SaTC: TTP: Medium: Collaborative: Deployment-quality and Accessible Solutions for Cryptography Code Development

SaTC：TTP：中：协作：用于加密代码开发的部署质量和可访问解决方案

• 批准号: 1929739
• 负责人: Barton Miller
• 金额: $ 50万
• 依托单位: University of Wisconsin-Madison
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1929739&HistoricalAwards=false
• 关键词: SaTC; TTP; Medium; Collaborative; Deployment

Vulnerabilities in cryptographic implementations seriously reduce the security guarantees of algorithms in practice and lead to attacks. An effective fix to the vulnerable code problem is automatic code checking. However, existing code verification tools cannot adequately cover cryptographic properties due to deficiencies in both accuracy, in terms of missed detection and false alarms, and scalability, in terms of complexity and runtime. The technology in this transition-to-practice project is to help secure cryptographic implementations, which are the foundation of many advanced systems. By making relevant research solutions deployment-grade, this effort can substantially improve the cryptographic coding practice and benefit software developers in all professions. The project's objective is to transition multiple secure cryptographic coding research solutions to practice and make it convenient and accessible to automatically screen programs against a wide range of cryptographic implementation vulnerabilities or misuses. The main technical enabler is a high precision and high throughput approach based on specialized program analysis techniques called CryptoGuard. CryptoGuard can detect a wide range of cryptographic misuses with ultra-low false alarm rates when used on complex and large-scale Java programs. The project leverages multiple popular software development and software security platforms, including the Software Assurance Marketplace, to make these tools effective in production environments. The systematic benchmark and measurement work is designed to advance the science of security and substantially raises the standard and quality of cryptographic code screening.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

密码实现中存在的漏洞严重降低了算法在实际应用中的安全性保证，导致攻击的发生。解决易受攻击的代码问题的一个有效方法是自动代码检查。然而，现有的代码验证工具不能充分地覆盖加密属性，这是由于在准确性（在漏检和误报警方面）和可扩展性（在复杂性和运行时间方面）两者上的缺陷。这个从过渡到实践的项目中的技术是帮助保护加密实现，这是许多高级系统的基础。通过使相关的研究解决方案部署级，这一努力可以大大改善加密编码实践，并使所有专业的软件开发人员受益。该项目的目标是将多个安全加密编码研究解决方案转化为实践，并使其方便和易于自动筛选程序，以防止各种加密实现漏洞或误用。主要的技术推动者是一种基于称为CryptoGuard的专业程序分析技术的高精度和高吞吐量方法。CryptoGuard可以检测各种各样的密码误用，当用于复杂和大规模的Java程序时，具有超低的误报率。该项目利用多个流行的软件开发和软件安全平台，包括软件保障市场，使这些工具在生产环境中有效。系统的基准和测量工作旨在推动安全科学的发展，并大大提高加密代码筛选的标准和质量。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

An In-Depth Security Assessment of Maritime Container Terminal Software Systems

• DOI: 10.1109/access.2020.3008395
• 发表时间: 2020-06
• 期刊: IEEE Access
• 影响因子: 3.9
• 作者: Joseph O. Eichenhofer;E. Heymann;B. Miller;Arnold Kang

Being the Developers’ Friend: Our Experience Developing a High-Precision Tool for Secure Coding

• DOI: 10.1109/msec.2022.3159481
• 发表时间: 2022-11
• 期刊: IEEE Security & Privacy
• 影响因子: 1.9
• 作者: D. Yao;Sazzadur Rahaman;Ya Xiao;Sharmin Afrose;Miles Frantz;Ke Tian;Na Meng;C. Cifuentes;Yang Zhao;N. Allen;Nathan Keynes;B. Miller;E. Heymann;Murat Kantarcioglu;Fahad Shaon

Software Security for the People: Free and Open Resources for Software Security Training

人民的软件安全：软件安全培训的免费开放资源

• DOI: 10.1109/msec.2022.3142336
• 发表时间: 2022
• 期刊: IEEE Security & Privacy
• 影响因子: 1.9
• 作者: Heymann, Elisa R.;Miller, Barton P.
• 通讯作者: Miller, Barton P.

The Relevance of Classic Fuzz Testing: Have We Solved This One?

• DOI: 10.1109/tse.2020.3047766
• 发表时间: 2020-08
• 期刊: IEEE Transactions on Software Engineering
• 影响因子: 7.4
• 作者: B. Miller;Mengxiao Zhang;E. Heymann