Scholarship & Research
Permanent URI for this communityhttps://scholarworks.montana.edu/handle/1/1
Browse
4 results
Search Results
Item Using software bill of materials for software supply chain security and its generation impact on vulnerability detection(Montana State University - Bozeman, College of Engineering, 2024) O'Donoghue, Eric Jeffery; Chairperson, Graduate Committee: Clemente Izurieta; This is a manuscript style paper that includes co-authored chapters.Cybersecurity attacks threaten the lives and safety of individuals around the world. Improving defense mechanisms across all vulnerable surfaces is essential. Among surfaces, the software supply chain (SSC) stands out as particularly vulnerable to cyber threats. This thesis investigates how Software Bill of Materials (SBOM) can be utilized to assess and improve the security of software supply chains. An informal literature review reveals the paucity of studies utilizing SBOM to assess SSC security, which further motivates this research. Our research adopts the Goal/Question/Metric paradigm with two goals: firstly, to utilize SBOM technology to assess SSC security; secondly, to examine the impact of SBOM generation on vulnerability detection. The study unfolds in two phases. Initially, we introduce a novel approach to assess SSC security risks using SBOM technology. Utilizing analysis tools Trivy and Grype, we identify vulnerabilities across a corpus of 1,151 SBOMs. The second phase investigates how SBOM generation affects vulnerability detection. We analyzed four SBOM corpora derived from 2,313 Docker images by varying the SBOM generation tools (Syft and Trivy) and formats (CycloneDX 1.5 and SPDX 2.3). Using SBOM analysis tools (Trivy, Grype, CVE-bin-tool), we investigated how the vulnerability findings for the same software artifact changed according to the SBOM generation tool and format. The first phase demonstrates SBOMs use in identifying SSC vulnerabilities, showcasing their utility in enhancing security postures. The subsequent analysis reveals significant discrepancies in vulnerability detection outcomes, influenced by SBOM generation tools and formats. These variations underscore the necessity for rigorous validation and enhancement of SBOM technologies to secure SSCs effectively. This thesis demonstrates the use of SBOMs in assessing the security of SSCs. We underscore the need for stringent standards and rigorous validation mechanisms to ensure the accuracy and reliability of SBOM data. We reveal how SBOM generation affects vulnerability detection, offering insights that enhanced SBOM methodologies can help improve security. While SBOM is promising for enhancing SSC security, it is clear the SBOM space is immature. Extensive development, validation, and verification of analysis tools, generation tools, and formats are required to improve the usefulness of SBOMs for SSC security.Item Enabling real-time communications in resource-constrained networks(Montana State University - Bozeman, College of Engineering, 2023) Mekiker, Batuhan; Co-chairs, Graduate Committee: Clemente Izurieta and Mike WittieThe Internet of Things (IoT) applications require flexible and high-performance data channels, but many IoT networks can only support single-use case applications, which limits their performance and flexibility for real-time and streaming applications. LoRa offers a flexible physical network layer but lacks the resource management needed in its link layer protocols to support real-time flows. My initial contribution, the Beartooth Relay Protocol (BRP), expands the performance envelope of LoRa, making it suitable for a wide range of IoT applications, including those requiring real-time and streaming capabilities, and aims to address the problem. However, the resource-limited nature of LoRa does not allow BRP to scale to multi-hop mesh network deployments while maintaining real-time streams. To address the limitations of BRP in supporting mesh network deployments and real-time streams beyond two hops, we focus on developing the second-generation Beartooth Radios, MKII, and the first-generation Beartooth Gateways. We utilize Commercially-available Of the Shelf Components (COTS) in the radios to provide a cost-effective, power-efficient, and compact solution for establishing real-time situational awareness. The self-healing mesh network provided with MKII and Gateways also enhances the reliability of the overall network, ensuring connectivity even in case of node failures. By incorporating military information brokers, such as the Tactical Assault Kit (TAK), the Beartooth Gateway establishes a hybrid network between Beartooth radios, gateways, and other TAK-capable devices, ensuring compatibility with existing IP networks. Building upon the premise that voice communications are an integral part of real-time SA, the last part of my research focuses on assessing audio quality and efficacy of audio codecs within bandwidth-constrained networks. Delving into voice communications in resource-constrained networks, my research contrasts the performance of Text-to-Speech (TTS) models with traditional audio codecs. I demonstrate that TTS models outperform audio codec compressed voice samples in quality while also effectively managing scarce resources and available capacity more efficiently. By combining flexible link layer protocol elements in BRP, Beartooth MKII radios, Gateways, and insights on integrating TTS systems for voice communication, my research demonstrates a versatile and flexible solution that provides real-time application streams and critical situational awareness capabilities in bandwidth-constrained networks and mission-critical applications.Item Data analytics and software to support avalanche forecasting decisions(Montana State University - Bozeman, College of Engineering, 2021) Ottsen, Peter Kenneth; Chairperson, Graduate Committee: Sean YawAvalanches are a very powerful force of nature and pose significant risk for ski areas and mountainous roads. Avalanche forecasting and mitigation are a very important part of keeping the public safe. Terrestrial laser scanning lidar systems have proven useful in more accurate forecasting and mitigation efforts, but utilizing them can be time consuming. The goal of this project is to operationalize a workflow and create algorithms and ultimately produce a software product that can rapidly analyze snow covered mountainous terrain, allowing avalanche forecasters to make informed decisions on where to focus their mitigation efforts. In this dissertation, I first present algorithms that were designed to align scans, identify trees and cliffs, grid scans, and calculate snow depth. I then introduce a software package that was implemented incorporating these algorithms with a point cloud visualization tool. This software package allows a user to control and visualize the analysis process to make more informed avalanche mitigation decisions. Algorithms were parameterized and validated with a field study consisting of data collection events at Bridger Bowl, Bear Canyon, and the Yellowstone Club in Montana. A Riegl VZ-6000 TLS lidar system was used for all data collection efforts. This dissertation documents the design of this analytics workflow by presenting the algorithms developed, discussing the software implemented, and presenting the data collection efforts that guided the design of the algorithms and served to validate their efficacy.Item Predicting metamorphic relations: an evaluation of program representations and machine learning techniques(Montana State University - Bozeman, College of Engineering, 2020) Rahman, Karishma; Chairperson, Graduate Committee: Upulee Kanewala; Upulee Kanewala was a co-author of the article, 'Predicting metamorphic relations for matrix calculation programs' in the 'MET18: Proceedings of the 3rd International Workshop on Metamorphic Testing' which is contained within this thesis.Testing complex scientific applications can often be a complicated and expensive procedure. A test oracle is used to verify the behavior of the software under test. However, difficulties due to the implementation of a test oracle make the process of systematically testing scientific applications more challenging. This problem is known as the oracle problem. Metamorphic testing (MT) is an effective technique to test these applications as it uses metamorphic relations (MRs) to determine whether test cases have passed or failed. Metamorphic relations are essential components of metamorphic testing that highly affect its fault detection effectiveness. MRs are usually identified with the help of a domain expert, which is a labor-intensive task. In this work, a previously developed graph kernel-based machine learning method is extended by predicting MRs for functions that perform matrix calculations. Then, semi-supervised support vector machine (S3VM) is used to build the predictive model for the suggested approach. Finally, call graph (CG) information of the functions are used to calculate the graph kernels to predict MRs. The overall result shows that random walk kernel performs better than the graphlet kernel, and semi-supervised learning can be effective with more unlabelled data. Also, the use of call graph representation presents a new avenue of research in predicting MRs for unseen functions.