteria. Our research indicates that the NIST Meaningful Use criteria provide HIPAA compliance, but none of the regulatory and certification criteria address the implementation standards, and best practices related to access control. Additionally, our results indicate that open source EHR system designers are not implementing robust access control mechanisms for the adequate protection of patient data.
Congratulations to our own Andy Meneely, who has passed his final PhD defense!
Title: “Investigating the Relationship between Developer Collaboration and Software Security”
Date: April 18, 2011
Time: 9:30 am
Place: EBII, Room 3211
Dr. Laurie Williams (advisor)
Dr. Tao Xie
Dr. Annie I. Anton
Dr. Jason Osborne
With each new developer to a software development team comes a greater challenge to manage the communication, coordination, and knowledge transfer amongst teammates. Lack of team cohesion, miscommunications, and misguided effort can lead to all kinds of problems, including security vulnerabilities and other quality concerns. In large software development projects, no single person can possibly know every aspect of the system, so the team members must be organized into various structures of communication and coordination. An understanding of developer collaboration from the perspective of the entire team could help the improvement of structuring development efforts.
This dissertation is comprised of three research projects surrounding what we call developer activity metrics. Mostly based on social network analysis, developer activity metrics are designed to quantify how groups of software developers are working with each other. Developer activity data originate from software development artifacts such as version control change logs and issue tracking systems. The developer activity data is transformed into a developer network designed to represent the socio-technical organization of labor in a team, specifically “who is working with whom” within the scope of a given development project. In the first study, we examine Linus’ Law in three open source products by analyzing statistical correlations between developer activity metrics and post-release security vulnerabilities at the source code file level. In the second project, we surveyed developers from the same three open source projects and found that developers’ perceptions of collaboration and expertise corroborate evidence of collaboration and expertise in developer activity metrics. Lastly, we gathered the results from the related work both inside software engineering and in the field of socio-technical research in general. We synthesized our results into a single paradigm with conjectures for future socio-technical research in software engineering.