Collaborative Research: SaTC: CORE: Medium: Audacity of Exploration: Toward Automated Discovery of Security Flaws in Networked Systems through Intelligent Documentation Analysis

协作研究：SaTC：核心：中：大胆探索：通过智能文档分析自动发现网络系统中的安全缺陷

• 批准号: 2409269
• 负责人: Feng Qian
• 金额: $ 30万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-10-01 至 2026-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2409269&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

Specifications, developer guides and other documentations of networked systems (e.g., Internet applications, carrier networks) describe how these systems are designed, used and operate. These documentations are important sources for understanding security weaknesses in these systems and have not been fully leveraged due to the difficulty in analyzing their imprecise, convoluted and ambiguous content. Project Audacity (AUtomated Documentation Analysis for seCurITY) aims at addressing the challenge for security weakness discovery and remedy. Its novelties are the development of innovative technologies to enable automated document analysis for security protection. The project’s broader significance and importance include transferring the technologies to industry, involving members from under-represented groups in the project and disseminating outcomes through K9-12 outreach and community services. The project focuses on mitigating security risks of both design flaws and implementation vulnerabilities in networked systems, through automatically recovering security-related information (e.g., models, security properties) and confusing descriptions (e.g., inconsistent statements) from documentations to evaluate their security implications (e.g., verification of system designs, validation of predicted weaknesses on system implementations). This purpose is served by novel techniques based upon machine learning and natural language processing for analyzing different types of documentations, such as those for payment, single-sign-on, and for the 3rd Generation Partnership Project or 3GPP. Examples of such techniques include sentiment analysis for finding the statements related to security requirements and a similarity and differential analysis that compares different statements about similar security-critical operations to capture inconsistency. Furthermore, the project studies emerging techniques such as service syndication through comparing the documentations of different services and the 3GPP ecosystem from analyzing its public text data for risk measurement, identification and mitigation. This work complements program analysis to help enhance the security quality of networked systems, contributing to a better procedure and ecosystem that make security-critical documentations more precise, more consistent and less error-prone.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络系统（例如互联网应用程序、运营商网络）的规范、开发人员指南和其他文档描述了这些系统的设计、使用和操作方式。这些文档是了解这些系统中的安全弱点的重要来源，但由于以下原因尚未得到充分利用。分析其不精确、复杂和模糊的内容的困难。 Audacity 项目（安全自动化文档分析）旨在解决安全漏洞发现和补救的挑战，其新颖之处在于开发创新技术来实现。该项目更广泛的意义和重要性包括将技术转移到行业，让代表性不足的群体的成员参与该项目，并通过 K9-12 外展和社区服务传播成果。通过自动从文档中恢复与安全相关的信息（例如模型、安全属性）和令人困惑的描述（例如不一致的陈述）来评估网络系统中的设计缺陷和实现漏洞，以评估其安全影响（例如，验证系统设计、验证系统实现的预测弱点）通过基于机器学习和自然语言处理的新技术来实现这一目的，用于分析不同类型的文档，例如支付、单点登录的文档。对于第三代合作伙伴项目或 3GPP，此类技术的示例包括用于查找与安全要求相关的语句的情绪分析以及比较有关类似安全关键操作的不同语句以捕获项目的不一致之处的相似性和差异分析。研究新兴技术，例如作为服务联合组织，通过比较不同服务和 3GPP 生态系统的文档，分析其公共文本数据来进行风险测量、识别和缓解。这项工作补充了程序分析，有助于提高网络系统的安全质量，为更好的程序和生态系统做出贡献。使安全关键文档更加精确、更加一致且不易出错。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查标准进行评估，被认为值得支持。