TWC: Small: Collaborative: Discovering Software Vulnerabilities through Interactive Static Analysis

TWC：小型：协作：通过交互式静态分析发现软件漏洞

• 批准号: 1318323
• 负责人: Emerson Murphy-Hill
• 金额: $ 24.99万
• 依托单位: North Carolina State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-10-01 至 2018-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1318323&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; Discovering; Software

Software development is a complex and manual process, in part because typical software programs contain more than hundreds of thousands lines of computer code. If software programmers fail to perform critical checks in that code, such as making sure a user is authorized to update an account, serious security compromises ensue. Indeed, vulnerable software is one of the leading causes of cyber security problems. Checking for security problems is very expensive because it requires examining computer code for security mistakes, and such a process requires significant manual effort. This research project aims at developing an interactive help system to warn software programmers about potential security mistakes, similar to the way modern word processors warn writers of spelling and grammar errors. This is likely lead to new functions for software development tools that will significantly reduce security vulnerabilities in software. The research is based on the concept of interactive static analysis, a novel mixed-initiative paradigm for interacting with programmers to aid in the detection and prevention of security vulnerabilities. Static analysis is seamlessly integrated into the development environment in such a way that programmers are not required to learn additional programming language and analysis concepts beyond the use of the development environment. Static analysis is performed in the context of development, allowing programmers to utilize and influence such analysis during their program construction. The goals of this research are to bring programmers into the security loop, improving their ability to detect, understand, and prevent vulnerabilities; and utilize the programmer's contextual knowledge to drive customized static analysis, detecting software vulnerabilities that are difficult to detect using current static analysis techniques.

软件开发是一个复杂的手动过程，部分原因是典型的软件程序包含数十万行计算机代码。如果软件程序员未能在代码中执行关键检查，例如确保用户有权更新帐户，则会导致严重的安全隐患。事实上，脆弱的软件是网络安全问题的主要原因之一。 检查安全问题是非常昂贵的，因为它需要检查计算机代码的安全错误，并且这样的过程需要大量的手动工作。该研究项目旨在开发一个交互式帮助系统，以警告软件程序员潜在的安全错误，类似于现代文字处理器警告作者拼写和语法错误的方式。这可能会为软件开发工具带来新的功能，从而大大减少软件中的安全漏洞。这项研究是基于交互式静态分析的概念，一种新的混合主动范式，用于与程序员进行交互，以帮助检测和预防安全漏洞。静态分析被无缝地集成到开发环境中，使得程序员不需要学习除了使用开发环境之外的其他编程语言和分析概念。静态分析是在开发环境中执行的，允许程序员在程序构建期间利用和影响这种分析。本研究的目标是使程序员进入安全循环，提高他们的能力来检测，理解和预防漏洞;并利用程序员的上下文知识来驱动定制的静态分析，检测软件漏洞，很难检测到使用当前的静态分析技术。