CICI:SIVD:Context-Aware Vulnerability Detection in Configurable Scientific Computing Environments

CICI：SIVD：可配置科学计算环境中的上下文感知漏洞检测

• 批准号: 2115167
• 负责人: Mu Zhang
• 金额: $ 49.98万
• 依托单位: University of Utah
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-07-01 至 2025-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2115167&HistoricalAwards=false
• 关键词: CICI; SIVD; Context; Aware; Vulnerability

Computational infrastructures have increasingly become the enabling factor for scientific discovery, in critical application domains including seismic imaging, air quality monitoring, epidemiology, drug discovery and nuclear engineering. The security of these infrastructures is thus of crucial importance, as the vulnerabilities in their unique software stacks can cause significant damage to economy, environment, public health, and national security. This project aims to safeguard scientific computing infrastructures via automatically identifying hidden software vulnerabilities in a timely manner. Particularly, the goal of this project is to address the challenging problem of configuration-related security bugs in highly customizable high-performance computing environments. Detecting such vulnerabilities is a hard problem. The stateof- the-art general vulnerability analyzers are unable to capture the specific runtime contexts of multiple interdependent software elements in specialized scientific computing environments. To bridge this gap, this project connects advanced bug-finding techniques to dedicated high-performance computing settings. In addition, it also seeks to leverage the unique characteristics of scientific computing environments to facilitate vulnerability discovery. Hence, this research provides a comprehensive understanding of the software security problems in real-world scientific computing systems, and builds robust solutions to secure these systems.Specifically, this project develops novel deployment-specific vulnerability detection techniques, that can (a) discover seemingly well-formed, yet inconsistent configuration values within scientific computing contexts, (b) detect cross-component vulnerabilities caused by the settings of interconnected computing software, and (c) take full advantage of the de facto workflow of high-performance computing systems to reduce the complexity of finding bugs. This research consists of three tasks: (1) it investigates the deployment contexts in real-world high-performance computing systems and develops both offline and online tools to automatically collect contextual information; (2) it applies extracted contexts to detecting misconfiguration and configuration-triggered code vulnerabilities at both deployment time and incrementally at runtime; (3) it tests the novel technique in real-world testbeds and scientific computing environments to evaluate its accuracy, efficiency and effectiveness.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

计算基础设施日益成为科学发现的有利因素，在关键应用领域，包括地震成像，空气质量监测，流行病学，药物发现和核工程。因此，这些基础设施的安全至关重要，因为其独特的软件堆栈中的漏洞可能对经济，环境，公共卫生和国家安全造成重大损害。该项目旨在通过及时自动识别隐藏的软件漏洞来保护科学计算基础设施。特别是，这个项目的目标是解决高度可定制的高性能计算环境中与配置相关的安全漏洞的挑战性问题。检测此类漏洞是一个难题。现有技术的通用漏洞分析器无法在专门的科学计算环境中捕获多个相互依赖的软件元素的特定运行时上下文。为了弥补这一差距，该项目将高级错误查找技术与专用的高性能计算设置相结合。此外，它还寻求利用科学计算环境的独特特征来促进漏洞发现。因此，本研究提供了对现实世界科学计算系统中软件安全问题的全面理解，并构建了强大的解决方案来保护这些系统。具体来说，本项目开发了新颖的特定于部署的漏洞检测技术，可以（a）发现科学计算环境中看似格式良好但不一致的配置值，（B）检测由互连计算软件的设置引起的跨组件漏洞，以及（c）充分利用高性能计算系统的事实上的工作流程，以降低查找错误的复杂性。本研究包含三个任务：（1）调查真实世界高性能计算系统中的部署上下文，并开发离线和在线工具来自动收集上下文信息;（2）将提取的上下文应用于在部署时和运行时增量地检测错误配置和配置触发的代码漏洞;（3）它在真实世界的测试平台和科学计算环境中测试新技术，以评估其准确性，效率和有效性。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Automated Generation of Security-Centric Descriptions for Smart Contract Bytecode

• DOI: 10.1145/3597926.3598132
• 发表时间: 2023-07
• 期刊: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
• 作者: Yufei Pan;Zhichao Xu;Li Li-Li;Yunhe Yang;Mu Zhang

Arvin: Greybox Fuzzing Using Approximate Dynamic CFG Analysis

Arvin：使用近似动态 CFG 分析进行灰盒模糊测试

• DOI: 10.1145/3579856.3582813
• 发表时间: 2023
• 期刊: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
• 作者: Shahini, Sirus;Zhang, Mu;Payer, Mathias;Ricci, Robert
• 通讯作者: Ricci, Robert