Collaborative Research: SaTC: CORE: Medium: Rethinking Fuzzing for Security

协作研究：SaTC：核心：中：重新思考安全性模糊测试

• 批准号: 2031390
• 负责人: Engin Kirda
• 金额: $ 59.98万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2031390&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

In software, a vulnerability is a flaw in the code that can be exploited by a malicious actor to perform unauthorized activities or change the behavior of the software. Although a topic heavily studied by security researchers, finding software vulnerabilities is becoming increasingly challenging because the software widely used in day-to-day life is growing larger and more complicated. This project addresses this challenge by rethinking a classic technique called fuzzing for finding vulnerabilities from large software. The high-level idea of fuzzing is to create a large number of random inputs to run software and in turn trigger vulnerabilities. The novelties of this project are the new approaches, techniques, and tools that revolutionize fuzzing and make the nearly random testing process more intelligent and targeted. This way, this project will enhance security of various types of widely used software, ranging from web browsers to server-side programs.To that end, this project is investigating vulnerability-coverage-driven fuzzing. Existing fuzzing techniques primarily followed an approach called code-coverage-driven fuzzing, motivated by the belief that code coverage and vulnerability finding are strongly correlated. Challenging this widely held belief, this project shows that code coverage has weaker-than-expected ties with vulnerabilities and code-coverage-driven fuzzing is not well suited for vulnerability finding. Pioneering vulnerability-coverage-driven fuzzing, this project invents a series of novel techniques to (1) obtain feedback on vulnerability coverage (2) prioritize test inputs that can reach more vulnerabilities and (3) maximize the chance to trigger vulnerabilities reached by the test inputs. This project also produces new metrics, new benchmarks, and new frameworks for comprehensively evaluating the use of fuzzing for vulnerability finding. With the investigators' experience in research of software security and system security, this project provides a group of education, training, and research opportunities for both undergraduate and graduate students. Through industry outreach, the investigators pursue technology transfers and raise the awareness of software security.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在软件中，漏洞是代码中的缺陷，恶意行为者可以利用该缺陷来执行未经授权的活动或更改软件的行为。尽管安全研究人员对此进行了大量研究，但由于日常生活中广泛使用的软件变得越来越大和越来越复杂，查找软件漏洞变得越来越具有挑战性。这个项目通过重新思考一种名为Fuzing的经典技术来解决这一挑战，该技术用于从大型软件中查找漏洞。模糊的高级思想是创建大量随机输入来运行软件，进而触发漏洞。这个项目的新颖性在于新的方法、技术和工具，这些方法、技术和工具彻底改变了模糊，并使几乎随机的测试过程更加智能和有针对性。这样，该项目将增强各种类型的广泛使用的软件的安全性，从Web浏览器到服务器端程序。为此，该项目正在研究漏洞覆盖驱动的模糊。现有的模糊技术主要遵循一种称为代码覆盖驱动模糊的方法，其动机是代码覆盖和漏洞查找紧密相关。该项目挑战了这一普遍持有的信念，表明代码覆盖与漏洞的联系弱于预期，代码覆盖驱动的模糊不太适合漏洞查找。该项目开创了漏洞覆盖驱动模糊的先河，发明了一系列新技术来(1)获得漏洞覆盖的反馈(2)确定可触及更多漏洞的测试输入的优先顺序，以及(3)最大限度地增加触发测试输入触及的漏洞的机会。该项目还产生了新的指标、新的基准和新的框架，用于全面评估Fuzing用于漏洞查找的使用情况。凭借研究人员在软件安全和系统安全方面的研究经验，本项目为本科生和研究生提供了一批教育、培训和研究机会。通过行业外展，调查人员寻求技术转让并提高软件安全意识。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。