SaTC: CORE: Medium: Securing WebAssembly using Static Analysis and Binary Instrumentation
SaTC:核心:中:使用静态分析和二进制工具保护 WebAssembly
基本信息
- 批准号:2329540
- 负责人:
- 金额:$ 120万
- 依托单位:
- 依托单位国家:美国
- 项目类别:Continuing Grant
- 财政年份:2023
- 资助国家:美国
- 起止时间:2023-10-01 至 2026-09-30
- 项目状态:未结题
- 来源:
- 关键词:
项目摘要
WebAssembly is a web technology that has rapidly been gaining in popularity. It is a low-level bytecode format that was introduced in 2017, and was originally designed for computationally-intensive tasks in the browser such as cryptography and games. Today, as envisioned, WebAssembly is supported by all modern browsers, and heavily used by applications. Recently, a number of critical security concerns in WebAssembly binaries have been identified for which no adequate solutions exist. This project is concerned with the development of WASSY, a novel system and a comprehensive suite of tools for detecting and mitigating security vulnerabilities in applications that rely on WebAssembly. WASSY will rely on a combination of static analysis techniques, which analyze WebAssembly binaries without executing them, to detect likely vulnerabilities, and binary instrumentation techniques that rewrite a WebAssembly binary to mitigate potential vulnerabilities. The developed techniques will be evaluated on a suite of applications that rely on WebAssembly binaries and that contain vulnerabilities. The research will benefit users of web applications by reducing the number of vulnerabilities that can be exploited, thereby reducing the potential for loss of data, and associated financial and legal exposure. Results of the project will be disseminated via publications in scientific venues and through release of open-source software and data sets. Societal benefits will follow from improvements in web software security that is enabled by the adoption of the developed techniques. The developed static analysis techniques will be designed to accommodate several characteristics that are specific to WebAssembly such as its stack-based representation, lack of names and structure, lack of type information, and index-based access to linear memory and function tables. A family of flow-insensitive, flow-sensitive, and context-sensitive algorithms will be developed accordingly, using abstractions suitable to the domain, and designed to account for interaction with JavaScript code that executes in the host environment. The developed binary instrumentation techniques will be designed to counteract vulnerabilities that may arise in web applications that rely on WebAssembly binaries, such as injection vulnerabilities and cross-site scripting vulnerabilities. To this end, binary instrumentation will be used to implement suitable variations on classic security concepts such as stack canaries, memory segmentation, and address space randomization.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
