Tools and trade-offs for security adaptation

安全适应的工具和权衡

• 批准号: RGPIN-2015-06048
• 负责人: Anderson, Jonathan
• 金额: $ 2.11万
• 依托单位: Memorial University of Newfoundland
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2018
• 资助国家: 加拿大
• 起止时间: 2018-01-01 至 2019-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=643934
• 关键词: Tools; trade; offs; security; adaptation

From Web browsers to industrial control systems, software is increasingly subject to attacks it was not designed to defend against. As the complexity of application requirements increases, developers incorporate modules with different provenance from their own code into hostile, Internet-connected environments, introducing new attack vectors into widely-deployed systems. For instance, the open-source FFmpeg project allows users to manipulate and convert various formats of audio/video content. Users have trusted FFmpeg on their own computers for years, but when integrated into the Chrome Web browser and exposed to arbitrary content on the Internet, over a thousand previously-undetected security vulnerabilities were brought to light. Industrial control systems (ICSs) incorporate third-party software to provide modern functionality such as Web interfaces, but this software can introduce security vulnerabilities such as Heartbleed.***The risks introduced by software composition cannot be simply eliminated by purging all untrustworthy code. First, much "risky" code - such as media codecs in Web browsers - provides essential functionality and cannot be expunged, so re-writing would be required (causing extreme duplication of effort). Second, re-writing software may itself introduce vulnerabilities: a performant codec requires low-level, inherently risky code, so a new version might simply introduce different vulnerabilities than the first. For this reason, the US Department of Homeland Security advises ICS vendors to employ third-party Web servers rather than write their own: the third parties are better at sanitizing network inputs.***Modern operating systems, programming languages and - increasingly - processors provide us with tools for securing software, but most existing software cannot benefit from them without substantial re-writing. Since we have determined that we cannot purge or re-write this software, we must instead adapt it. This research program will develop tools and technique for adapting existing software to use new security features. The goal is to turn current asymmetries on their heads: whereas today a minority of applications are protected, we will seek to enable the majority to use modern security features to protect users. This will give defenders, rather than attackers, the position of natural superiority and give users a chance at protecting their data well by default.**

从Web浏览器到工业控制系统，软件越来越多地受到它原本无法防御的攻击。随着应用程序需求的复杂性增加，开发人员将来自自己代码的不同来源的模块合并到恶意的互联网连接环境中，将新的攻击向量引入广泛部署的系统中。例如，开源的FFmpeg项目允许用户操作和转换各种格式的音频/视频内容。多年来，用户一直在自己的计算机上信任FFmpeg，但当集成到Chrome Web浏览器并暴露于互联网上的任意内容时，一千多个以前未被发现的安全漏洞被曝光。工业控制系统（ICS）采用第三方软件来提供现代功能，如Web界面，但该软件可能会引入Heartbleed等安全漏洞。软件组合引入的风险不能简单地通过清除所有不可信的代码来消除。首先，许多“危险”的代码--比如Web浏览器中的媒体编解码器--提供了基本的功能，并且不能被删除，因此需要重写（导致极度重复的工作）。其次，重写软件本身可能会引入漏洞：一个高性能的编解码器需要低级别的、固有风险的代码，因此新版本可能会引入与第一个版本不同的漏洞。出于这个原因，美国国土安全部建议ICS供应商使用第三方Web服务器，而不是自己编写：第三方更擅长清理网络输入。现代操作系统、编程语言和越来越多的处理器为我们提供了保护软件的工具，但大多数现有软件如果不进行大量重写，就无法从中受益。由于我们已经确定我们不能清除或重写这个软件，我们必须调整它。这个研究计划将开发工具和技术，以适应现有的软件使用新的安全功能。我们的目标是扭转目前的不对称：虽然今天只有少数应用程序受到保护，但我们将寻求使大多数应用程序能够使用现代安全功能来保护用户。这将使防御者而不是攻击者获得天然的优势地位，并使用户有机会在默认情况下很好地保护他们的数据。