(Model-based) Continuous Secure Evolution of Software Systems' Artefacts.
Location: IMT Atlantique, Brest
Start date: September/October 2021
Keywords: software engineering, software evolution, security, model-driven engineering.
Team: P4S/SHARP/LabSTICC (UMR 6285)
Contact: Salvador Martínez: salvador.martinez(at)imt-atlantique.fr & Fabien Dagnat: fabien.dagnat(at)imt-atlantique.fr
Applications are invited for a PhD position on model-driven engineering and security. In summary, the project aims to study how model-based integration, analysis and co-evolution techniques can be applied to evolution scenarios involving security properties and requirements (e.g., by dealing with the interplay between architecture models, behaviour models, generated code and security policies at evolution time).
The student will work in the P4S team at IMT Atlantique & Lab-STICC (CNRS), Brest, France. The position is for 3 years from September/October 2021.
Master’s degree or equivalent in Computer Science, with a specialization in Software Engineering
Knowledge of or special interest in security, e.g. privacy, confidentiality, etc. (ideally)
Knowledge of or special interest in model-driven engineering and related frameworks such as EMF (desired)
Solid software development and programming skills (mandatory)
Good communication skills in English (both oral and written)
IMT Atlantique is a French elite technological university located in the beautiful city of Brest, in western France (4 hours by train from Paris). Pleasant working conditions will be offered to the student.
To get more information and apply, please send a complete CV with a corresponding motivation letter, recommendation letter(s) and a list of both already published papers and open source contributions (if any) to Salvador Martínez: salvador.martinez(at)imt-atlantique.fr and Fabien Dagnat: fabien.dagnat(at)imt-atlantique.fr
In the interest of introducing efficiency, cost-effectiveness and safety, Information and Communication Technologies have been integrated into many different environments, including critical ones (i.e., environments where a failure of a system with respect to its missions, business operations, safety and/or security would have severe adverse impacts, ranging from data loss to loss of life). This integration exposes systems to a wider range of security issues; consequently, research and industry efforts have been directed at enhancing the security of these systems by integrating existing security mechanisms (controls), developing new ones and advocating secure-by-construction development processes. Unfortunately, systems are far from static: they are modified during required maintenance/evolution phases.
Therefore, security needs to be integrated as a core concern in the evolution phase of software systems, in what we call a continuous secure evolution paradigm. Providing the means to efficiently ensure that the security of a software system is not affected by a given evolution event is the high-level objective of this PhD thesis proposal. To do so, we intend to use the tools and techniques of Model-Driven Engineering (MDE). MDE is a software engineering approach that treats models as first-class citizens of the development process. Models can be used in all phases of the process and in a variety of scenarios including, for instance, early verification and testing or even (semi)automatic code generation. High-level MDE abstractions greatly reduce the complexity of the systems under study/development while preserving the ability to reason rigorously about important properties such as those related to security. In that sense, we believe MDE is a key enabler for the continuous secure evolution of software systems.
The scientific objective of this PhD thesis is to study the means to efficiently ensure that the security of a software system is not affected by a given evolution event. This requires at least the following:
1. mechanisms to obtain a model-based representation of the current system and its security status. This representation: i) may (partially) exist as documentation of the system; ii) may be built by hand; or iii) may be (semi)automatically "discovered". We expect to leverage integrated modeling frameworks such as OpenFlexo and model discoverers (if needed) to solve this problem.
2. where required, mechanisms to link security knowledge (e.g., desired security properties, access-control policies, etc.) to the model-based artefacts. Model federation to link different sources of information, and model transformation to generate OCL constraints expressing security properties, are to be explored.
3. mechanisms to efficiently evaluate/propagate changes in a multi-model environment (e.g., we want to be able to determine which security properties are affected by a given change as the latter is propagated to a number of related models).
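As an added illustration of points 2 and 3 (this is example code written for this page, not part of the project or of OpenFlexo), the toy below federates elements from an architecture model, generated code and an access-control policy, attaches OCL-style invariants to the elements they read, and, on an evolution event, propagates the change along cross-model links to select only the invariants that must be re-checked. The system, element names, links and invariants are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Element:
    """One element of one model (architecture, behaviour, code, policy)."""
    name: str
    model: str
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Constraint:
    """An OCL-style invariant: a predicate over the named elements it reads."""
    name: str
    context: Set[str]
    check: Callable[[Dict[str, Element]], bool]


class Federation:
    """Elements from several models, cross-model links and security constraints."""

    def __init__(self) -> None:
        self.elements: Dict[str, Element] = {}
        self.dependants: Dict[str, Set[str]] = {}   # src -> elements derived from it
        self.constraints: List[Constraint] = []

    def add(self, element: Element) -> None:
        self.elements[element.name] = element
        self.dependants.setdefault(element.name, set())

    def link(self, src: str, dst: str) -> None:
        """Record that `dst` is derived from (must stay consistent with) `src`."""
        self.dependants.setdefault(src, set()).add(dst)

    def impacted(self, changed: str) -> Set[str]:
        """Transitive closure of elements reachable from the changed element."""
        seen, queue = {changed}, deque([changed])
        while queue:
            for nxt in self.dependants.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def affected_constraints(self, changed: str) -> List[str]:
        """Names of invariants whose context overlaps the impacted set."""
        imp = self.impacted(changed)
        return [c.name for c in self.constraints if c.context & imp]

    def evaluate(self, names: List[str]) -> Dict[str, bool]:
        by_name = {c.name: c for c in self.constraints}
        return {n: by_name[n].check(self.elements) for n in names}


def build_example() -> Federation:
    """Constructed sample: a small health-record system spread over three models."""
    f = Federation()
    f.add(Element("PatientDB", "architecture", {"classification": "confidential"}))
    f.add(Element("Portal->PatientDB", "architecture", {"encrypted": True}))
    f.add(Element("PatientService.read", "code", {"requires_auth": True}))
    f.add(Element("rule:Nurse-read-PatientDB", "policy", {"roles": {"Nurse"}}))
    f.add(Element("AuditLog", "architecture", {"classification": "internal"}))
    # Cross-model links: generated code follows the connector; the policy rule follows the code.
    f.link("Portal->PatientDB", "PatientService.read")
    f.link("PatientService.read", "rule:Nurse-read-PatientDB")
    f.constraints += [
        Constraint("confidential_over_encrypted_channel",
                   {"PatientDB", "Portal->PatientDB"},
                   lambda e: e["PatientDB"].attrs["classification"] != "confidential"
                   or e["Portal->PatientDB"].attrs["encrypted"] is True),
        Constraint("read_requires_authenticated_role",
                   {"PatientService.read", "rule:Nurse-read-PatientDB"},
                   lambda e: bool(e["PatientService.read"].attrs["requires_auth"])
                   and bool(e["rule:Nurse-read-PatientDB"].attrs["roles"])),
        Constraint("audit_log_not_confidential", {"AuditLog"},
                   lambda e: e["AuditLog"].attrs["classification"] != "confidential"),
    ]
    return f


def apply_change(f: Federation, element: str, attr: str, value: object) -> Dict[str, bool]:
    """Evolution event: update one attribute, then re-check only the affected invariants."""
    f.elements[element].attrs[attr] = value
    return f.evaluate(f.affected_constraints(element))


if __name__ == "__main__":
    fed = build_example()
    # Evolution event: the portal-to-database connector is redeployed without encryption.
    print(apply_change(fed, "Portal->PatientDB", "encrypted", False))
    # -> {'confidential_over_encrypted_channel': False, 'read_requires_authenticated_role': True}
```

The point of the toy is the selection step: the change to one architecture element is propagated through the code and policy models, the invariant on the audit log is left alone because nothing it reads is reachable from the change, and the violated invariant (confidential data now crossing an unencrypted connector) surfaces without re-evaluating the whole constraint set.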