CRII: SaTC: Towards Detecting and Mitigating Vulnerabilities

CRII：SaTC：致力于检测和缓解漏洞

• 批准号: 2153474
• 负责人: Zhen Huang
• 金额: $ 17.49万
• 依托单位: DePaul University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-07-01 至 2024-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2153474&HistoricalAwards=false
• 关键词: CRII; SaTC; Towards; Detecting; Mitigating

This award is funded in whole or in part under the American Rescue Plan Act of 2021 (Public Law 117-2).Numerous real-world attacks exploit software vulnerabilities to compromise computer systems such as servers, desktops, smart phones, and Internet of Things (IoT) devices. Recent studies show that it is challenging to detect vulnerabilities accurately and patch vulnerabilities rapidly. State-of-the-art techniques can mitigate unpatched vulnerabilities effectively, but they usually sacrifice the availability of systems. The goal of this project is to improve vulnerability detection and mitigation. The project’s novelties are two-fold. First, the project team is developing an approach to significantly increasing the accuracy of vulnerability detection. Second, the project team is developing an approach to substantially reducing the availability loss of vulnerability mitigation. The project's broader significance and importance are that 1) the approaches developed by the project can be used by other projects addressing vulnerabilities, 2) the outcome of the project can help the software industry in designing mechanisms to detect vulnerabilities and defend against vulnerability exploits; and 3) the project is tightly integrated with undergraduate-level and graduate-level curriculum development and student advising. A diverse group of undergraduate and graduate students are participating in the project and developing their interests and expertise in software security.The project aims to develop an accurate vulnerability-detection technique and an unobtrusive vulnerability-mitigation technique. To improve the accuracy, the vulnerability-detection technique uses vulnerability conditions, each of which captures the intrinsic characteristics of a type of vulnerabilities, to detect vulnerabilities. To reduce the availability loss, the vulnerability-mitigation technique uses basic blocks and program paths as the granularity of vulnerability mitigation. The project consists of three key tasks: 1) designing a scheme for encoding vulnerability conditions, 2) developing a technique based on fuzzing to detect vulnerabilities using vulnerability conditions, and 3) developing a technique based on code-disabling to mitigates vulnerabilities at the granularity of basic blocks and program paths. The major contributions of the project include the design of the techniques, prototype implementations of the techniques, and an evaluation of the implementations with real-world vulnerabilities.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该奖项全部或部分由《2021年美国救援计划法案》（公法117-2）资助。许多现实世界的攻击利用软件漏洞来破坏计算机系统，如服务器、台式机、智能手机和物联网（IoT）设备。近年来的研究表明，准确检测漏洞并快速修补漏洞是一项具有挑战性的工作。最先进的技术可以有效地缓解未修补的漏洞，但它们通常会牺牲系统的可用性。这个项目的目标是改进漏洞检测和缓解。这个项目的新奇之处有两方面。首先，项目团队正在开发一种方法来显著提高漏洞检测的准确性。第二，项目团队正在开发一种方法，以大大减少脆弱性缓解的可用性损失。该项目更广泛的意义和重要性在于：1)项目开发的方法可以被其他解决漏洞的项目使用；2)项目的成果可以帮助软件行业设计漏洞检测和防御漏洞利用的机制；3)项目与本科和研究生阶段的课程开发和学生辅导紧密结合。一群不同的本科生和研究生正在参与这个项目，并在软件安全方面发展他们的兴趣和专业知识。该项目旨在开发一种准确的漏洞检测技术和一种不显眼的漏洞缓解技术。为了提高准确性，漏洞检测技术使用漏洞条件来检测漏洞，每个漏洞条件捕获一种漏洞的内在特征。为了减少可用性损失，漏洞缓解技术使用基本块和程序路径作为漏洞缓解的粒度。该项目包括三个关键任务：1)设计漏洞条件编码方案；2)开发基于模糊的技术，利用漏洞条件检测漏洞；3)开发基于代码禁用的技术，在基本块和程序路径粒度上减轻漏洞。该项目的主要贡献包括技术的设计、技术的原型实现，以及对具有现实世界漏洞的实现的评估。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Multiclass Classification of Software Vulnerabilities with Deep Learning

• DOI: 10.1145/3587716.3587738
• 发表时间: 2023-02
• 期刊: Proceedings of the 2023 15th International Conference on Machine Learning and Computing
• 作者: Crystal Contreras;Hristina Dokic;Zhen Huang;Daniela Stan Raicu;Jacob D. Furst;Roselyne B. Tchoua

Runtime Recovery for Integer Overflows

• DOI: 10.1109/icsrs56243.2022.10067783
• 发表时间: 2022-11
• 期刊: 2022 6th International Conference on System Reliability and Safety (ICSRS)
• 作者: Zhen Huang