SDCI Sec New: In-Depth Vulnerability Assessment of Middleware

SDCI Sec 新内容：中间件的深入漏洞评估

• 批准号: 1032341
• 负责人: Barton Miller
• 金额: $ 77.5万
• 依托单位: University of Wisconsin-Madison
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-01-01 至 2015-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1032341&HistoricalAwards=false
• 关键词: SDCI; Sec; New; Depth; Vulnerability

This research establishes MIST, the MIddleware Security and Testing facility,to identify security vulnerabilities in middleware, which include e-commercesystems, supercomputers, and scientific and commercial networks. Theresearchers are identifying limitations in current abilities to identify andremediate vulnerabilities in the middleware. The limitations include assessmenttechniques that provide insufficient focus on critical vulnerabilities and aresubject to high false-positives, tools that provide limited abilities to find serious vulnerabilities, little or no formal characterization ofvulnerabilities, lack of trained security analysts to perform vulnerabilityassessment, scarcity of curricula, both in academia and professional training,for training security analysts, scarcity of training in software engineeringand design techniques for secure systems, and lack of independent vulnerabilityassessment activities in middleware software development.The researchers are developing first principles based vulnerability assessment(FPVA) that starts with architectural and resource analysis of the software,identifying high-value assets, and then derives threats based on how theassets are used. This research includes new and extended algorithms andtechniques for tools to help improve the automation of this task, and newsoftware engineering and coding techniques for developing secure systems.Results from their FPVA assessment activities are used to develop formalcharacterizations of these hard-to-discover vulnerabilities and, from thesecharacterizations, develop algorithms for detecting these vulnerabilities.From algorithms, they are developing new automated tools for detection. Thetools take the form of plug-ins to existing tools (to reduce unnecessaryeffort and time-to-deployment). This project expands the skills software developers by developing trainingmaterials in the form of tutorials, short courses, and a new undergraduatecourse in vulnerability assessment and secure coding practices.

本研究建立了MIST，中间件安全和测试设施，以识别中间件中的安全漏洞，包括电子商务系统，超级计算机，科学和商业网络。研究人员正在识别当前能力的局限性，以识别和修复中间件中的漏洞。这些局限性包括评估技术对关键漏洞关注不够，并且存在很高的误报率，工具发现严重漏洞的能力有限，很少或没有正式的漏洞特征，缺乏训练有素的安全分析师来执行安全性评估，缺乏学术和专业培训课程，用于培训安全分析师，缺乏软件工程和安全系统设计技术方面的培训，缺乏中间件软件开发中的独立脆弱性评估活动。研究人员正在开发基于第一原理的脆弱性评估（FPVA），该评估从软件的架构和资源分析开始，识别高价值资产，and then derive推导threatens威胁based基础on how theassets资产are used使用.这项研究包括新的和扩展的算法和工具技术，以帮助提高这一任务的自动化，以及新的软件工程和编码技术，用于开发安全系统。从他们的FPVA评估活动的结果被用来开发这些难以发现的漏洞的形式化特征，并从这些特征，开发用于检测这些漏洞的算法。从算法，他们正在开发新的自动检测工具。这些工具采用现有工具的插件形式（以减少不必要的工作量和部署时间）。该项目通过开发教程、短期课程和新的本科课程形式的培训材料，在脆弱性评估和安全编码实践方面扩展了软件开发人员的技能。