WebAssembly是一种正在迅速普及的Web技术。它是2017年推出的一种低级字节码格式,最初是为浏览器中的计算密集型任务(如加密和游戏)而设计的。今天,正如所设想的那样,WebAssembly被所有现代浏览器支持,并被应用程序大量使用。最近,已经确定了WebAssembly二进制文件中的一些关键安全问题,这些问题没有适当的解决方案。该项目关注瓦西的开发,WASSY是一个新颖的系统和一套全面的工具,用于检测和减轻依赖WebAssembly的应用程序中的安全漏洞。瓦西将依赖于静态分析技术和二进制插装技术的组合,静态分析技术分析WebAssembly二进制文件而不执行它们,以检测可能的漏洞,二进制插装技术重写WebAssembly二进制文件以减轻潜在的漏洞。 开发的技术将在一套依赖于WebAssembly二进制文件并包含漏洞的应用程序上进行评估。这项研究将通过减少可被利用的漏洞数量,从而减少数据丢失的可能性以及相关的财务和法律的风险,使网络应用程序的用户受益。该项目的成果将通过科学场所的出版物和开放源码软件和数据集的发布进行传播。通过采用所开发的技术,网络软件安全性的改善将带来社会效益。开发的静态分析技术将被设计为适应WebAssembly特有的几个特征,例如基于堆栈的表示,缺乏名称和结构,缺乏类型信息,以及基于索引的线性内存和函数表访问。相应地,将开发一系列流不敏感、流敏感和上下文敏感的算法,使用适合于该领域的抽象,并设计为考虑与在主机环境中执行的JavaScript代码的交互。开发的二进制插装技术将被设计用于抵消依赖于WebAssembly二进制文件的Web应用程序中可能出现的漏洞,例如注入漏洞和跨站点脚本漏洞。为此,二进制插装将用于实现经典安全概念的适当变体,如堆栈金丝雀、内存分段和地址空间随机化。该奖项反映了NSF的法定使命,并通过使用基金会的智力价值和更广泛的影响审查标准进行评估,被认为值得支持。
项目成果
期刊论文数量(0)
专著数量(0)
科研奖励数量(0)
会议论文数量(0)
专利数量(0)
数据更新时间:{{ journalArticles.updateTime }}
{{
item.title }}
{{ item.translation_title }}
- DOI:
{{ item.doi }} - 发表时间:
{{ item.publish_year }} - 期刊:
- 影响因子:{{ item.factor }}
- 作者:
{{ item.authors }} - 通讯作者:
{{ item.author }}
数据更新时间:{{ journalArticles.updateTime }}
{{ item.title }}
- 作者:
{{ item.author }}
数据更新时间:{{ monograph.updateTime }}
{{ item.title }}
- 作者:
{{ item.author }}
数据更新时间:{{ sciAawards.updateTime }}
{{ item.title }}
- 作者:
{{ item.author }}
数据更新时间:{{ conferencePapers.updateTime }}
{{ item.title }}
- 作者:
{{ item.author }}
数据更新时间:{{ patent.updateTime }}
Frank Tip其他文献
LLMorpheus: Mutation Testing using Large Language Models
LLMorpheus:使用大型语言模型进行突变测试
- DOI:
10.48550/arxiv.2404.09952 - 发表时间:
2024 - 期刊:
- 影响因子:0
- 作者:
Frank Tip;Jonathan Bell;Max Schäfer - 通讯作者:
Max Schäfer
Frank Tip的其他文献
{{
item.title }}
{{ item.translation_title }}
- DOI:
{{ item.doi }} - 发表时间:
{{ item.publish_year }} - 期刊:
- 影响因子:{{ item.factor }}
- 作者:
{{ item.authors }} - 通讯作者:
{{ item.author }}
{{ truncateString('Frank Tip', 18)}}的其他基金
SHF: Small: Automated Unit Test Generation using Large Language Models
SHF:小型:使用大型语言模型自动生成单元测试
- 批准号:
2307742 - 财政年份:2023
- 资助金额:
$ 120万 - 项目类别:
Standard Grant
SHF: Small: Testing and Profiling Asynchronous Software
SHF:小型:测试和分析异步软件
- 批准号:
1907727 - 财政年份:2019
- 资助金额:
$ 120万 - 项目类别:
Standard Grant
NSF Student Travel Grant for 2018 European Conference on Object-Oriented Programming/International Symposium on Software Testing and Analysis (ECOOP/ISSTA 2018)
NSF 学生旅费资助 2018 年欧洲面向对象编程会议/软件测试与分析国际研讨会 (ECOOP/ISSTA 2018)
- 批准号:
1745926 - 财政年份:2017
- 资助金额:
$ 120万 - 项目类别:
Standard Grant
SHF: Small: Automated Detection and Repair of Errors in Event-Driven Applications
SHF:小型:自动检测和修复事件驱动应用程序中的错误
- 批准号:
1715153 - 财政年份:2017
- 资助金额:
$ 120万 - 项目类别:
Standard Grant
相似国自然基金
胆固醇羟化酶CH25H非酶活依赖性促进乙型肝炎病毒蛋白Core及Pre-core降解的分子机制研究
- 批准号:82371765
- 批准年份:2023
- 资助金额:50 万元
- 项目类别:面上项目
锕系元素5f-in-core的GTH赝势和基组的开发
- 批准号:22303037
- 批准年份:2023
- 资助金额:30 万元
- 项目类别:青年科学基金项目
基于合成致死策略搭建Core-matched前药共组装体克服肿瘤耐药的机制研究
- 批准号:
- 批准年份:2022
- 资助金额:52 万元
- 项目类别:
鼠伤寒沙门氏菌LPS core经由CD209/SphK1促进树突状细胞迁移加重炎症性肠病的机制研究
