Automatically Detecting and Surviving Exploitable Compiler Bugs

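Basic information

  • Grant number:
    EP/R011605/1
  • Principal investigator:
  • Amount:
    $856,400
  • Host institution:
  • Host institution country:
    United Kingdom
  • Project type:
    Research Grant
  • Fiscal year:
    2018
  • Funding country:
    United Kingdom
  • Start and end dates:
    2018 to no data
  • Project status:
    Completed

Project abstract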

The focus of this proposal is on the detection and survival of wrong-code compiler defects, which we argue present a cyber-security threat that has been largely ignored to date. First, incorrectly compiled code can introduce exploitable vulnerabilities that are not visible at the source code level, and thus cannot be detected by source-level static analysers. Second, incorrectly compiled code can undermine the reliability of the application, which can have dramatic repercussions in the context of safety-critical systems. Third, wrong-code compiler defects can also be the target of some of the most insidious security attacks. A crafty attacker posing as an open source developer can introduce a compiler-bug-based backdoor into a security-critical application by adding a patch that looks perfectly innocent but which, when compiled with a certain compiler, yields binary code that allows the attacker to compromise the software.

In this project, we aim to explore automated techniques that can detect and prevent such problems. In particular, we plan to investigate techniques for automatically finding compiler-induced vulnerabilities in real software, approaches for understanding the extent to which an attacker could maliciously modify an application to create a compiler-induced vulnerability, and methods for preventing such vulnerabilities at runtime.

Project outputs

Journal articles (10)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Fuzzing: Challenges and Reflections
  • DOI:
    10.1109/ms.2020.3016773
  • Publication date:
    2021-05-01
  • Journal:
  • Impact factor:
    3.3
  • Authors:
    Bohme, Marcel;Cadar, Cristian;Roychoudhury, Abhik
  • Corresponding author:
    Roychoudhury, Abhik
Fine-Grain Memory Object Representation in Symbolic Execution
  • DOI:
    10.1109/ase.2019.00089
  • Publication date:
    2019
  • Journal:
  • Impact factor:
    0
  • Authors:
    Nowack M
  • Corresponding author:
    Nowack M
Artifact of GrayC: Greybox Fuzzing of Compilers and Analysers for C
  • DOI:
    10.5281/zenodo.7948109
  • Publication date:
    2023
  • Journal:
  • Impact factor:
    0
  • Authors:
    Even-Mendoza K
  • Corresponding author:
    Even-Mendoza K
Closer to the edge
  • DOI:
    10.1145/3324884.3418933
  • Publication date:
    2020
  • Journal:
  • Impact factor:
    0
  • Authors:
    Even-Mendoza K
  • Corresponding author:
    Even-Mendoza K
Test-case reduction and deduplication almost for free with transformation-based compiler testing

Other publications by Cristian Cadar

Proceedings of the 39th International Conference on Software Engineering: New Ideas and Emerging Results Track
A Systematic Impact Study for Fuzzer-Found Compiler Bugs Michaël Marcozzi
  • DOI:
  • Publication date:
    2019
  • Journal:
  • Impact factor:
    0
  • Authors:
    M. Marcozzi;Qiyi Tang;Alastair F. Donaldson;Cristian Cadar
  • Corresponding author:
    Cristian Cadar
Shadow of a Doubt: Testing for Divergences between Software Versions
Closer to the Edge: Testing Compilers More Thoroughly by Being Less Conservative About Undefined Behaviour
Docovery: toward generic automatic document recovery

Other grants of Cristian Cadar

Automated Patch Impact Analysis (PATCH)
  • Grant number:
    EP/X040836/1
  • Fiscal year:
    2023
  • Funding amount:
    $856,400
  • Project type:
    Research Grant
Improving Symbolic Execution via Targeted Program Transformations
  • Grant number:
    EP/N007166/1
  • Fiscal year:
    2016
  • Funding amount:
    $856,400
  • Project type:
    Research Grant
Multi-version Execution Techniques for Increasing the Reliability and Security of Evolving Software
  • Grant number:
    EP/L002795/1
  • Fiscal year:
    2014
  • Funding amount:
    $856,400
  • Project type:
    Fellowship
Testing, Verifying, and Generating Software Patches Using Dynamic Symbolic Execution
  • Grant number:
    EP/J00636X/1
  • Fiscal year:
    2012
  • Funding amount:
    $856,400
  • Project type:
    Research Grant

Similar overseas grants

Statistical Foundations for Detecting Anomalous Structure in Stream Settings (DASS)
  • Grant number:
    EP/Z531327/1
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Research Grant
Collaborative Research: NSF-BSF: SaTC: CORE: Small: Detecting malware with machine learning models efficiently and reliably
  • Grant number:
    2338301
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Continuing Grant
CAREER: Detecting warming impacts on carbon accumulation across a climate transect of Michigan peatlands
  • Grant number:
    2338357
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Continuing Grant
In-situ Imaging and Detecting Electron Transfer for Single Site Reaction
  • Grant number:
    DE240100497
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Discovery Early Career Researcher Award
Development of Efficient Black Hole Spectroscopy and a Desktop Cluster for Detecting Compact Binary Mergers
  • Grant number:
    2412341
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Continuing Grant
Collaborative Research: NSF-BSF: SaTC: CORE: Small: Detecting malware with machine learning models efficiently and reliably
  • Grant number:
    2338302
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Continuing Grant
Detecting and deciphering extinction dynamics under environmental change
  • Grant number:
    DP240102019
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Discovery Projects
CAREER: Detecting Quantum Signatures in Nonadiabatic Molecular Dynamics
  • Grant number:
    2340180
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Continuing Grant
Open-world computer vision by detecting and tracking hierarchical objects
  • Grant number:
    DE240100967
  • Fiscal year:
    2024
  • Funding amount:
    $856,400
  • Project type:
    Discovery Early Career Researcher Award
Strategies for Detecting Fibrin Interference
  • Grant number:
    23K06851
  • Fiscal year:
    2023
  • Funding amount:
    $856,400
  • Project type:
    Grant-in-Aid for Scientific Research (C)