Collaborative Research: SaTC: CORE: Medium: Audacity of Exploration: Toward Automated Discovery of Security Flaws in Networked Systems through Intelligent Documentation Analysis

协作研究：SaTC：核心：中：大胆探索：通过智能文档分析自动发现网络系统中的安全缺陷

• 批准号: 2154138
• 负责人: Xiaozhong Liu
• 金额: $ 34.93万
• 依托单位: Worcester Polytechnic Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-07-01 至 2026-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2154138&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

Specifications, developer guides and other documentations of networked systems (e.g., Internet applications, carrier networks) describe how these systems are designed, used and operate. These documentations are important sources for understanding security weaknesses in these systems and have not been fully leveraged due to the difficulty in analyzing their imprecise, convoluted and ambiguous content. Project Audacity (AUtomated Documentation Analysis for seCurITY) aims at addressing the challenge for security weakness discovery and remedy. Its novelties are the development of innovative technologies to enable automated document analysis for security protection. The project’s broader significance and importance include transferring the technologies to industry, involving members from under-represented groups in the project and disseminating outcomes through K9-12 outreach and community services. The project focuses on mitigating security risks of both design flaws and implementation vulnerabilities in networked systems, through automatically recovering security-related information (e.g., models, security properties) and confusing descriptions (e.g., inconsistent statements) from documentations to evaluate their security implications (e.g., verification of system designs, validation of predicted weaknesses on system implementations). This purpose is served by novel techniques based upon machine learning and natural language processing for analyzing different types of documentations, such as those for payment, single-sign-on, and for the 3rd Generation Partnership Project or 3GPP. Examples of such techniques include sentiment analysis for finding the statements related to security requirements and a similarity and differential analysis that compares different statements about similar security-critical operations to capture inconsistency. Furthermore, the project studies emerging techniques such as service syndication through comparing the documentations of different services and the 3GPP ecosystem from analyzing its public text data for risk measurement, identification and mitigation. This work complements program analysis to help enhance the security quality of networked systems, contributing to a better procedure and ecosystem that make security-critical documentations more precise, more consistent and less error-prone.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络系统（如Internet应用程序、载波网络）的规范、开发指南和其他文档描述了这些系统是如何设计、使用和操作的。这些文档是了解这些系统中的安全弱点的重要来源，但由于难以分析其不精确、复杂和模糊的内容，这些文档尚未得到充分利用。项目Audacity（安全自动化文档分析）的目标是处理安全弱点发现和补救的挑战。它的新颖之处在于开发了创新技术，以实现安全保护的自动文档分析。该项目更广泛的意义和重要性包括将技术转让给工业界，让项目中代表性不足的群体的成员参与，并通过K9-12外展和社区服务传播成果。该项目侧重于减轻网络系统中设计缺陷和实现漏洞的安全风险，通过自动从文档中恢复与安全相关的信息（例如，模型，安全属性）和令人困惑的描述（例如，不一致的陈述）来评估其安全含义（例如，系统设计的验证，系统实现上预测的弱点的验证）。基于机器学习和自然语言处理的新技术可以用于分析不同类型的文档，例如用于支付、单点登录和第三代合作伙伴项目（3GPP）的文档，从而实现这一目的。此类技术的示例包括用于查找与安全需求相关的语句的情感分析，以及用于比较关于类似安全关键操作的不同语句以捕获不一致性的相似性和差异分析。此外，该项目还研究了新兴技术，如服务联合，通过比较不同服务的文档和3GPP生态系统，分析其公共文本数据，以进行风险测量、识别和缓解。这项工作补充了程序分析，有助于提高网络系统的安全质量，有助于建立更好的程序和生态系统，使安全关键文件更精确、更一致、更少出错。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。