CRII: SaTC: Towards Detecting and Mitigating Vulnerabilities

CRII：SaTC：致力于检测和缓解漏洞

• 批准号: 2153474
• 负责人: Zhen Huang
• 金额: $ 17.49万
• 依托单位: DePaul University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-07-01 至 2024-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2153474&HistoricalAwards=false
• 关键词: CRII; SaTC; Towards; Detecting; Mitigating

This award is funded in whole or in part under the American Rescue Plan Act of 2021 (Public Law 117-2).Numerous real-world attacks exploit software vulnerabilities to compromise computer systems such as servers, desktops, smart phones, and Internet of Things (IoT) devices. Recent studies show that it is challenging to detect vulnerabilities accurately and patch vulnerabilities rapidly. State-of-the-art techniques can mitigate unpatched vulnerabilities effectively, but they usually sacrifice the availability of systems. The goal of this project is to improve vulnerability detection and mitigation. The project’s novelties are two-fold. First, the project team is developing an approach to significantly increasing the accuracy of vulnerability detection. Second, the project team is developing an approach to substantially reducing the availability loss of vulnerability mitigation. The project's broader significance and importance are that 1) the approaches developed by the project can be used by other projects addressing vulnerabilities, 2) the outcome of the project can help the software industry in designing mechanisms to detect vulnerabilities and defend against vulnerability exploits; and 3) the project is tightly integrated with undergraduate-level and graduate-level curriculum development and student advising. A diverse group of undergraduate and graduate students are participating in the project and developing their interests and expertise in software security.The project aims to develop an accurate vulnerability-detection technique and an unobtrusive vulnerability-mitigation technique. To improve the accuracy, the vulnerability-detection technique uses vulnerability conditions, each of which captures the intrinsic characteristics of a type of vulnerabilities, to detect vulnerabilities. To reduce the availability loss, the vulnerability-mitigation technique uses basic blocks and program paths as the granularity of vulnerability mitigation. The project consists of three key tasks: 1) designing a scheme for encoding vulnerability conditions, 2) developing a technique based on fuzzing to detect vulnerabilities using vulnerability conditions, and 3) developing a technique based on code-disabling to mitigates vulnerabilities at the granularity of basic blocks and program paths. The major contributions of the project include the design of the techniques, prototype implementations of the techniques, and an evaluation of the implementations with real-world vulnerabilities.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该奖项是根据2021年《美国救援计划法》的全部或部分资助的表明挑战是稳定地检测脆弱性，而RT技术可以降低漏洞的漏洞，但通常会牺牲系统的可用性。项目团队开发了一种大大减少脆弱性的方法。 3）该项目与本科生的水平和研究生水平的咨询发展。漏洞降低技术。一种基于使用脆弱性条件的基于引诱劳动力IE的技术，3）基于Basicks颗粒状的脆弱性，开发一种基于代码范围的技术，以及具有real bilneribalsions realiss awarsions.this reald awarsion.this this this this this this this this this this this this this this this this this this this this this this this this reald awars的脆弱性repletts nsf'sf'Stututory Mission，并使用基金会的知识分子优点和更广泛的影响审查标准，通过出现了值得一提的。

项目成果

Multiclass Classification of Software Vulnerabilities with Deep Learning

• DOI: 10.1145/3587716.3587738
• 发表时间: 2023-02
• 期刊: Proceedings of the 2023 15th International Conference on Machine Learning and Computing
• 作者: Crystal Contreras;Hristina Dokic;Zhen Huang;Daniela Stan Raicu;Jacob D. Furst;Roselyne B. Tchoua

Runtime Recovery for Integer Overflows

• DOI: 10.1109/icsrs56243.2022.10067783
• 发表时间: 2022-11
• 期刊: 2022 6th International Conference on System Reliability and Safety (ICSRS)
• 作者: Zhen Huang