CAREER: Amplifying Developer-Written Tests for Code Injection Vulnerability Detection

职业：扩大开发人员编写的代码注入漏洞检测测试

• 批准号: 2100015
• 负责人: Jonathan Bell
• 金额: $ 40.48万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-09-01 至 2025-04-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2100015&HistoricalAwards=false
• 关键词: CAREER; Amplifying; Developer; Written; Tests

Code injection vulnerabilities are a class of security vulnerabilities that have been exploited increasingly often, including in the high-profile 2017 Equifax breach as well as in many recent attacks on our country's election and financial systems. These vulnerabilities are very tricky to detect, and there are no existing automated techniques to protect critical software from being released with these dangerous flaws. This project is developing new and transformative approaches for detecting code injection vulnerabilities in complex, large-scale systems. The line between high-assurance and general-purpose software is increasingly blurred, as nowadays nearly any insecure software can have severe economic consequences. Hence, this project is developing, validating and disseminating better tools that any engineer can use to detect code injection vulnerabilities in their applications during testing (without requiring specialized security knowledge).To detect these vulnerabilities, this project harnesses the combined power of both human developers and automated dynamic program analysis, combining existing test suites with dynamic dataflow analysis. Given an existing (and perhaps low quality) developer-written test suite, this project simultaneously increases the depth of each test (adding new security-related checks to each test) and the breadth of each test (ensuring that the test suite thoroughly validates each security check). When one of these tests suggests that there might be a vulnerability, the tool will generate a proof-of-exploit test case that demonstrates the existence of the exploit and allows developers to understand and debug the issue, preventing it from escaping to the wild. The tools will be carefully designed to be adoptable by everyday software engineers without requiring specialized knowledge of program analysis, with easy integration with existing tooling and continuous integration infrastructure. This project involves undergraduate and graduate students in research. All software and curricula resulting from this project will be freely and publicly available; the resulting tools will be publicly disseminated and are expected to be useful for other testing and security researchers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

代码注入漏洞是一类越来越频繁被利用的安全漏洞，包括2017年备受瞩目的Equifax漏洞以及最近对我国选举和金融系统的许多攻击。这些漏洞检测起来非常棘手，并且没有现有的自动化技术来保护关键软件免受这些危险缺陷的发布。该项目正在开发用于检测复杂、大规模系统中的代码注入漏洞的新的变革性方法。高保证和通用软件之间的界限越来越模糊，因为现在几乎任何不安全的软件都可能造成严重的经济后果。因此，这个项目正在开发、验证和传播更好的工具，任何工程师都可以在测试期间使用这些工具来检测应用程序中的代码注入漏洞（不需要专门的安全知识）。为了检测这些漏洞，该项目利用了人类开发人员和自动动态程序分析的综合能力，将现有的测试套件与动态数据流分析相结合。给定一个现有的（可能是低质量的）开发人员编写的测试套件，该项目同时增加了每个测试的深度（向每个测试添加新的与安全性相关的检查）和每个测试的广度（确保测试套件彻底验证每个安全性检查）。当其中一个测试表明可能存在漏洞时，该工具将生成一个证明漏洞的测试用例，该测试用例演示了漏洞的存在，并允许开发人员理解和调试问题，防止其逃逸到野外。这些工具将被精心设计，以供日常软件工程师采用，而不需要专门的程序分析知识，并且易于与现有工具和持续集成基础结构集成。该项目涉及本科生和研究生的研究。本项目产生的所有软件和课程将免费公开提供；最终的工具将被公开传播，并有望对其他测试和安全研究人员有用。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Thirty-Three Years of Mathematicians and Software Engineers: A Case Study of Domain Expertise and Participation in Proof Assistant Ecosystems

数学家和软件工程师三十三年：领域专业知识和参与证明助理生态系统的案例研究

• 发表时间: 2024
• 期刊: Proceedings of the 21st International Conference on Mining Software Repositories
• 作者: Lincroft, Gwenyth;Cho, Minsung;Bazzaz, Mahsa;Hough, Katherine;Bell, Jonathan
• 通讯作者: Bell, Jonathan

A retrospective study of one decade of artifact evaluations

十年工件评估的回顾性研究

• DOI: 10.1145/3540250.3549172
• 发表时间: 2022
• 期刊: Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
• 作者: Winter, Stefan;Timperley, Christopher S.;Hermann, Ben;Cito, Jürgen;Bell, Jonathan;Hilton, Michael;Beyer, Dirk
• 通讯作者: Beyer, Dirk

Crossover in Parametric Fuzzing

• DOI: 10.1145/3597503.3639160
• 发表时间: 2024-04
• 期刊: 2024 IEEE/ACM 46th International Conference on Software Engineering (ICSE)
• 作者: Katherine Hough;Jonathan Bell

Revealing Injection Vulnerabilities by Leveraging Existing Tests

• DOI: 10.1145/3377811.3380326
• 发表时间: 2020-06
• 期刊: 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE)
• 作者: Katherine Hough;G. B. Welearegai;Christian Hammer;Jonathan Bell

CONFETTI: Amplifying Concolic Guidance for Fuzzers

• DOI: 10.1145/3510003.3510628
• 发表时间: 2022-05
• 期刊: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE)
• 作者: J. Kukucka;Luís Pina;P. Ammann;Jonathan Bell