CRII: SaTC: Towards Detecting and Mitigating Vulnerabilities

CRII：SaTC：致力于检测和缓解漏洞

• 批准号: 2153474
• 负责人: Zhen Huang
• 金额: $ 17.49万
• 依托单位: DePaul University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-07-01 至 2024-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2153474&HistoricalAwards=false
• 关键词: CRII; SaTC; Towards; Detecting; Mitigating

This award is funded in whole or in part under the American Rescue Plan Act of 2021 (Public Law 117-2).Numerous real-world attacks exploit software vulnerabilities to compromise computer systems such as servers, desktops, smart phones, and Internet of Things (IoT) devices. Recent studies show that it is challenging to detect vulnerabilities accurately and patch vulnerabilities rapidly. State-of-the-art techniques can mitigate unpatched vulnerabilities effectively, but they usually sacrifice the availability of systems. The goal of this project is to improve vulnerability detection and mitigation. The project’s novelties are two-fold. First, the project team is developing an approach to significantly increasing the accuracy of vulnerability detection. Second, the project team is developing an approach to substantially reducing the availability loss of vulnerability mitigation. The project's broader significance and importance are that 1) the approaches developed by the project can be used by other projects addressing vulnerabilities, 2) the outcome of the project can help the software industry in designing mechanisms to detect vulnerabilities and defend against vulnerability exploits; and 3) the project is tightly integrated with undergraduate-level and graduate-level curriculum development and student advising. A diverse group of undergraduate and graduate students are participating in the project and developing their interests and expertise in software security.The project aims to develop an accurate vulnerability-detection technique and an unobtrusive vulnerability-mitigation technique. To improve the accuracy, the vulnerability-detection technique uses vulnerability conditions, each of which captures the intrinsic characteristics of a type of vulnerabilities, to detect vulnerabilities. To reduce the availability loss, the vulnerability-mitigation technique uses basic blocks and program paths as the granularity of vulnerability mitigation. The project consists of three key tasks: 1) designing a scheme for encoding vulnerability conditions, 2) developing a technique based on fuzzing to detect vulnerabilities using vulnerability conditions, and 3) developing a technique based on code-disabling to mitigates vulnerabilities at the granularity of basic blocks and program paths. The major contributions of the project include the design of the techniques, prototype implementations of the techniques, and an evaluation of the implementations with real-world vulnerabilities.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该奖项的全部或部分资金来自《2021年美国救援计划法案》(Public Law 117-2)。大量现实世界中的攻击利用软件漏洞来危害服务器、台式机、智能手机和物联网(IoT)设备等计算机系统。最近的研究表明，准确检测漏洞并快速修补漏洞是具有挑战性的。最先进的技术可以有效地缓解未打补丁的漏洞，但它们通常会牺牲系统的可用性。该项目的目标是改进漏洞检测和缓解。该项目的新颖性有两个方面。首先，项目组正在开发一种方法，以显著提高漏洞检测的准确性。其次，项目组正在开发一种方法，以显著减少漏洞缓解的可用性损失。该项目更广泛的意义和重要性在于：1)该项目开发的方法可以被其他解决漏洞的项目使用；2)该项目的成果可以帮助软件行业设计检测漏洞和防御漏洞利用的机制；以及3)该项目与本科生和研究生水平的课程开发和学生建议紧密结合。一群不同的本科生和研究生正在参与该项目，并培养他们在软件安全方面的兴趣和专业知识。该项目旨在开发一种准确的漏洞检测技术和一种不引人注目的漏洞缓解技术。为了提高漏洞检测的准确性，漏洞检测技术使用漏洞条件来检测漏洞，每个漏洞条件都捕获了一类漏洞的内在特征。为了减少可用性损失，漏洞缓解技术使用基本块和程序路径作为漏洞缓解的粒度。该项目包括三个关键任务：1)设计漏洞条件的编码方案；2)开发基于模糊的漏洞检测技术，利用漏洞条件检测漏洞；3)开发基于代码禁用的技术，在基本块和程序路径的粒度上缓解漏洞。该项目的主要贡献包括技术的设计、技术的原型实现以及对存在实际漏洞的实现的评估。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Multiclass Classification of Software Vulnerabilities with Deep Learning

• DOI: 10.1145/3587716.3587738
• 发表时间: 2023-02
• 期刊: Proceedings of the 2023 15th International Conference on Machine Learning and Computing
• 作者: Crystal Contreras;Hristina Dokic;Zhen Huang;Daniela Stan Raicu;Jacob D. Furst;Roselyne B. Tchoua

Runtime Recovery for Integer Overflows

• DOI: 10.1109/icsrs56243.2022.10067783
• 发表时间: 2022-11
• 期刊: 2022 6th International Conference on System Reliability and Safety (ICSRS)
• 作者: Zhen Huang