SaTC: EDU: Curricula and CTF Exercises for Teaching Smart Fuzzing and Symbolic Execution

SaTC：EDU：用于教授智能模糊测试和符号执行的课程和 CTF 练习

• 批准号: 1821841
• 负责人: Wu-chang Feng
• 金额: $ 27.94万
• 依托单位: Portland State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-15 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1821841&HistoricalAwards=false
• 关键词: SaTC; EDU; Curricula; CTF; Exercises

It is estimated that a security flaw occurs in in every 100 lines of code written, which makes it difficult to develop secure, and trustworthy software. Given the lack of a sufficient number of developers, the computing industry is turning to smart fuzzing and symbolic execution tools that automatically discover and patch vulnerabilities in computing systems. While these techniques are becoming widely used in industry, few academic programs include these concepts in their educational programs. The project will develop curricular materials that will teach students these emerging techniques that are revolutionizing how software is being tested and validated. This project will develop open-source curricula, and hands-on, "capture-the-flag" (CTF) exercises that will enable Computer Science programs across the country to teach these techniques to students. In order to help develop abilities in fuzzing the project will develop a polymorphically generated web application that includes source code and several vulnerabilities. Students will use a fuzzer to identify, and fix the vulnerabilities. As a result students will develop the skills required to use fuzzers, and the ability to spot the errors and vulnerabilities in source-code that fuzzers reveal. By building and publishing these educational artifacts, this project will place these tools in the hands of as many students as possible so that industry can efficiently build and secure software. As a result, the next-generation of developers will understand the fundamental ideas behind automated vulnerability detection and correction, and develop the ability to leverage modern software testing tools.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

据估计，每写100行代码就会出现一个安全漏洞，这使得开发安全可靠的软件变得困难。 由于缺乏足够数量的开发人员，计算行业正在转向智能模糊和符号执行工具，这些工具可以自动发现和修补计算系统中的漏洞。 虽然这些技术在工业中得到广泛应用，但很少有学术项目将这些概念纳入其教育项目中。 该项目将开发课程材料，向学生传授这些新兴技术，这些技术正在彻底改变软件的测试和验证方式。 该项目将开发开源课程，并动手，“捕捉国旗”（CTF）练习，使全国各地的计算机科学课程，教这些技术的学生。 为了帮助开发模糊能力，该项目将开发一个多态生成的Web应用程序，其中包括源代码和几个漏洞。 学生将使用模糊器来识别和修复漏洞。 因此，学生将开发使用模糊器所需的技能，以及发现模糊器揭示的源代码中的错误和漏洞的能力。 通过构建和发布这些教育工件，该项目将把这些工具放在尽可能多的学生手中，以便行业能够有效地构建和保护软件。 因此，下一代开发人员将理解自动漏洞检测和纠正背后的基本思想，并开发利用现代软件测试工具的能力。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Have I Been Exploited? A Registry of Vulnerable Smart Contracts

我被剥削了吗？

• 发表时间: 2020
• 期刊: International Conference on Blockchain
• 作者: Daniel Connelly, Wu-chang Feng

Thunder CTF: Learning Cloud Security on a Dime

Thunder CTF：快速学习云安全

• 发表时间: 2021
• 期刊: CoRR
• 作者: Springer, Nicholas;Feng, Wu-chang
• 通讯作者: Feng, Wu-chang

Teaching with angr: A Symbolic Execution Curriculum and CTF

使用 angr 进行教学：符号执行课程和 CTF

• 发表时间: 2018
• 期刊: USENIX Advances in Security Education
• 作者: Springer, Jake;Feng, Wu-chang
• 通讯作者: Feng, Wu-chang