TWC: Small: Finding and Repairing Semantic Vulnerabilities in Modern Software

TWC：小：查找并修复现代软件中的语义漏洞

• 批准号: 1223396
• 负责人: Vitaly Shmatikov
• 金额: $ 49.99万
• 依托单位: University of Texas at Austin
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2012
• 资助国家: 美国
• 起止时间: 2012-09-01 至 2015-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1223396&HistoricalAwards=false
• 关键词: TWC; Small; Finding; Repairing; Semantic

Software is responsible for many critical government, business, and educational functions. This project aims to develop new methods for finding and repairing some of the most challenging, poorly understood security vulnerabilities in modern software that have the potential to jeopardize the security and reliability of the nation's cyber infrastructure.The first objective of this project is to design and implement a robust program analysis framework that is capable of finding exploitable semantic bugs in modern applications, such as accidental omission of access-control checks, unintentional exposure of sensitive operations such as native calls and database queries to untrusted code or users, high-complexity control structures vulnerable to denial of service, misconfigurations of security policies, and other errors in programs' security logic.The second objective is to develop methods for automatically repairing semantic vulnerabilities by applying program transformations that insert correct implementations of appropriate security logic.

软件负责许多关键的政府、商业和教育功能。 该项目旨在开发新方法来查找和修复现代软件中一些最具挑战性、人们知之甚少的安全漏洞，这些漏洞有可能危及国家网络基础设施的安全性和可靠性。该项目的第一个目标是设计和实现一个强大的程序分析框架，该框架能够发现现代应用程序中可利用的语义错误，例如意外遗漏访问控制检查、无意暴露 敏感操作（例如对不受信任的代码或用户的本机调用和数据库查询）、容易受到拒绝服务的高复杂性控制结构、安全策略配置错误以及程序安全逻辑中的其他错误。第二个目标是通过应用插入适当安全逻辑的正确实现的程序转换来开发自动修复语义漏洞的方法。