
NSF Org: CNS Division Of Computer and Network Systems
Recipient:
Initial Amendment Date: March 17, 2017
Latest Amendment Date: March 9, 2021
Award Number: 1652954
Award Instrument: Continuing Grant
Program Manager: Phillip Regalia, pregalia@nsf.gov, (703)292-2981, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering
Start Date: March 15, 2017
End Date: February 29, 2024 (Estimated)
Total Intended Award Amount: $500,000.00
Total Awarded Amount to Date: $500,000.00
Funds Obligated to Date: FY 2018 = $117,734.00; FY 2019 = $135,694.00; FY 2020 = $90,060.00; FY 2021 = $92,084.00
History of Investigator:
Recipient Sponsored Research Office: 200 UNIVERSITY OFC BUILDING, RIVERSIDE, CA, US 92521-0001, (951)827-5535
Sponsor Congressional District:
Primary Place of Performance: CA, US 92521-0001
Primary Place of Performance Congressional District:
Unique Entity Identifier (UEI):
Parent UEI:
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01001819DB NSF RESEARCH & RELATED ACTIVIT; 01001920DB NSF RESEARCH & RELATED ACTIVIT; 01002021DB NSF RESEARCH & RELATED ACTIVIT; 01002122DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s):
Program Element Code(s):
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
The objective of this project is to improve the security of a wide range of network protocols that the Internet relies on. Unfortunately, the Internet has been evolving at a rapid rate but its initial design did not take security into consideration. In practice, this leads to a never-ending stream of network attacks that are continuously being discovered. The defenders are forced into a reactive position to these new and creative attacks, without having the necessary tools to understand and anticipate them. The proposed project aims to identify and analyze protocol flaws proactively and stay ahead of attackers. In particular, the project will develop a set of innovative and timely techniques, tools, and insights that will empower developers and researchers to analyze network protocols, identify their weaknesses, and correct them early on. The results will benefit all Internet users by providing a more secure network environment overall.
Specifically, the research is motivated by the following observations. First, emerging threats such as side channels have been largely overlooked in network protocols. Second, network attacks are becoming more sophisticated, with new threat models such as cooperating local and remote attackers. Third, network protocols and their interactions with the environment are becoming more complex, especially given the prevalence of network middleboxes, host-based firewalls, and censorship firewalls. The research will develop a combination of program analysis and network measurement techniques to systematically uncover vulnerabilities in a variety of network protocols. The insights gained from the project will enable better and more secure design and implementation of protocols.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
The project has led to a deep and systematic analysis of various fundamental protocols on the Internet, using reverse engineering, blackbox testing, model checking, static analysis, and symbolic execution. Novel techniques and tools were developed to address the challenges of analyzing complex and stateful network protocols. Together with insights on novel threats such as network side channels, previously unknown high-profile vulnerabilities (many with CVEs) were discovered, including firewall evasion, off-path TCP hijacking, and DNS cache poisoning attacks. Accordingly, we have also developed patches and countermeasures to defend against such threats.
Throughout the project, a number of research papers were published in major security conferences (e.g., NDSS, ACM CCS, IEEE Security and Privacy, USENIX Security). One of the papers won a Distinguished Paper Award at ACM CCS 2020; it revived the powerful DNS cache poisoning attack via side channels identified in the UDP implementation of the Linux kernel. Because of the impact of the discovered vulnerabilities, several results were widely covered by prominent online news media.
Beyond network protocols, the same tools and techniques have also been applied to operating system kernels, which are stateful (similar to network protocols). These led to new ways to reason about the behaviors of large-scale and stateful programs. Together, they have uncovered novel vulnerabilities that would otherwise remain hidden.
Overall, the results of this research project have made significant contributions to improving the security of the network infrastructure, including the Internet protocols and the underlying systems. In addition, through open-source efforts, the tools and techniques developed under the project will be used and refined by researchers to continue improving the state-of-the-art.
Last Modified: 03/09/2024
Modified by: Zhiyun Qian