TWC: Small: Collaborative: Similary-Based Program Analyses for Eliminating Vulnerabilities

TWC：小型：协作：基于相似性的程序分析以消除漏洞

• 批准号: 1319187
• 负责人: Zhendong Su
• 金额: $ 25万
• 依托单位: University of California-Davis
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-08-01 至 2017-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1319187&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; Similary; Based

The security of critical information infrastructures depends upon effective techniques to detect vulnerabilities commonly exploited by malicious attacks. Due to poor coding practices or human error, a known vulnerability discovered and patched in one code location may often exist in many other unpatched code locations, either in the same code base or other code bases. Furthermore, patches are often error-prone, resulting in new vulnerabilities. This project develops practical techniques for detecting code-level similarity to prevent such vulnerabilities. It has the potential to help build a more reliable and secure information system infrastructure, which will have tremendous economical impact on society because of our growing reliance on information technologies.In particular, the project aims to develop practical techniques for similarity-based testing and analysis to detect unpatched vulnerable code and validate patches to the detected vulnerable code at both the source code and binary levels. To this end, it focuses on three main technical directions: (1) developing techniques for detecting source-level vulnerabilities by adapting and refining an industrial-strength tool, (2) developing capabilities of detecting binary-level vulnerabilities by extending preliminary work on detecting code clones in binaries, and (3) supporting patch validation and repair by developing methodologies and techniques to validate software patches and help produce correct, secure patches. This project helps discover new techniques for source- and binary-level vulnerability analysis and gain better understandings of the fundamental and practical challenges for building highly secure and reliable software.

关键信息基础设施的安全取决于有效的技术，以检测恶意攻击通常利用的漏洞。由于糟糕的编码实践或人为错误，在一个代码位置发现并修补的已知漏洞通常可能存在于许多其他未修补的代码位置中，无论是在同一代码库中还是在其他代码库中。此外，补丁通常容易出错，导致新的漏洞。该项目开发了用于检测代码级相似性以防止此类漏洞的实用技术。由于我们对资讯科技的依赖日益增加，这项计划有潜力协助建立更可靠和安全的资讯系统基础设施，对社会产生巨大的经济影响。特别是，该计划旨在发展实用的技术，以进行基于相似性的测试和分析，以检测未修补的易受攻击代码，并在源代码和二进制级别验证已检测到的易受攻击代码的修补程序。为此，它侧重于三个主要技术方向：（1）通过调整和改进工业强度的工具来开发用于检测源级别漏洞的技术，（2）通过扩展关于检测二进制中的代码克隆的初步工作来开发检测二进制级别漏洞的能力，以及（3）通过开发验证软件补丁并帮助生成正确、安全的补丁的方法和技术来支持补丁验证和修复。该项目有助于发现源代码和二进制级别漏洞分析的新技术，并更好地了解构建高度安全和可靠的软件的基本和实际挑战。