TWC: Small: Detection and Prevention of Prior Known Software Security Vulnerabilities

TWC：小：检测和预防先前已知的软件安全漏洞

• 批准号: 1223828
• 负责人: Tien Nguyen
• 金额: $ 47.94万
• 依托单位: Iowa State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2012
• 资助国家: 美国
• 起止时间: 2012-09-01 至 2017-01-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1223828&HistoricalAwards=false
• 关键词: TWC; Small; Detection; Prevention; Prior

Software is a critical element in a wide range of real-world applications. Attacks against computer software can cause substantial damage to the cyber-infrastructure of our modern society and economy. In fact, many new software security vulnerabilities are discovered on a daily basis. Therefore, it is vital to identify and resolve those security issues as early as possible. This research aims to investigate a scientific foundation and a novel methodology for automated detection, prevention, and resolution of prior-known software security vulnerabilities in software systems. The results will help to detect and prevent prior-known security vulnerabilities from recurring in other software systems. In this research, the key philosophy is that the software systems having the same/similar software security vulnerabilities share the protocols, algorithms, procedures, libraries, frameworks, modules, or source code with the same flaws, and they suffer the same/similar exploitation mechanisms. Based on that, empirical studies are conducted to investigate the nature and the characteristics of recurring software vulnerabilities in different software systems, and to validate that hypothesis. Based on the knowledge gained from the studies, new vulnerability models, representations, and similarity measurements are developed to capture recurring software security vulnerabilities, and the corresponding vulnerable code and exploitation mechanisms. Novel algorithms and techniques are designed to (semi-)automatically build graph-based vulnerability models from vulnerability reports and from vulnerable code and patches, aiming to construct a database of prior-known vulnerabilities. A new methodology is developed to help to identify the prior-known vulnerabilities in other systems and to suggest the resolution. Specifically, the automated methods and advances include 1) an algorithm to compare and match against vulnerability models in the database, 2) a technique to map software concepts between security reports and from a report to the corresponding source code fragments, modules, or components; 3) an algorithm to determine the modules and source file locations in the new system that correspond to the vulnerable modules and locations in a system with a prior-known vulnerability; and 4) a technique to suggest the patch to the new system from the prior fixes. In brief, the results of this research help to resolve early software security vulnerabilities. They will lead to more reliable software because the process of detecting and patching for recurring security vulnerabilities will be more efficient and effective.

软件是广泛的现实世界应用程序中的关键元素。对计算机软件的攻击会对我们现代社会和经济的网络基础设施造成重大损害。事实上，每天都会发现许多新的软件安全漏洞。因此，尽早识别和解决这些安全问题至关重要。本研究旨在探讨自动检测、预防和解决软件系统中已知的软件安全漏洞的科学基础和新方法。结果将有助于检测和防止先前已知的安全漏洞在其他软件系统中重复出现。在本研究中，关键思想是具有相同/类似软件安全漏洞的软件系统共享具有相同缺陷的协议、算法、过程、库、框架、模块或源代码，并且它们遭受相同/类似的利用机制。在此基础上，对不同软件系统中反复出现的软件漏洞的性质和特征进行了实证研究，并对该假设进行了验证。基于从研究中获得的知识，开发了新的漏洞模型、表示和相似性度量，以捕获重复出现的软件安全漏洞，以及相应的漏洞代码和利用机制。设计了基于漏洞报告、漏洞代码和漏洞补丁的（半）自动构建基于图的漏洞模型的新算法和技术，旨在构建先验已知漏洞数据库。开发了一种新的方法来帮助识别其他系统中先前已知的漏洞并提出解决方案。具体来说，自动化的方法和进步包括：1)一种算法来比较和匹配数据库中的漏洞模型；2)一种技术，将软件概念映射到安全报告之间以及从报告到相应的源代码片段、模块或组件；3)确定新系统中哪些模块和源文件位置与已知漏洞系统中的脆弱模块和位置相对应的算法；4)一种从先前的补丁中建议新系统补丁的技术。简而言之，本研究的结果有助于解决早期的软件安全漏洞。它们将带来更可靠的软件，因为检测和修补反复出现的安全漏洞的过程将更加高效和有效。