More Like this

1. Formal Modelling and Automated Trade-off Analysis of Enforcement Architectures for Cryptographic Access Control in the Cloud

   https://doi.org/10.1145/3474056  

   Berlato, Stefano ; Carbone, Roberto ; Lee, Adam J. ; Ranise, Silvio ( February 2022 , ACM Transactions on Privacy and Security)

   To facilitate the adoption of cloud by organizations, Cryptographic Access Control (CAC) is the obvious solution to control data sharing among users while preventing partially trusted Cloud Service Providers (CSP) from accessing sensitive data. Indeed, several CAC schemes have been proposed in the literature. Despite their differences, available solutions are based on a common set of entities—e.g., a data storage service or a proxy mediating the access of users to encrypted data—that operate in different (security) domains—e.g., on-premise or the CSP. However, the majority of these CAC schemes assumes a fixed assignment of entities to domains; this has security and usability implications that are not made explicit and can make inappropriate the use of a CAC scheme in certain scenarios with specific trust assumptions and requirements. For instance, assuming that the proxy runs at the premises of the organization avoids the vendor lock-in effect but may give rise to other security concerns (e.g., malicious insiders attackers). To the best of our knowledge, no previous work considers how to select the best possible architecture (i.e., the assignment of entities to domains) to deploy a CAC scheme for the trust assumptions and requirements of a given scenario. In this article, we proposemore »a methodology to assist administrators in exploring different architectures for the enforcement of CAC schemes in a given scenario. We do this by identifying the possible architectures underlying the CAC schemes available in the literature and formalizing them in simple set theory. This allows us to reduce the problem of selecting the most suitable architectures satisfying a heterogeneous set of trust assumptions and requirements arising from the considered scenario to a decidable Multi-objective Combinatorial Optimization Problem (MOCOP) for which state-of-the-art solvers can be invoked. Finally, we show how we use the capability of solving the MOCOP to build a prototype tool assisting administrators to preliminarily perform a “What-if” analysis to explore the trade-offs among the various architectures and then use available standards and tools (such as TOSCA and Cloudify) for automated deployment in multiple CSPs.« less
2. Update with Care: Testing Candidate Bug Fixes and Integrating Selective Updates through Binary Rewriting

   https://doi.org/https://doi.org/10.1016/j.jss.2022.111381  

   Saieva, Anthony ; Kaiser, Gail ( January 2022 , The Journal of systems and software)

   Enterprise software updates depend on the interaction between user and developer organizations. This interaction becomes especially complex when a single developer organization writes software that services hundreds of different user organizations. Miscommunication during patching and deployment efforts lead to insecure or malfunctioning software installations. While developers oversee the code, the update process starts and ends outside their control. Since developer test suites may fail to capture buggy behavior finding and fixing these bugs starts with user generated bug reports and 3rd party disclosures. The process ends when the fixed code is deployed in production. Any friction between user, and developer results in a delay patching critical bugs. Two common causes for friction are a failure to replicate user specific circumstances that cause buggy behavior and incompatible software releases that break critical functionality. Existing test generation techniques are insufficient. They fail to test candidate patches for post-deployment bugs and to test whether the new release adversely effects customer workloads. With existing test generation and deployment techniques, users can't choose (nor validate) compatible portions of new versions and retain their previous version's functionality. We present two new technologies to alleviate this friction. First, Test Generation for Ad Hoc Circumstances transforms buggy executionsmore »into test cases. Second, Binary Patch Decomposition allows users to select the compatible pieces of update releases. By sharing specific context around buggy behavior and developers can create specific test cases that demonstrate if their fixes are appropriate. When fixes are distributed by including extra context users can incorporate only updates that guarantee compatibility between buggy and fixed versions. We use change analysis in combination with binary rewriting to transform the old executable and buggy execution into a test case including the developer's prospective changes that let us generate and run targeted tests for the candidate patch. We also provide analogous support to users, to selectively validate and patch their production environments with only the desired bug-fixes from new version releases. This paper presents a new patching workflow that allows developers to validate prospective patches and users to select which updates they would like to apply, along with two new technologies that make it possible. We demonstrate our technique constructs tests cases more effectively and more efficiently than traditional test case generation on a collection of real world bugs compared to traditional test generation techniques, and provides the ability for flexible updates in real world scenarios.« less
3. Is the “E” in Engineering for Entrepreneurship? An Emerging Concept of Entrepreneurial Engineering Identity

   Benjamin, L. S. ; & Henderson, J. A. ; & Hines, E. M ( January 2022 , 2022 ASEE Gulf Southwest Annual Conference)

