SaTC: CORE: Small: Better Software Security Through Caging

SaTC：核心：小型：通过限制提高软件安全性

• 批准号: 1815925
• 负责人: Justin Cappos
• 金额: $ 50万
• 依托单位: New York University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1815925&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Better; Software

Software has bugs, quite commonly in libraries that are created by third-party developers. Unfortunately, a bug in any library enables attackers to take control of an application. Furthermore, since popular libraries are used across thousands of applications, these libraries become a high-leverage target for attackers. This work improves the security of software by stopping bugs in one library from impacting other portions of the application. This makes it much more difficult for attackers to compromise software and harm users. This work builds a novel mechanism that can take legacy programs and convert them into a series of components that are isolated into different domains called cages. Cages are isolated from each other in a way that is similar to how operating system virtual machines are isolated. Each cage may have its own file system and network interface, and may handle system calls in a different manner. This includes the potential for blocking system calls that should not be needed by a cage, for example to disable the network interface in libraries that do not need it. This isolation also includes resource and performance isolation for a specific cage, preventing a malicious or buggy library from crashing or harming an application. The team is working to not only develop a research prototype for the effort, but also to use this work to secure large software projects.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

软件有bug，在第三方开发人员创建的库中很常见。 不幸的是，任何库中的错误都使攻击者能够控制应用程序。 此外，由于流行的库在数千个应用程序中使用，这些库成为攻击者的高杠杆目标。 这项工作通过阻止一个库中的错误影响应用程序的其他部分来提高软件的安全性。 这使得攻击者更难危害软件和伤害用户。这项工作建立了一个新的机制，可以采取遗留程序，并将它们转换成一系列的组件，这些组件被隔离到不同的域称为笼子。笼以类似于操作系统虚拟机隔离的方式彼此隔离。每个笼可以具有其自己的文件系统和网络接口，并且可以以不同的方式处理系统调用。这包括可能阻止笼不应该需要的系统调用，例如禁用不需要的库中的网络接口。这种隔离还包括特定笼的资源和性能隔离，防止恶意或有缺陷的库崩溃或损害应用程序。该团队不仅致力于开发一个研究原型的努力，而且还利用这项工作，以确保大型软件项目。这个奖项反映了NSF的法定使命，并已被认为是值得通过评估使用基金会的智力价值和更广泛的影响审查标准的支持。