Tools and trade-offs for security adaptation

安全适应的工具和权衡

• 批准号: RGPIN-2015-06048
• 负责人: Anderson, Jonathan
• 金额: $ 2.11万
• 依托单位: Memorial University of Newfoundland
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2019
• 资助国家: 加拿大
• 起止时间: 2019-01-01 至 2020-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=683292
• 关键词: Tools; trade; offs; security; adaptation

From Web browsers to industrial control systems, software is increasingly subject to attacks it was not designed to defend against. As the complexity of application requirements increases, developers incorporate modules with different provenance from their own code into hostile, Internet-connected environments, introducing new attack vectors into widely-deployed systems. For instance, the open-source FFmpeg project allows users to manipulate and convert various formats of audio/video content. Users have trusted FFmpeg on their own computers for years, but when integrated into the Chrome Web browser and exposed to arbitrary content on the Internet, over a thousand previously-undetected security vulnerabilities were brought to light. Industrial control systems (ICSs) incorporate third-party software to provide modern functionality such as Web interfaces, but this software can introduce security vulnerabilities such as Heartbleed.***The risks introduced by software composition cannot be simply eliminated by purging all untrustworthy code. First, much "risky" code - such as media codecs in Web browsers - provides essential functionality and cannot be expunged, so re-writing would be required (causing extreme duplication of effort). Second, re-writing software may itself introduce vulnerabilities: a performant codec requires low-level, inherently risky code, so a new version might simply introduce different vulnerabilities than the first. For this reason, the US Department of Homeland Security advises ICS vendors to employ third-party Web servers rather than write their own: the third parties are better at sanitizing network inputs.***Modern operating systems, programming languages and - increasingly - processors provide us with tools for securing software, but most existing software cannot benefit from them without substantial re-writing. Since we have determined that we cannot purge or re-write this software, we must instead adapt it. This research program will develop tools and technique for adapting existing software to use new security features. The goal is to turn current asymmetries on their heads: whereas today a minority of applications are protected, we will seek to enable the majority to use modern security features to protect users. This will give defenders, rather than attackers, the position of natural superiority and give users a chance at protecting their data well by default.**

从网络浏览器到工业控制系统，软件越来越容易受到原本设计不能防御的攻击。随着应用程序要求的复杂性增加，开发人员将来自自己代码的不同来源的模块合并到恶意的互联网连接环境中，将新的攻击载体引入广泛部署的系统。例如，开源的FFmpeg项目允许用户操作和转换各种格式的音频/视频内容。多年来，用户一直在自己的电脑上信任FFmpeg，但当集成到Chrome Web浏览器并暴露于互联网上的任意内容时，1000多个以前未被检测到的安全漏洞被曝光。工业控制系统(ICSS)结合了第三方软件以提供Web界面等现代功能，但该软件可能会引入心脏出血等安全漏洞。*软件组合带来的风险不能通过清除所有不可信的代码来简单地消除。首先，许多“有风险的”代码--比如Web浏览器中的媒体编解码器--提供了基本的功能，并且无法删除，因此需要重新编写代码(导致工作极度重复)。其次，重写软件本身可能会带来漏洞：性能良好的编解码器需要低级别的固有风险代码，因此新版本可能只会引入与第一个版本不同的漏洞。出于这个原因，美国国土安全部建议ICS供应商使用第三方Web服务器，而不是自己编写：第三方更擅长清理网络输入。*现代操作系统、编程语言以及越来越多的处理器为我们提供了保护软件的工具，但如果不进行实质性的重写，大多数现有软件都无法从中受益。既然我们已经确定，我们不能完全清除或重写这个软件，我们就必须改编它。这项研究计划将开发工具和技术，使现有软件适应使用新的安全功能。我们的目标是扭转当前的不对称性：尽管目前有少数应用程序受到保护，但我们将寻求使大多数应用程序能够使用现代安全功能来保护用户。这将使防御者而不是攻击者处于天然的优势地位，并让用户有机会在默认情况下很好地保护自己的数据。**