CAREER: Amplifying Developer-Written Tests for Code Injection Vulnerability Detection

职业：扩大开发人员编写的代码注入漏洞检测测试

• 批准号: 1844880
• 负责人: Jonathan Bell
• 金额: $ 50万
• 依托单位: George Mason University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-05-01 至 2020-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1844880&HistoricalAwards=false
• 关键词: CAREER; Amplifying; Developer; Written; Tests

Code injection vulnerabilities are a class of security vulnerabilities that have been exploited increasingly often, including in the high-profile 2017 Equifax breach as well as in many recent attacks on our country's election and financial systems. These vulnerabilities are very tricky to detect, and there are no existing automated techniques to protect critical software from being released with these dangerous flaws. This project is developing new and transformative approaches for detecting code injection vulnerabilities in complex, large-scale systems. The line between high-assurance and general-purpose software is increasingly blurred, as nowadays nearly any insecure software can have severe economic consequences. Hence, this project is developing, validating and disseminating better tools that any engineer can use to detect code injection vulnerabilities in their applications during testing (without requiring specialized security knowledge).To detect these vulnerabilities, this project harnesses the combined power of both human developers and automated dynamic program analysis, combining existing test suites with dynamic dataflow analysis. Given an existing (and perhaps low quality) developer-written test suite, this project simultaneously increases the depth of each test (adding new security-related checks to each test) and the breadth of each test (ensuring that the test suite thoroughly validates each security check). When one of these tests suggests that there might be a vulnerability, the tool will generate a proof-of-exploit test case that demonstrates the existence of the exploit and allows developers to understand and debug the issue, preventing it from escaping to the wild. The tools will be carefully designed to be adoptable by everyday software engineers without requiring specialized knowledge of program analysis, with easy integration with existing tooling and continuous integration infrastructure. This project involves undergraduate and graduate students in research. All software and curricula resulting from this project will be freely and publicly available; the resulting tools will be publicly disseminated and are expected to be useful for other testing and security researchers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

代码注射漏洞是一类安全漏洞，越来越多地被利用，包括在2017年备受瞩目的Equifax违规行为以及最近对我们国家选举和金融系统的许多攻击中。这些漏洞很难检测到，并且没有现有的自动化技术来保护关键软件免受这些危险缺陷的释放。该项目正在开发新的和变革性的方法，用于检测复杂的大规模系统中的代码注入漏洞。高保证和通用软件之间的界限越来越模糊，因为如今几乎所有不安全的软件都会带来严重的经济后果。因此，该项目正在开发，验证和传播更好的工具，任何工程师都可以在测试过程中使用这些工程来检测其应用中的代码注入漏洞（不需要专门的安全知识）。要检测这些漏洞，该项目可以利用人类开发人员和自动化的动态程序分析，现有的测试套件与动态数据流量分析相结合。鉴于现有的（也许是低质量）开发人员编写的测试套件，该项目同时增加了每个测试的深度（在每个测试中添加新的安全相关检查）和每个测试的广度（确保测试套件可彻底验证每个安全检查）。当其中一项测试表明可能存在脆弱性时，该工具将生成一个探索验证测试案例，该测试案例证明了利用的存在，并允许开发人员理解和调试问题，以防止其逃脱到野外。这些工具将经过精心设计，可被日常软件工程师采用，而无需对程序分析的专业知识，并容易与现有工具和持续集成基础架构进行集成。该项目涉及研究生和研究生研究。该项目产生的所有软件和课程都将自由公开可用；最终的工具将被公开传播，并有望对其他测试和安全研究人员有用。该奖项反映了NSF的法定任务，并被认为是值得通过基金会的知识分子优点和更广泛影响的评估标准通过评估来支持的。

项目成果

Revealing Injection Vulnerabilities by Leveraging Existing Tests

• DOI: 10.1145/3377811.3380326
• 发表时间: 2020-06
• 期刊: 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE)
• 作者: Katherine Hough;G. B. Welearegai;Christian Hammer;Jonathan Bell