SaTC: CORE: Small: Regulating and Leveraging Types for Security

SaTC：核心：小型：监管和利用安全类型

• 批准号: 2247434
• 负责人: Kangjie Lu
• 金额: $ 59.93万
• 依托单位: University of Minnesota-Twin Cities
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-08-01 至 2026-07-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2247434&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Regulating; Leveraging

Data elements are defined with types during software programming. A type not only specifies the semantics and characteristics of data elements, but also constrains the program operations and behaviors against data elements. Such type information is valuable for program analysis, and type analysis does not require complicated data-flow analysis. However, the type system in the widely used system programming languages (C/C++) has two fundamental problems. First, general types are prevalent; they obscure the specific data types and result in imprecise type-based analysis results. Second, type errors and typecasting are common; directly using erroneous types for defense mechanisms would lead to runtime errors which are considered unacceptable. This project aims to address the problems and use types for various security applications. The research results will be integrated into education to improve students' awareness of type errors, and help them capture type errors and harden their code.This project aims to address fundamental problems with types in type-unsafe programming languages like C/C++ and then use the improved types for various security applications. The project has three research thrusts. First, the project will regulate types—specifizing the prevalent general types and statically detecting type-confusion errors. It will employ selective, path-based, and function-grained typecasting analysis to improve scalability and precision. The second research thrust will then develop new techniques that leverageregulated types to significantly improve the precision of several foundational analysis techniques for security. With the regulated types and precise analysis techniques, the last research thrust will build effective and practical defense mechanisms such as type-based data-/control-flow integrity. The techniques will be implemented as LLVM passes, so that they can be easily used as compiler plugins.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

数据元素是在软件编程期间使用类型定义的。类型不仅规定了数据元素的语义和特征，而且约束了程序对数据元素的操作和行为。这种类型信息对于程序分析很有价值，并且类型分析不需要复杂的数据流分析。然而，广泛使用的系统编程语言(C/C++)中的类型系统存在两个基本问题。首先，通用类型很普遍；它们模糊了特定的数据类型，导致基于类型的分析结果不精确。其次，类型错误和类型转换很常见；直接使用错误类型作为防御机制会导致运行时错误，这被认为是不可接受的。该项目旨在解决各种安全应用程序的问题和使用类型。研究成果将被整合到教育中，以提高学生对类型错误的认识，并帮助他们捕获类型错误并强化代码。该项目旨在解决C/C++等类型不安全编程语言中的类型基本问题，并将改进后的类型用于各种安全应用。该项目有三个研究推动力。首先，该项目将规范类型--指定流行的通用类型，并静态检测类型混淆错误。它将使用选择性的、基于路径的和功能粒度的类型转换分析，以提高可伸缩性和精度。第二个研究重点将开发利用监管类型的新技术，以显着提高几种基本安全分析技术的精度。通过规范的类型和精确的分析技术，最终的研究重点将建立有效和实用的防御机制，如基于类型的数据/控制流完整性。这些技术将在LLVM通过后实施，因此它们可以很容易地用作编译器插件。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。