TWC: Medium: Toward Trustworthy Mutable Replay for Security Patches

TWC：中：实现安全补丁的可信赖可变重放

• 批准号: 1563555
• 负责人: Gail Kaiser
• 金额: $ 120万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1563555&HistoricalAwards=false
• 关键词: TWC; Medium; Toward; Trustworthy; Mutable

Society is increasingly reliant on software, but deployed software contains security vulnerabilities and other bugs that can threaten privacy, property and even human lives. When a security vulnerability or critical error is discovered, a software patch is issued to attempt to fix the problem, but patches themselves can be incorrect, inadequate, and break necessarily functionality. This project investigates the full workflow for the developer to rapidly diagnose the root cause of the vulnerability or error, for the developer to test that a prospective patch indeed completely removes the defect, and for users to check the issued patch on their own configurations and workloads before adopting the patch. This project explores the use of mutable replay to help reproduce, diagnose, and fix software bugs. A low-overhead recorder records the execution of software in case a failure or exploit occurs, allowing the developer to replay the recorded log to reproduce the problem. Mutable replay allows logs recorded with the buggy version to be replayed after the modest code changes typical of critical patches to show that patches work correctly to resolve detected problems. This project leverages semantic information readily available to the developer to conduct well-understood static and dynamic analyses to correctly transform the recorded log to enable mutable replay. The results of this research will benefit society and individuals by simplifying and hastening both generation and validation of patches, ultimately making software more reliable and secure.

社会越来越依赖软件，但是部署的软件包含安全漏洞和其他可能威胁隐私，财产甚至人类生命的错误。 当发现安全漏洞或关键错误时，会发出软件补丁以试图解决该问题，但是补丁本身可能是不正确的，不足的，并且不一定是功能。 该项目调查了开发人员的完整工作流程，以迅速诊断漏洞或错误的根本原因，以使开发人员测试预期的补丁确实完全消除了缺陷，并且用户可以通过自己的配置和工作负载检查发行的补丁程序在采用补丁之前。 该项目探讨了使用可变重放的使用来帮助复制，诊断和修复软件错误。 低空录音机记录了软件的执行，以防发生故障或利用，从而使开发人员可以重播记录的日志以重现问题。 Mutable Replay允许在关键补丁的典型代码更改后，将记录使用的日志记录，以证明修补程序正常工作以解决检测到的问题。 该项目利用语义信息很容易向开发人员使用，以进行充分理解的静态和动态分析，以正确地转换记录的日志以实现可变的重播。 这项研究的结果将通过简化和加速贴片的发电和验证来使社会和个人受益，最终使软件更加可靠和安全。

项目成果

DIRECT : A Transformer-based Model for Decompiled Identifier Renaming

DIRECT：基于 Transformer 的反编译标识符重命名模型

• 发表时间: 2021
• 期刊: 1st Workshop on Natural Language Processing for Programming (NLP4Prog
• 作者: Nitin, Vikram;Saieva, Anthony;Ray, Baishakhi;Kaiser, Gail
• 通讯作者: Kaiser, Gail

Testing DNN Image Classifier for Confusion & Bias Errors

测试 DNN 图像分类器的混淆情况

• 发表时间: 2020
• 期刊: 42nd International Conference on Software Engineering
• 作者: Tian, Yuchi;Zhong, Ziyuan;Ordonez, Vicente;Kaiser, Gail;Ray, Baishakhi
• 通讯作者: Ray, Baishakhi

Obfuscation resilient search through executable classification

通过可执行分类进行混淆弹性搜索

• DOI: 10.1145/3211346.3211352
• 发表时间: 2018
• 期刊: Proceedings of the 2nd ACM SIGPLAN International Workshop on Machine Learning and Programming Languages
• 作者: Su, Fang-Hsiang;Bell, Jonathan;Kaiser, Gail;Ray, Baishakhi
• 通讯作者: Ray, Baishakhi

Side Channel Attack on Smartphone Sensors to Infer Gender of the User

对智能手机传感器进行侧信道攻击以推断用户性别

• 发表时间: 2019
• 期刊: 17th ACM Conference on Embedded Networked Sensor Systems (SenSys
• 作者: Singh, Shirish;Shila, Devu Manikantan;Kaiser, Gail
• 通讯作者: Kaiser, Gail

Detecting Sensor-Based Repackaged Malware

检测基于传感器的重新打包的恶意软件

• DOI: 10.1109/bigdata50022.2020.9378145
• 发表时间: 2020
• 期刊: IEEE International Conference on Big Data (Big Data
• 作者: Liu, Boyu;Yun, Duanyue;Guo, Xin;Ji, Xiao;Song, Huiyu;Singh, Shirish;Kaiser, Gail
• 通讯作者: Kaiser, Gail