Collaborative Research: SaTC: CORE: Medium: Rethinking Fuzzing for Security

协作研究：SaTC：核心：中：重新思考安全性模糊测试

• 批准号: 2031377
• 负责人: Jun Xu
• 金额: $ 59.6万
• 依托单位: Stevens Institute of Technology
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2022-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2031377&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium; Collaborative; Research; SaTC; CORE; Medium

In software, a vulnerability is a flaw in the code that can be exploited by a malicious actor to perform unauthorized activities or change the behavior of the software. Although a topic heavily studied by security researchers, finding software vulnerabilities is becoming increasingly challenging because the software widely used in day-to-day life is growing larger and more complicated. This project addresses this challenge by rethinking a classic technique called fuzzing for finding vulnerabilities from large software. The high-level idea of fuzzing is to create a large number of random inputs to run software and in turn trigger vulnerabilities. The novelties of this project are the new approaches, techniques, and tools that revolutionize fuzzing and make the nearly random testing process more intelligent and targeted. This way, this project will enhance security of various types of widely used software, ranging from web browsers to server-side programs.To that end, this project is investigating vulnerability-coverage-driven fuzzing. Existing fuzzing techniques primarily followed an approach called code-coverage-driven fuzzing, motivated by the belief that code coverage and vulnerability finding are strongly correlated. Challenging this widely held belief, this project shows that code coverage has weaker-than-expected ties with vulnerabilities and code-coverage-driven fuzzing is not well suited for vulnerability finding. Pioneering vulnerability-coverage-driven fuzzing, this project invents a series of novel techniques to (1) obtain feedback on vulnerability coverage (2) prioritize test inputs that can reach more vulnerabilities and (3) maximize the chance to trigger vulnerabilities reached by the test inputs. This project also produces new metrics, new benchmarks, and new frameworks for comprehensively evaluating the use of fuzzing for vulnerability finding. With the investigators' experience in research of software security and system security, this project provides a group of education, training, and research opportunities for both undergraduate and graduate students. Through industry outreach, the investigators pursue technology transfers and raise the awareness of software security.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在软件中，漏洞是代码中的一个缺陷，恶意演员可以利用该漏洞来执行未经授权的活动或更改软件的行为。尽管安全研究人员大量研究的主题，但发现软件漏洞的越来越具有挑战性，因为在日常生活中广泛使用的软件越来越大，并且越来越复杂。该项目通过重新思考一种称为模糊的经典技术来解决这一挑战，以从大型软件中找到漏洞。模糊的高级想法是创建大量的随机输入来运行软件并触发漏洞。该项目的新颖性是彻底改变模糊并使几乎随机的测试过程更加聪明和有针对性的新方法，技术和工具。这样，该项目将增强各种广泛使用的软件的安全性，从Web浏览器到服务器端程序。现有的模糊技术主要遵循一种称为代码覆盖驱动的模糊的方法，其动机是因为人们认为代码覆盖率和脆弱性发现密切相关。该项目挑战了这种普遍认为的信念，表明代码覆盖范围与脆弱性和代码覆盖驱动的模糊相比较弱，不太适合发现脆弱性发现。该项目开创了以漏洞覆盖的驱动的损害，该项目发明了一系列新型技术，以（1）获得有关漏洞覆盖率的反馈（2）优先级测试输入，这些输入可以达到更多漏洞，并且（3）最大限度地触发了通过测试输入触发漏洞的机会。该项目还生产了新的指标，新的基准和新框架，以全面评估模糊的脆弱性发现。凭借研究人员在软件安全和系统安全研究方面的经验，该项目为本科生和研究生提供了一系列教育，培训和研究机会。通过行业宣传，调查人员进行技术转移并提高了软件安全的认识。该奖项反映了NSF的法定任务，并使用基金会的知识分子优点和更广泛的影响审查标准，被认为值得通过评估来获得支持。