TWC: Small: Collaborative: EVADE: Evidence-Assisted Detection and Elimination of Security Vulnerabilities

TWC：小型：协作：EVADE：证据辅助检测和消除安全漏洞

• 批准号: 1525888
• 负责人: Emery Berger
• 金额: $ 25万
• 依托单位: University of Massachusetts Amherst
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-09-01 至 2018-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1525888&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; EVADE; Evidence

Today's software remains vulnerable to attack. Despite decades of advances in areas ranging from testing to static analysis and verification, all large real-world software is deployed with errors. Because this software is either written in or underpinned by unsafe languages, errors often translate to security vulnerabilities. Although techniques exist that could prevent or limit the risk of exploits, high performance overhead blocks their adoption, leaving today's systems open to attack. To address these problems, we propose a new approach: evidence-assisted detection and elimination of security vulnerabilities (EVADE). EVADE will prevent security vulnerabilities from compromising a system . The challenge, and the goal, is to make it efficient in time and space, and to make it practical for deployment. EVADE will produce detailed reports for developers to reduce the time and effort required to fix their applications. By blocking a wide range of attacks and automatically pinpointing vulnerabilities, EVADE will dramatically increase the security of application software running on servers and desktop platforms, and it will enable a new class of post-attack security analyses.The technical approach is a novel one that spans the traditional research boundaries of runtime systems, operating systems, and virtual machines. EVADE will run unmodified applications in a coordinated framework that will perform selective forensic analysis before any output is committed, blocking exploits from compromising their host and making it possible to pinpoint errors with low overhead. The EVADE runtime system will place lightweight tripwires at random locations in memory that can be quickly validated to detect malicious behavior. Within an application, these take the form of signatures placed on the stack and in the heap, while at the hypervisor-level EVADE they may protect the system call table or other crucial data structures. The EVADE VM will divide execution into incrementally-checkpointed epochs. At each epoch boundary, before any system state is committed, the EVADE virtual machine will indicate to the EVADE runtime system which pages have been modified, letting it perform checks to identify vulnerabilities. EVADE will thus dramatically increase the security of vulnerable applications with extremely low runtime overhead, and will assist developers in locating vulnerabilities when an exploit does occur.

当今的软件仍然容易受到攻击。尽管从测试到静态分析和验证的领域数十年的进步，但所有大型现实世界软件都被错误地部署。由于该软件是用不安全语言编写的或支撑的，因此错误通常转化为安全漏洞。尽管存在可以防止或限制漏洞风险的技术，但高性能的间接费用阻止了他们的采用，使当今的系统开放了攻击。为了解决这些问题，我们提出了一种新方法：证据辅助检测和消除安全漏洞（Evade）。逃避将防止安全漏洞损害系统。挑战和目标是使其在时间和空间上有效，并使其在部署中实用。 Evade将为开发人员提供详细的报告，以减少修复其应用所需的时间和精力。通过阻止广泛的攻击并自动确定漏洞，Evade将大大提高在服务器和台式平台上运行的应用程序软件的安全性，并且它将启用一类新的攻击后安全分析。技术方法是一种新颖的方法，它跨越了一种新颖的方法，它跨越了运行时系统，操作系统和虚拟机的传统研究边界。 Evade将在协调的框架中运行未修改的应用程序，该应用程序将在进行任何输出之前执行选择性法医分析，从而阻止利用损害其主机，并可以通过低开销来确定错误。逃避运行时系统将在记忆中随机位置放置轻型TripWires，可以快速验证以检测恶意行为。在应用程序中，这些以签名的形式放在堆栈和堆上，而在管理程序级别的逃亡中，它们可以保护系统呼叫表或其他关键数据结构。 EVADE VM将执行将执行分为增量检查的时期。在每个系统状态下，在遵守任何系统状态之前，逃避虚拟机将向逃避运行时系统表示已修改的页面，让其执行检查以识别漏洞。因此，Evade将大大提高运行时开销极低的弱势应用程序的安全性，并将协助开发人员在发生利用时找到漏洞。