TWC: Small: Collaborative: Similary-Based Program Analyses for Eliminating Vulnerabilities

TWC：小型：协作：基于相似性的程序分析以消除漏洞

• 批准号: 1434582
• 负责人: Tao Xie
• 金额: $ 25万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-07-01 至 2017-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1434582&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; Similary; Based

The security of critical information infrastructures depends upon effective techniques to detect vulnerabilities commonly exploited by malicious attacks. Due to poor coding practices or human error, a known vulnerability discovered and patched in one code location may often exist in many other unpatched code locations, either in the same code base or other code bases. Furthermore, patches are often error-prone, resulting in new vulnerabilities. This project develops practical techniques for detecting code-level similarity to prevent such vulnerabilities. It has the potential to help build a more reliable and secure information system infrastructure, which will have tremendous economical impact on society because of our growing reliance on information technologies.In particular, the project aims to develop practical techniques for similarity-based testing and analysis to detect unpatched vulnerable code and validate patches to the detected vulnerable code at both the source code and binary levels. To this end, it focuses on three main technical directions: (1) developing techniques for detecting source-level vulnerabilities by adapting and refining an industrial-strength tool, (2) developing capabilities of detecting binary-level vulnerabilities by extending preliminary work on detecting code clones in binaries, and (3) supporting patch validation and repair by developing methodologies and techniques to validate software patches and help produce correct, secure patches. This project helps discover new techniques for source- and binary-level vulnerability analysis and gain better understandings of the fundamental and practical challenges for building highly secure and reliable software.

关键信息基础设施的安全依赖于有效的技术来检测通常被恶意攻击利用的漏洞。由于糟糕的编码实践或人为错误，在一个代码位置发现并打补丁的已知漏洞可能经常存在于相同代码库或其他代码库中的许多其他未打补丁的代码位置。此外，补丁程序往往容易出错，从而导致新的漏洞。该项目开发了用于检测代码级相似性的实用技术，以防止此类漏洞。它有可能帮助建立更可靠和更安全的信息系统基础设施，这将对社会产生巨大的经济影响，因为我们越来越依赖信息技术。该项目尤其旨在开发基于相似性的实用测试和分析技术，以检测未打补丁的易受攻击代码，并在源代码和二进制级别验证已检测到的易受攻击代码的补丁。为此，它集中在三个主要技术方向：(1)通过调整和完善工业级别的工具来开发检测源代码级别漏洞的技术；(2)通过扩展检测二进制文件中的代码克隆的前期工作来开发检测二进制级别漏洞的能力；以及(3)通过开发验证软件补丁并帮助生成正确、安全的补丁的方法和技术来支持补丁验证和修复。该项目有助于发现源代码和二进制级漏洞分析的新技术，并更好地理解构建高度安全和可靠的软件所面临的基本和实际挑战。