TWC: Medium: Collaborative: Retrofitting Software for Defense-in-Depth

TWC：中：协作：改进纵深防御软件

• 批准号: 1408826
• 负责人: Gang Tan
• 金额: $ 30万
• 依托单位: Lehigh University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-09-01 至 2016-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1408826&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Retrofitting; Software

The computer security community has long advocated the concept of building multiple layers of defense to protect a system. Unfortunately, it has been difficult to realize this vision in the practice of software development, and software often ships with inadequate defenses, typically developed in an ad hoc fashion.Developers face a number of challenges when protecting a software system with multiple layers of defense. They lack holistic frameworks in which to express policies and mechanisms for different software layers, automated tools to add these defenses, and tools to prove that software enhanced with defenses has an advertised level of assurance.This project develops new techniques to retrofit software for defense in depth. It takes a comprehensive view of the problem, with an emphasis on automated, interactive tools that developers can use to identify site-level security goals, explore the design space of adding security mechanisms, and retrofit legacy code to enforce security policies in a manner that can be machine-verified for assurance. The project develops theory and tools for formal policy language design and validation, static and dynamic code analyses, interactive tools for developers to explore the design space of security, functionality and performance tradeoffs, and methods to formally verify the correctness of program transformations to introduce defenses such as authorization, attacker containment, and auditing mechanisms.The broader impact stems from the improved security of systems and the reduced cost of achieving better security, also education activities in the form of summer schools for graduate, undergraduate and high-school students. The tools developed will be released to the public domain, benefiting software developers in the field.

长期以来，计算机安全界一直主张建立多层防御以保护系统的概念。 不幸的是，很难在软件开发实践中意识到这一愿景，而软件通常会以不足的防御措施发货，通常以临时方式开发。开发人员在保护具有多层防御层的软件系统时面临许多挑战。他们缺乏向不同软件层表达策略和机制的整体框架，添加这些防御工具的自动化工具以及证明软件增强的工具具有广告的保证水平。该项目开发了对深度防御的改造软件的新技术。它可以全面了解该问题，重点是开发人员可以用来识别站点级安全目标的自动交互式工具，探索添加安全机制的设计空间以及改进旧版代码以以机器验证的方式执行安全策略以确保保证。该项目为形式的政策语言设计和验证开发理论和工具，进行静态和动态代码分析，开发人员的交互式工具，探索安全性，功能性和绩效折衷的设计空间，以及正式验证程序转换的正确性，以介绍授权，攻击者遏制和审核机制的改进的较高的安全性，使得越来越多的夏季安全性，以及改进的安全性。毕业生，本科和高中生的学校。开发的工具将发布给公共领域，使该领域的软件开发人员受益。