CRII: SaTC: Empirical and Analytical Models for the Deployment of Software Updates in Large Vulnerable Populations

CRII：SaTC：在大量弱势群体中部署软件更新的经验和分析模型

• 批准号: 1464163
• 负责人: Tudor Dumitras
• 金额: $ 17.03万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-05-15 至 2018-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1464163&HistoricalAwards=false
• 关键词: CRII; SaTC; Empirical; Analytical; Models

Software vulnerabilities are an important vector for malware delivery. The software updating mechanisms, responsible for deploying the vulnerability patches, are in a race with the cyber attackers seeking to exploit the vulnerabilities. Moreover, these updating mechanisms have multiple, potentially conflicting, design goals, as they must quickly deploy patches on millions of hosts worldwide, must not overburden the users, and must avoid breaking dependencies in the deployment environment. This project aims to model the dynamics of vulnerable host populations, in order to assess the practical barriers for current software updating mechanisms and the conflicts among their security and reliability goals. Using real-world data sets of update deployment events, the research studies the decay of vulnerable host populations empirically to identify deployment-specific factors that delay updates. Building on these insights, the project develops parameterized analytical models for update deployment, and uses these models to quantify the trade-offs between reliability and security when updating software. The models provide principled methods for reasoning about the properties of software updates in the presence of multiple design goals and enable improvements in software updating mechanisms by exploring a large design space. The researchers are disseminating the results from this project by organizing workshops on data-driven security, by releasing data sets with augmented information about software vulnerabilities, and by collaborating with industry partners to evaluate the proposed techniques in real-world settings.

软件漏洞是恶意软件传播的重要媒介。负责部署漏洞补丁的软件更新机制正在与试图利用这些漏洞的网络攻击者展开竞争。此外，这些更新机制有多个潜在冲突的设计目标，因为它们必须在全球数以百万计的主机上快速部署补丁，不能使用户负担过重，并且必须避免破坏部署环境中的依赖关系。该项目旨在对易受攻击的主机群体的动态进行建模，以便评估当前软件更新机制的实际障碍及其安全和可靠性目标之间的冲突。使用更新部署事件的真实世界数据集，该研究对易受攻击的主机种群的衰退进行了经验研究，以确定延迟更新的部署特定因素。在这些见解的基础上，该项目开发了用于更新部署的参数化分析模型，并使用这些模型来进一步量化更新软件时可靠性和安全性之间的权衡。这些模型提供了在存在多个设计目标的情况下推理软件更新属性的原则性方法，并通过探索大的设计空间来改进软件更新机制。研究人员正在通过组织关于数据驱动的安全的研讨会，通过发布含有关于软件漏洞的补充信息的数据集，以及通过与行业合作伙伴合作，在现实世界环境中评估拟议的技术，来传播这一全球项目的成果。