CAREER: Security in the Large: Gaining Assurance in Real-World Systems

职业：大范围的安全：在现实世界的系统中获得保证

• 批准号: 0093337
• 负责人: David Wagner
• 金额: $ 26.77万
• 依托单位: University of California-Berkeley
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2001
• 资助国家: 美国
• 起止时间: 2001-03-01 至 2006-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0093337&HistoricalAwards=false
• 关键词: CAREER; Security; Large; Gaining; Assurance

As we enter the so-called "information age" of global networks, ubiquitous computing devices, and electronic commerce, computer security is of increasing importance. One of the greatest challenges in computer security today is the software assurance problem: How do we deal with the fact that our most trusted software, even our security software itself, is often buggy?This research will study two aspects of the software assurance problem: ensuring first that bad things do not happen, and second that good things do happen. The project will explore vulnerability detection of legacy software, focusing on detecting the types of security bugs that pervade systems built before security became as serious a concern as it is today. Also this work will study infrastructural support for building new systems that need to be secure. The enabling technology is a mix of lightweight formal methods (such as static program analysis) coupled with domain-specific heuristics, and a main goal will be to build tools that can be used in practice. In each case, a key selling point of the approach is that it allows us to proactively eliminate or neutralize security bugs before they are exploited.

随着我们进入全球网络、无处不在的计算设备和电子商务的所谓“信息时代”，计算机安全变得越来越重要。 当今计算机安全面临的最大挑战之一是软件保证问题：我们如何处理我们最值得信赖的软件，甚至是我们的安全软件本身，往往是错误的？本研究将研究软件保证问题的两个方面：第一，确保坏的事情不会发生，第二，好的事情发生。 该项目将探索遗留软件的漏洞检测，重点是检测在安全性变得像今天这样严重之前构建的系统中普遍存在的安全漏洞类型。 这项工作还将研究基础设施支持，以建立需要安全的新系统。 使能技术是轻量级的形式化方法（如静态程序分析）与特定领域的分析方法的混合，主要目标是构建可以在实践中使用的工具。 在每种情况下，该方法的一个关键卖点是，它允许我们在安全漏洞被利用之前主动消除或消除它们。