
NSF Org: | CNS Division Of Computer and Network Systems |
Recipient: | |
Initial Amendment Date: | August 13, 2012 |
Latest Amendment Date: | August 13, 2012 |
Award Number: | 1223828 |
Award Instrument: | Standard Grant |
Program Manager: | Sol Greenspan, sgreensp@nsf.gov, (703) 292-7841, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | September 1, 2012 |
End Date: | January 31, 2017 (Estimated) |
Total Intended Award Amount: | $479,446.00 |
Total Awarded Amount to Date: | $479,446.00 |
Funds Obligated to Date: | |
History of Investigator: | |
Recipient Sponsored Research Office: | 1350 BEARDSHEAR HALL, AMES, IA, US 50011-2103, (515) 294-5225 |
Sponsor Congressional District: | |
Primary Place of Performance: | Coover Hall, Ames, IA, US 50011-2207 |
Primary Place of Performance Congressional District: | |
Unique Entity Identifier (UEI): | |
Parent UEI: | |
NSF Program(s): | Secure & Trustworthy Cyberspace |
Primary Program Source: | |
Program Reference Code(s): | |
Program Element Code(s): | |
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Software is a critical element in a wide range of real-world applications, and attacks against it can cause substantial damage to the cyber-infrastructure of modern society and the economy. New software security vulnerabilities are discovered daily, so it is vital to identify and resolve them as early as possible. This research investigates a scientific foundation and a novel methodology for the automated detection, prevention, and resolution of prior-known software security vulnerabilities, that is, vulnerabilities already reported and fixed in one system that recur in others. The results will help to detect prior-known vulnerabilities in other software systems and to prevent them from recurring.
The key hypothesis of this research is that software systems with the same or similar security vulnerabilities share the protocols, algorithms, procedures, libraries, frameworks, modules, or source code that carry the flaw, and are therefore exposed to the same or similar exploitation mechanisms. Empirical studies of recurring vulnerabilities across different software systems are conducted to characterize their nature and to validate this hypothesis. Building on what the studies reveal, new vulnerability models, representations, and similarity measures are developed to capture recurring vulnerabilities together with their vulnerable code and exploitation mechanisms. Novel algorithms and techniques (semi-)automatically build graph-based vulnerability models from vulnerability reports and from vulnerable code and its patches, in order to construct a database of prior-known vulnerabilities. A new methodology then identifies prior-known vulnerabilities in other systems and suggests their resolution. Specifically, the automated methods include:
1) an algorithm to compare a new system's code against the vulnerability models in the database and find matches;
2) a technique to map software concepts between security reports, and from a report to the corresponding source code fragments, modules, or components;
3) an algorithm to determine which modules and source file locations in the new system correspond to the vulnerable modules and locations in a system with a prior-known vulnerability; and
4) a technique to suggest a patch for the new system derived from the prior fixes.
In brief, the results of this research help to resolve software security vulnerabilities early. They will lead to more reliable software because detecting and patching recurring security vulnerabilities becomes more efficient and effective.
Please report errors in award information by writing to: awardsearch@nsf.gov.