   The topic of engineering identity is neither new nor complete in its coverage within current literature. In fact, although this body of work predates the last ten years, researchers have argued that some of the most significant burgeoning in this area has occurred in the last decade. By applying both quantitative and qualitative lenses to this inquiry, researchers have concluded that, much like a STEM identity, an engineering identity describes how students see themselves, their competence and potential for success in the academic and career context of the field. To further examine the latter component i.e. potential for academic and career success, we attend to an emerging concept of an entrepreneurial engineering identity. This preliminary work unfolded organically; the authors’ primary goal involved a larger Interpretative Phenomenological Analysis (IPA) study that investigated persistence and advanced degree aspirations among 20 Black male engineering undergraduate students from a variety of institutional settings. While we did not intentionally seek to examine this emerging component of engineering identity, our preliminary analysis of participants’ interview data led us down this path. What we observed was a latent phenomenon of interest among participants: these Black male engineering undergraduates recurringly articulated clear intentions for academic and careermore »opportunities that integrated business components into their engineering realities. Kegan’s (1984, 1994) Theory of Meaning-Making provided a framework for understanding how participants perceived the development of business acumen as a strategy for ascending existing corporate/organizational structures, creating new business pathways, and promoting corporate social responsibility. Based on these findings, authors were inspired to explore the conceptual development of an entrepreneurial engineering identity and its practical application to engineering degree (re)design, student academic advisory and career planning.« less
4. Is the “E” in Engineering for Entrepreneurship? An Emerging Concept of Entrepreneurial Engineering Identity

   Benjamin, L ; Henderson, J A ; Hines, E M ( March 2022 , 2022 ASEE Gulf Southwest Annual Conference)

   Benjamin, L ; Henderson, J A ; Hines, E M (Ed.)

   The topic of engineering identity is neither new nor complete in its coverage within current literature. In fact, although this body of work predates the last ten years, researchers have argued that some of the most significant burgeoning in this area has occurred in the last decade. By applying both quantitative and qualitative lenses to this inquiry, researchers have concluded that, much like a STEM identity, an engineering identity describes how students see themselves, their competence and potential for success in the academic and career context of the field. To further examine the latter component i.e. potential for academic and career success, we attend to an emerging concept of an entrepreneurial engineering identity. This preliminary work unfolded organically; the authors’ primary goal involved a larger Interpretative Phenomenological Analysis (IPA) study that investigated persistence and advanced degree aspirations among 20 Black male engineering undergraduate students from a variety of institutional settings. While we did not intentionally seek to examine this emerging component of engineering identity, our preliminary analysis of participants’ interview data led us down this path. What we observed was a latent phenomenon of interest among participants: these Black male engineering undergraduates recurringly articulated clear intentions for academic and careermore »opportunities that integrated business components into their engineering realities. Kegan’s (1984, 1994) Theory of Meaning-Making provided a framework for understanding how participants perceived the development of business acumen as a strategy for ascending existing corporate/organizational structures, creating new business pathways, and promoting corporate social responsibility. Based on these findings, the authors were inspired to explore the conceptual development of an entrepreneurial engineering identity and its practical application to engineering degree (re)design, student academic advisory and career planning.« less
5. Work in Progress: Content Validation of an Engineering Process Safety Decision Making Instrument

   Butler, Brittany L ; Anastasio, Daniel D ; Burkey, Daniel D ; Cooper, Matthew ; Bodnar, Cheryl A ( June 2018 , ASEE Annual Conference proceedings)

   Process safety is at the heart of operation of many chemical processing companies. However, the Chemical Safety Board (CSB) has still documented over 800 investigations of process safety failures since the year 2000. While not all of these incidents were severe, some did lead to employee injuries or death and environmental harm. As a result, chemical engineering companies are increasingly dedicated to process safety through training programs and detailed vigilance as part of their operations practice. AIChE and OSHA also offer courses in process safety to help support the industry. These efforts illustrate the paramount importance that chemical engineering graduates have an appreciation and understanding of process safety as they transition from their degree program into industrial positions. Previous studies have shown that despite difficulties due to course load constraints, process safety has been incorporated into chemical engineering curriculum through either the addition of new courses, incorporation of the content within existing classes, or a combination of the two methods. A review performed in Process Safety Progress suggested that a key step for departments moving forward is to perform an assessment of the process safety culture within their institution in order to determine how faculty and students view process safety.more »An issue with completing this task is the lack of assessment tools that can be used to determine how students are developing their understanding of process safety decision making. This observation led to the development of the Engineering Process Safety Research Instrument (EPSRI). This instrument is modeled after the Defining Issues Test version 2 (DIT2) and the Engineering Ethical Reasoning Instrument (EERI). Similar to these instruments, the EPSRI provides dilemmas, three decisions, and 12 additional considerations that individuals must rate based on their relative importance to their decision making process. The dilemmas developed in the EPSRI are based on case studies and investigations from process safety failures that have occurred in industry to provide a realistic context for the decision making decisions that engineers may be faced with upon employment. The considerations provided after the scenario are derived to reflect pre-conventional, conventional, and post-conventional decision making thinking as described by Kohlberg’s Moral Development Theory. Pre-conventional decision making thinking focuses particularly on what is right/wrong or good/bad from an individual level, whereas post-conventional thinking seeks to determine what is correct from moral and value perspectives at the society level. This WIP paper describes the content validity study conducted while developing the EPSRI. Dilemmas were examined by context experts including professionals in the process industry, chemical engineering departments, and learning sciences field. Content experts reviewed the dilemmas and determined whether they represented accurate examples of process safety decision making that individuals may face in real-world engineering settings. The experts also reviewed the 12 considerations for each dilemma for their accuracy in capturing pre-conventional, conventional and post-conventional thinking. This work represents the first step in the overall instrument validation that will take place over the next academic year.« less