Collaborative Reseach: Type Qualifiers for Software Security

协作研究：软件安全的类型限定符

• 批准号: 0430378
• 负责人: Alexander Aiken
• 金额: --
• 依托单位: Stanford University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2004
• 资助国家: 美国
• 起止时间: 2004-09-15 至 2010-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0430378&HistoricalAwards=false
• 关键词: Collaborative; Reseach; Type; Qualifiers; Software

0430378PI Alex AikenCollaborative Research: Type Qualifiers for Software Security0430118 Foster, Jeffrey 0430585 Wagner, DavidThis research aims to develop tools and techniques to find and eliminate security vulnerabilities in software. The approach is based on static analysis, which by analyzing source code can model all possible executions of a program. The distinguishing feature of the project is to show that very large applications are free from classes of security vulnerabilities. Thus, the focus is not just in finding security holes in software, but in verifying their absence. Previous experience has shown that simple, approximate tools do not find all oreven nearly all security vulnerabilities; the higher assurance given by verification is needed. The experimental goal is to apply these techniques to the Linux kernel, a security-critical application withmillions of lines of code.The main technical approach being investigated is based on user-defined type qualifiers that refine the standard types of the programming language. Previous work has shown that type qualifiers are a natural and useful way to explicitly specify desired security properties that are normally only implicit in a program. In much the same way that a correctly typed program cannot have run-time type errors, having consistent type qualifiers throughout a program implies that the property expressed by those qualifiers must hold in everyexecution. The significance of this work is that, if successful, it will improve the understanding of how to perform sophisticated static analysis of very large programs. The broader impact will be in discovering andrepairing new security vulnerabilities in widely-used software infrastructure and in verifying that some of that infrastructure is free from at least some security flaws.

0430378PI ALEX AIKENCOLLABORAVITAL研究：软件安全性的键入预选赛0430118 Foster，Jeffrey 0430585 Wagner，Davidthis Research旨在开发工具和技术以查找和消除软件中的安全性漏洞。 该方法基于静态分析，通过分析源代码可以建模程序的所有可能执行。 该项目的显着特征是表明，很大的应用程序没有安全漏洞类别。 因此，重点不仅在于在软件中找到安全孔，还在于验证其缺席。 以前的经验表明，简单的，近似工具几乎没有发现几乎所有安全漏洞。需要通过验证给出的更高的保证。 实验目标是将这些技术应用于Linux内核，这是一项具有数百万个代码行的关键安全应用程序。研究的主要技术方法基于使用用户定义的类型预选赛，可完善编程语言的标准类型。 先前的工作表明，类型的预选赛是一种自然而有用的方法，可以显式指定通常仅在程序中隐含的所需的安全属性。 与正确键入的程序不能具有运行时类型错误的方式，在整个程序中具有一致的类型预选赛，这意味着这些资格表达的属性必须在EverySexuction中保留。 这项工作的重要性是，如果成功，它将提高人们对如何对非常大的程序进行复杂的静态分析的理解。 在广泛使用的软件基础架构中发现安装新的安全漏洞，并验证某些基础架构是否至少没有某些安全缺陷，这将是更广泛的影响。