CRII: SaTC: Towards Detecting and Mitigating Vulnerabilities

CRII：SaTC：致力于检测和缓解漏洞

• 批准号: 2153474
• 负责人: Zhen Huang
• 金额: $ 17.49万
• 依托单位: DePaul University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-07-01 至 2024-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2153474&HistoricalAwards=false
• 关键词: CRII; SaTC; Towards; Detecting; Mitigating

This award is funded in whole or in part under the American Rescue Plan Act of 2021 (Public Law 117-2).Numerous real-world attacks exploit software vulnerabilities to compromise computer systems such as servers, desktops, smart phones, and Internet of Things (IoT) devices. Recent studies show that it is challenging to detect vulnerabilities accurately and patch vulnerabilities rapidly. State-of-the-art techniques can mitigate unpatched vulnerabilities effectively, but they usually sacrifice the availability of systems. The goal of this project is to improve vulnerability detection and mitigation. The project’s novelties are two-fold. First, the project team is developing an approach to significantly increasing the accuracy of vulnerability detection. Second, the project team is developing an approach to substantially reducing the availability loss of vulnerability mitigation. The project's broader significance and importance are that 1) the approaches developed by the project can be used by other projects addressing vulnerabilities, 2) the outcome of the project can help the software industry in designing mechanisms to detect vulnerabilities and defend against vulnerability exploits; and 3) the project is tightly integrated with undergraduate-level and graduate-level curriculum development and student advising. A diverse group of undergraduate and graduate students are participating in the project and developing their interests and expertise in software security.The project aims to develop an accurate vulnerability-detection technique and an unobtrusive vulnerability-mitigation technique. To improve the accuracy, the vulnerability-detection technique uses vulnerability conditions, each of which captures the intrinsic characteristics of a type of vulnerabilities, to detect vulnerabilities. To reduce the availability loss, the vulnerability-mitigation technique uses basic blocks and program paths as the granularity of vulnerability mitigation. The project consists of three key tasks: 1) designing a scheme for encoding vulnerability conditions, 2) developing a technique based on fuzzing to detect vulnerabilities using vulnerability conditions, and 3) developing a technique based on code-disabling to mitigates vulnerabilities at the granularity of basic blocks and program paths. The major contributions of the project include the design of the techniques, prototype implementations of the techniques, and an evaluation of the implementations with real-world vulnerabilities.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该奖项的全部或部分资金来源于《2021 年美国救援计划法案》（公法 117-2）。现实世界中的许多攻击利用软件漏洞来危害服务器、台式机、智能手机和物联网等计算机系统最近的研究表明，准确检测漏洞并快速修补漏洞具有挑战性，最先进的技术可以有效地缓解未修补的漏洞，但它们通常会牺牲可用性。该项目的目标是改进漏洞检测和缓解。该项目的新颖性有两个方面：第一，项目团队正在开发一种显着提高漏洞检测准确性的方法。该项目更广泛的意义和重要性在于：1）该项目开发的方法可以被其他解决漏洞的项目使用，2）该项目的结果可以帮助软件行业进行设计。检测漏洞的机制和防御漏洞利用；3) 该项目与本科生和研究生课程开发以及学生咨询紧密结合，不同的本科生和研究生群体正在参与该项目并培养他们在软件安全方面的兴趣和专业知识。该项目旨在开发一种准确的漏洞检测技术和一种不显眼的漏洞缓解技术。为了提高准确性，漏洞检测技术使用漏洞条件来检测，每个漏洞条件都捕获一类漏洞的内在特征。为了减少可用性损失，漏洞缓解技术使用基本块和程序路径作为漏洞缓解的粒度，该项目包括三个关键任务：1）设计漏洞条件编码方案，2）开发基于漏洞的技术。模糊测试使用漏洞条件来检测漏洞，3）开发一种基于代码禁用的技术，以在基本块和程序路径的粒度上减轻漏洞。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Runtime Recovery for Integer Overflows

整数溢出的运行时恢复

• DOI: 10.1109/icsrs56243.2022.10067783
• 发表时间: 2022-11-23
• 期刊: 2022 6th International Conference on System Reliability and Safety (ICSRS)
• 作者: Zhen Huang

Multiclass Classification of Software Vulnerabilities with Deep Learning

利用深度学习对软件漏洞进行多类分类

• DOI: 10.1145/3587716.3587738
• 发表时间: 2023-02-17
• 期刊: Proceedings of the 2023 15th International Conference on Machine Learning and Computing
• 作者: Crystal Contreras;Hristina Dokic;Zhen Huang;Daniela Stan Raicu;Jacob D. Furst;Roselyne B. Tchoua
• 通讯作者: Roselyne B. Tchoua