TWC: Small: Collaborative: EVADE: Evidence-Assisted Detection and Elimination of Security Vulnerabilities

TWC：小型：协作：EVADE：证据辅助检测和消除安全漏洞

• 批准号: 1525992
• 负责人: Timothy Wood
• 金额: $ 25万
• 依托单位: George Washington University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-09-01 至 2019-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1525992&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; EVADE; Evidence

Today's software remains vulnerable to attack. Despite decades of advances in areas ranging from testing to static analysis and verification, all large real-world software is deployed with errors. Because this software is either written in or underpinned by unsafe languages, errors often translate to security vulnerabilities. Although techniques exist that could prevent or limit the risk of exploits, high performance overhead blocks their adoption, leaving today's systems open to attack. To address these problems, we propose a new approach: evidence-assisted detection and elimination of security vulnerabilities (EVADE). EVADE will prevent security vulnerabilities from compromising a system . The challenge, and the goal, is to make it efficient in time and space, and to make it practical for deployment. EVADE will produce detailed reports for developers to reduce the time and effort required to fix their applications. By blocking a wide range of attacks and automatically pinpointing vulnerabilities, EVADE will dramatically increase the security of application software running on servers and desktop platforms, and it will enable a new class of post-attack security analyses.The technical approach is a novel one that spans the traditional research boundaries of runtime systems, operating systems, and virtual machines. EVADE will run unmodified applications in a coordinated framework that will perform selective forensic analysis before any output is committed, blocking exploits from compromising their host and making it possible to pinpoint errors with low overhead. The EVADE runtime system will place lightweight tripwires at random locations in memory that can be quickly validated to detect malicious behavior. Within an application, these take the form of signatures placed on the stack and in the heap, while at the hypervisor-level EVADE they may protect the system call table or other crucial data structures. The EVADE VM will divide execution into incrementally-checkpointed epochs. At each epoch boundary, before any system state is committed, the EVADE virtual machine will indicate to the EVADE runtime system which pages have been modified, letting it perform checks to identify vulnerabilities. EVADE will thus dramatically increase the security of vulnerable applications with extremely low runtime overhead, and will assist developers in locating vulnerabilities when an exploit does occur.

今天的软件仍然容易受到攻击。尽管从测试到静态分析和验证等领域已经取得了数十年的进步，但所有大型现实世界软件的部署都存在错误。因为这些软件是用不安全的语言编写的，或者是由不安全的语言支持的，所以错误通常会转化为安全漏洞。虽然存在可以防止或限制漏洞利用风险的技术，但高性能开销阻碍了它们的采用，使当今的系统容易受到攻击。为了解决这些问题，我们提出了一种新的方法：证据辅助检测和消除安全漏洞（EVADE）。EVADE将防止安全漏洞危及系统。挑战和目标是使其在时间和空间上有效，并使其实际部署。EVADE将为开发人员提供详细的报告，以减少修复应用程序所需的时间和精力。通过拦截大范围的攻击并自动定位漏洞，EVADE将极大地提高运行在服务器和桌面平台上的应用软件的安全性，并将实现一类新的攻击后安全分析。该技术方法是一种新颖的方法，跨越了传统的运行时系统、操作系统和虚拟机的研究边界。EVADE将在一个协调的框架中运行未经修改的应用程序，该框架将在提交任何输出之前执行选择性的取证分析，阻止漏洞攻击损害其主机，并使其能够以较低的开销查明错误。EVADE运行时系统将在内存中的随机位置放置轻量级绊网，可以快速验证以检测恶意行为。在应用程序中，它们采取放在堆栈和堆中的签名的形式，而在管理程序级别的EVADE中，它们可以保护系统调用表或其他关键数据结构。EVADE VM将执行划分为增量检查点时期。在每个时期边界，在提交任何系统状态之前，EVADE虚拟机将向EVADE运行时系统指示哪些页面已被修改，让它执行检查以识别漏洞。因此，EVADE将以极低的运行时开销极大地提高易受攻击应用程序的安全性，并将在漏洞利用发生时帮助开发人员定位漏洞。

项目成果

Advancing Network Function Virtualization Platforms with Programmable NICs

使用可编程 NIC 推进网络功能虚拟化平台

• DOI: 10.1109/lanman.2019.8847032
• 发表时间: 2019
• 期刊: IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN
• 作者: Ni, Zhen;Liu, Guyue;Afanasev, Dennis;Wood, Timothy;Hwang, Jinho
• 通讯作者: Hwang, Jinho