TWC: Medium: Toward Trustworthy Mutable Replay for Security Patches

TWC：中：实现安全补丁的可信赖可变重放

• 批准号: 1563555
• 负责人: Gail Kaiser
• 金额: $ 120万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1563555&HistoricalAwards=false
• 关键词: TWC; Medium; Toward; Trustworthy; Mutable

Society is increasingly reliant on software, but deployed software contains security vulnerabilities and other bugs that can threaten privacy, property and even human lives. When a security vulnerability or critical error is discovered, a software patch is issued to attempt to fix the problem, but patches themselves can be incorrect, inadequate, and break necessarily functionality. This project investigates the full workflow for the developer to rapidly diagnose the root cause of the vulnerability or error, for the developer to test that a prospective patch indeed completely removes the defect, and for users to check the issued patch on their own configurations and workloads before adopting the patch. This project explores the use of mutable replay to help reproduce, diagnose, and fix software bugs. A low-overhead recorder records the execution of software in case a failure or exploit occurs, allowing the developer to replay the recorded log to reproduce the problem. Mutable replay allows logs recorded with the buggy version to be replayed after the modest code changes typical of critical patches to show that patches work correctly to resolve detected problems. This project leverages semantic information readily available to the developer to conduct well-understood static and dynamic analyses to correctly transform the recorded log to enable mutable replay. The results of this research will benefit society and individuals by simplifying and hastening both generation and validation of patches, ultimately making software more reliable and secure.

社会越来越依赖软件，但已部署的软件包含安全漏洞和其他可能威胁隐私、财产甚至人类生命的漏洞。当发现安全漏洞或严重错误时，会发布软件补丁试图修复问题，但补丁本身可能不正确、不充分，并且会破坏必要的功能。该项目调查了开发人员快速诊断漏洞或错误的根本原因的完整工作流程，为开发人员测试未来的补丁确实完全消除了缺陷，并为用户在采用补丁之前检查他们自己的配置和工作负载上发布的补丁。这个项目探索了可变重放的使用，以帮助重现、诊断和修复软件错误。在发生故障或漏洞利用的情况下，低开销记录器记录软件的执行，允许开发人员重放记录的日志以重现问题。可变重播允许在对关键补丁进行适当的代码更改后重播带有错误版本的日志，以显示补丁能够正确地解决检测到的问题。该项目利用开发人员随时可用的语义信息来执行易于理解的静态和动态分析，以正确地转换记录的日志以启用可变重播。这项研究的结果将通过简化和加速补丁的生成和验证来造福社会和个人，最终使软件更加可靠和安全。

项目成果

DIRECT : A Transformer-based Model for Decompiled Identifier Renaming

DIRECT：基于 Transformer 的反编译标识符重命名模型

• 发表时间: 2021
• 期刊: 1st Workshop on Natural Language Processing for Programming (NLP4Prog
• 作者: Nitin, Vikram;Saieva, Anthony;Ray, Baishakhi;Kaiser, Gail
• 通讯作者: Kaiser, Gail

Testing DNN Image Classifier for Confusion & Bias Errors

测试 DNN 图像分类器的混淆情况

• 发表时间: 2020
• 期刊: 42nd International Conference on Software Engineering
• 作者: Tian, Yuchi;Zhong, Ziyuan;Ordonez, Vicente;Kaiser, Gail;Ray, Baishakhi
• 通讯作者: Ray, Baishakhi

Side Channel Attack on Smartphone Sensors to Infer Gender of the User

对智能手机传感器进行侧信道攻击以推断用户性别

• 发表时间: 2019
• 期刊: 17th ACM Conference on Embedded Networked Sensor Systems (SenSys
• 作者: Singh, Shirish;Shila, Devu Manikantan;Kaiser, Gail
• 通讯作者: Kaiser, Gail

Obfuscation resilient search through executable classification

通过可执行分类进行混淆弹性搜索

• DOI: 10.1145/3211346.3211352
• 发表时间: 2018
• 期刊: Proceedings of the 2nd ACM SIGPLAN International Workshop on Machine Learning and Programming Languages
• 作者: Su, Fang-Hsiang;Bell, Jonathan;Kaiser, Gail;Ray, Baishakhi
• 通讯作者: Ray, Baishakhi

Learning Computational Thinking Efficiently with Block-based Parsons Puzzles

通过基于块的帕森斯谜题有效学习计算思维

• 发表时间: 2022
• 期刊: 30th International Conference on Computers in Education (ICCE
• 作者: Bender, Jeff;Dziena, Alex;Kaiser, Gail
• 通讯作者: Kaiser, Gail