SaTC: EDU: Curricula and CTF Exercises for Teaching Smart Fuzzing and Symbolic Execution

SaTC：EDU：用于教授智能模糊测试和符号执行的课程和 CTF 练习

基本信息

批准号：
1821841
负责人：
Wu-chang Feng
金额：
$ 27.94万
依托单位：
Portland State University
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2018
资助国家：
美国
起止时间：
2018-09-15 至 2021-08-31
项目状态：
已结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=1821841&HistoricalAwards=false
关键词：
SaTC EDU Curricula CTF Exercises

项目摘要

It is estimated that a security flaw occurs in in every 100 lines of code written, which makes it difficult to develop secure, and trustworthy software. Given the lack of a sufficient number of developers, the computing industry is turning to smart fuzzing and symbolic execution tools that automatically discover and patch vulnerabilities in computing systems. While these techniques are becoming widely used in industry, few academic programs include these concepts in their educational programs. The project will develop curricular materials that will teach students these emerging techniques that are revolutionizing how software is being tested and validated. This project will develop open-source curricula, and hands-on, "capture-the-flag" (CTF) exercises that will enable Computer Science programs across the country to teach these techniques to students. In order to help develop abilities in fuzzing the project will develop a polymorphically generated web application that includes source code and several vulnerabilities. Students will use a fuzzer to identify, and fix the vulnerabilities. As a result students will develop the skills required to use fuzzers, and the ability to spot the errors and vulnerabilities in source-code that fuzzers reveal. By building and publishing these educational artifacts, this project will place these tools in the hands of as many students as possible so that industry can efficiently build and secure software. As a result, the next-generation of developers will understand the fundamental ideas behind automated vulnerability detection and correction, and develop the ability to leverage modern software testing tools.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

据估计，每 100 行代码中就会出现一个安全缺陷，这使得开发安全、值得信赖的软件变得困难。由于缺乏足够数量的开发人员，计算行业正在转向智能模糊测试和符号执行工具，这些工具可以自动发现和修补计算系统中的漏洞。虽然这些技术在工业中得到广泛应用，但很少有学术项目将这些概念纳入其教育项目中。该项目将开发课程材料，向学生传授这些新兴技术，这些技术正在彻底改变软件的测试和验证方式。该项目将开发开源课程和实践“夺旗”（CTF）练习，使全国各地的计算机科学项目能够向学生教授这些技术。为了帮助开发模糊测试能力，该项目将开发一个多态生成的 Web 应用程序，其中包括源代码和多个漏洞。学生将使用模糊器来识别并修复漏洞。因此，学生将培养使用模糊器所需的技能，以及发现模糊器揭示的源代码中的错误和漏洞的能力。通过构建和发布这些教育制品，该项目将把这些工具交给尽可能多的学生，以便业界能够有效地构建和保护软件。因此，下一代开发人员将了解自动化漏洞检测和纠正背后的基本思想，并培养利用现代软件测试工具的能力。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准。