- 批准号:
- 批准年份:2022
- 资助金额:30 万元
- 项目类别:青年科学基金项目
基于外泌体精准调控的“核-壳”(core-shell)同步血管化骨组织工程策略的应用与机制探讨
- 批准号:
- 批准年份:2020
- 资助金额:55 万元
- 项目类别:
肌营养不良蛋白聚糖Core M3型甘露糖肽的精确制备及功能探索
- 批准号:92053110
- 批准年份:2020
- 资助金额:70.0 万元
- 项目类别:重大研究计划
Core-1-O型聚糖黏蛋白缺陷诱导胃炎发生并介导慢性胃炎向胃癌转化的分子机制研究
- 批准号:81902805
- 批准年份:2019
- 资助金额:20.5 万元
- 项目类别:青年科学基金项目
原始地球增生晚期的Core-merging大碰撞事件:地核增生、核幔平衡与核幔边界结构的新认识
- 批准号:41973063
- 批准年份:2019
- 资助金额:65.0 万元
- 项目类别:面上项目
CORDEX-CORE区域气候模拟与预估研讨会
- 批准号:41981240365
- 批准年份:2019
- 资助金额:1.5 万元
- 项目类别:国际(地区)合作与交流项目
RBM38通过协助Pol-ε结合、招募core调控HBV复制
- 批准号:31900138
- 批准年份:2019
- 资助金额:24.0 万元
- 项目类别:青年科学基金项目
相似海外基金
Collaborative Research: SaTC: CORE: Medium: Differentially Private SQL with flexible privacy modeling, machine-checked system design, and accuracy optimization
协作研究:SaTC:核心:中:具有灵活隐私建模、机器检查系统设计和准确性优化的差异化私有 SQL
- 批准号:
2317232 - 财政年份:2024
- 资助金额:
$ 120万 - 项目类别:
Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Using Intelligent Conversational Agents to Empower Adolescents to be Resilient Against Cybergrooming
合作研究:SaTC:核心:中:使用智能会话代理使青少年能够抵御网络诱骗
- 批准号:
2330940 - 财政年份:2024
- 资助金额:
$ 120万 - 项目类别:
Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Differentially Private SQL with flexible privacy modeling, machine-checked system design, and accuracy optimization
协作研究:SaTC:核心:中:具有灵活隐私建模、机器检查系统设计和准确性优化的差异化私有 SQL
- 批准号:
2317233 - 财政年份:2024
- 资助金额:
$ 120万 - 项目类别:
Continuing Grant
SaTC: CORE: Medium: Testing the causal influence of social media on well-being and animosity
SaTC:核心:中:测试社交媒体对幸福感和敌意的因果影响
- 批准号:
2334148 - 财政年份:2024
- 资助金额:
$ 120万 - 项目类别:
Standard Grant
Collaborative Research: SaTC: CORE: Medium: Using Intelligent Conversational Agents to Empower Adolescents to be Resilient Against Cybergrooming
合作研究:SaTC:核心:中:使用智能会话代理使青少年能够抵御网络诱骗
- 批准号:
2330941 - 财政年份:2024
- 资助金额:
$ 120万 - 项目类别:
Continuing Grant
SaTC: CORE: Medium: Increasing user autonomy and advertiser and platform responsibility in online advertising
SaTC:核心:中:增加在线广告中的用户自主权以及广告商和平台责任
- 批准号:
2318290 - 财政年份:2024
- 资助金额:
$ 120万 - 项目类别:
Continuing Grant
SaTC: CORE: Medium: Collaborative: Hardening Off-the-Shelf Software Against Side Channel Attacks
SaTC:核心:媒介:协作:强化现成软件以抵御侧通道攻击
- 批准号:
2425665 - 财政年份:2024
- 资助金额:
$ 120万 - 项目类别:
Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Understanding the Impact of Privacy Interventions on the Online Publishing Ecosystem
协作研究:SaTC:核心:媒介:了解隐私干预对在线出版生态系统的影响
- 批准号:
2237329 - 财政年份:2023
- 资助金额:
$ 120万 - 项目类别:
Standard Grant
Collaborative Research: SaTC: CORE: Medium: Securing Interactions between Driver and Vehicle Using Batteries
合作研究:SaTC:核心:中:使用电池确保驾驶员和车辆之间的交互安全
- 批准号:
2245224 - 财政年份:2023
- 资助金额:
$ 120万 - 项目类别:
Continuing Grant
Collaborative Research: SaTC: CORE: Medium: Understanding and Combatting Impersonation Attacks and Data Leakage in Online Advertising
协作研究:SaTC:核心:媒介:理解和打击在线广告中的冒充攻击和数据泄露
- 批准号:
2247516 - 财政年份:2023
- 资助金额:
$ 120万 - 项目类别:
Continuing Grant