权益分类	功能权益	普通用户	{{item.name}}会员
{{category.name}}	{{benefitItem.name}}

SaTC: CORE: Small: Detecting Vulnerabilities and Remediations in Software Dependencies

SaTC：核心：小型：检测软件依赖项中的漏洞和补救措施

基本信息

批准号：
1946273
负责人：
William Enck
金额：
$ 49.99万
依托单位：
North Carolina State University
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2020
资助国家：
美国
起止时间：
2020-10-01 至 2024-09-30
项目状态：
已结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=1946273&HistoricalAwards=false
关键词：
SaTC CORE Small Detecting Vulnerabilities

项目摘要

Software is at the very center of today's society, permeating commerce, transportation, information exchange, and entertainment. Today's software is rarely written from scratch and is frequently dependent on a large ecosystem of open source libraries and tools. As a result, a single vulnerability in a library often has a cascading effect, resulting in corresponding vulnerabilities in the many software systems and applications that depend on it. The goal of this project is to aid software developers in identifying and updating vulnerable dependencies through the creation of methods that detect, measure, and remediate a software project's use of external, open source software with security flaws. As part of achieving this goal, the investigators will develop the first global vulnerable-dependency graph to characterize the problem within the broader open source ecosystem.The creation of this global vulnerable-dependency graph depends on addressing two key research challenges. First, software dependencies exist in many forms, ranging from clear listings in package manifests to copies of external libraries added to a software project's code repository. Second, not all vulnerability fixes are announced. Developers often discover and fix vulnerabilities without issuing an announcement (or perhaps even without knowing a vulnerability was fixed). This project will address these challenges through novel application of static program analysis and text analytics. These techniques will scalably recover software dependencies, mapping both publicly known vulnerabilities as well as discovered silent vulnerability fixes to individual versions of software libraries and tools.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

软件是当今社会的核心，渗透到商业、交通、信息交换和娱乐中。今天的软件很少是从头开始编写的，经常依赖于一个由开源库和工具组成的大型生态系统。因此，库中的单个漏洞通常会产生级联效应，从而导致依赖于它的许多软件系统和应用程序中出现相应的漏洞。该项目的目标是通过创建检测、测量和补救软件项目使用存在安全缺陷的外部开放源码软件的方法，帮助软件开发人员识别和更新易受攻击的依赖项。作为实现这一目标的一部分，研究人员将开发第一个全球脆弱依赖图，以表征更广泛的开源生态系统中的问题。创建这个全球脆弱依赖图取决于解决两个关键的研究挑战。首先，软件依赖以多种形式存在，从包清单中的清晰清单到添加到软件项目的代码库中的外部库的副本。其次，并不是所有的漏洞修复都会公布。开发人员经常在不发布公告的情况下发现和修复漏洞(甚至可能在不知道漏洞已修复的情况下)。这个项目将通过静态程序分析和文本分析的新应用来解决这些挑战。这些技术将可扩展地恢复软件依赖关系，将公开的漏洞以及发现的静默漏洞修复映射到软件库和工具的各个版本。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。