CICI:SIVD:Context-Aware Vulnerability Detection in Configurable Scientific Computing Environments

CICI：SIVD：可配置科学计算环境中的上下文感知漏洞检测

• 批准号: 2115167
• 负责人: Mu Zhang
• 金额: $ 49.98万
• 依托单位: University of Utah
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-07-01 至 2025-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2115167&HistoricalAwards=false
• 关键词: CICI; SIVD; Context; Aware; Vulnerability; CICI; SIVD; Context; Aware; Vulnerability

Computational infrastructures have increasingly become the enabling factor for scientific discovery, in critical application domains including seismic imaging, air quality monitoring, epidemiology, drug discovery and nuclear engineering. The security of these infrastructures is thus of crucial importance, as the vulnerabilities in their unique software stacks can cause significant damage to economy, environment, public health, and national security. This project aims to safeguard scientific computing infrastructures via automatically identifying hidden software vulnerabilities in a timely manner. Particularly, the goal of this project is to address the challenging problem of configuration-related security bugs in highly customizable high-performance computing environments. Detecting such vulnerabilities is a hard problem. The stateof- the-art general vulnerability analyzers are unable to capture the specific runtime contexts of multiple interdependent software elements in specialized scientific computing environments. To bridge this gap, this project connects advanced bug-finding techniques to dedicated high-performance computing settings. In addition, it also seeks to leverage the unique characteristics of scientific computing environments to facilitate vulnerability discovery. Hence, this research provides a comprehensive understanding of the software security problems in real-world scientific computing systems, and builds robust solutions to secure these systems.Specifically, this project develops novel deployment-specific vulnerability detection techniques, that can (a) discover seemingly well-formed, yet inconsistent configuration values within scientific computing contexts, (b) detect cross-component vulnerabilities caused by the settings of interconnected computing software, and (c) take full advantage of the de facto workflow of high-performance computing systems to reduce the complexity of finding bugs. This research consists of three tasks: (1) it investigates the deployment contexts in real-world high-performance computing systems and develops both offline and online tools to automatically collect contextual information; (2) it applies extracted contexts to detecting misconfiguration and configuration-triggered code vulnerabilities at both deployment time and incrementally at runtime; (3) it tests the novel technique in real-world testbeds and scientific computing environments to evaluate its accuracy, efficiency and effectiveness.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在关键的应用领域，包括地震成像，空气质量监测，流行病学，药物发现和核工程在内的关键应用领域中，计算基础设施越来越成为科学发现的推动因素。因此，这些基础设施的安全至关重要，因为其独特的软件堆栈中的脆弱性会对经济，环境，公共卫生和国家安全造成重大损害。该项目旨在通过及时识别隐藏的软件漏洞来保护科学计算基础架构。特别是，该项目的目的是解决高度可自定义的高性能计算环境中与配置相关的安全错误的挑战性问题。检测这种漏洞是一个棘手的问题。在专用科学计算环境中，总体脆弱性分析仪无法捕获多个相互依存的软件元素的特定运行时环境。为了弥合此差距，该项目将高级错误调查技术连接到专用的高性能计算设置。此外，它还试图利用科学计算环境的独特特征来促进脆弱性发现。因此，这项研究提供了对现实世界科学计算系统中软件安全问题的全面理解，并构建了可靠的解决方案以保护这些系统。特别是，该项目开发了新颖的特定部署特定脆弱性检测技术，可以（a）（a）发现既构成良好又构成了不一致的计算范围的计算上下文（B）（B）在（b）中造成的不一致的配置值（B）（B）（b）b）软件和（c）充分利用了高性能计算系统的事实上的工作流程，以减少查找错误的复杂性。这项研究包括三个任务：（1）它研究了现实世界中高性能计算系统中的部署环境，并开发了离线和在线工具，以自动收集上下文信息； （2）它应用了提取的上下文来检测部署时间和在运行时逐步增长的配置和配置触发的代码漏洞； （3）它在现实世界测试台和科学计算环境中测试了新技术，以评估其准确性，效率和有效性。该奖项反映了NSF的法定任务，并被认为是值得通过基金会的智力优点评估来支持的，并具有更广泛的影响。