Secure Code and Runtime Monitoring
Context and motivation
The goal of the SeCoMo project is to research and improve tools and methods that detect security problems already during the engineering phase. Because security is becoming more and more important, it has to be considered on many levels, especially during the engineering of software.
Software applications are increasingly networked, and the number of cyber-physical systems (CPS) is growing, especially in industry. This networking leads to high security requirements. Information security has long been researched and there are many possible solutions and technologies. However, security has more aspects and has to be dealt with on several levels, which is why the topic of secure coding is increasingly becoming part of software development.
In order to address security already in software engineering, tools are needed that help to analyze software. There are already a number of solutions for this, but many safety problems are still not covered or tools are not yet available in some domains (automation software, IEC code).
In general, SeCoMo focuses on a systematic approach to safe software development that better integrates the different phases of software development. The expertise of the respective domain must be preserved from the specification to the source and binary code up to the execution and must be available for appropriate safety checks throughout the entire chain. This project focuses in particular on the transition from the specification of secure software to secure code and on the other hand on the operation, maintenance and monitoring of executable files on site. This is combined with our expertise in static and dynamic code analysis with respect to security-related issues.
Goals and Innovation
The goal of the SeCoMo project is to research and improve tools and methods that detect security problems already during the engineering phase. Especially because security is becoming more and more important, it has to be taken into account on many levels, especially already during the construction of software.
The central idea is to provide intelligent software analysis that
- Detects security problems in source code and related artifact
- Test the robustness of software in an automated and targeted manner
- Helps developers to implement software securely
- Can be used for industrial and automation software
- Helping to meet standards
For this purpose methods and concepts of static and dynamic program analysis, software repository mining and automated test procedures are used.
- Software Prototypes
- MQTT Protocol Analysis via Fuzztesting
- OPC UA Honey Pot for analysis of possible attacks
- Grammar mining
- Fuzz tester for robustness analyses of software
The project is funded within the framework of COMET - Competence Centers for Excellent Technologies by BMK, BMDW, the Federal Province of Upper Austria and the scientific partners of SCCH. The COMET program is managed by the FFG.
48 months (January 1, 2019 - December 31, 2022)