
NSF Org: CNS Division Of Computer and Network Systems
Initial Amendment Date: March 9, 2018
Latest Amendment Date: February 17, 2022
Award Number: 1749711
Award Instrument: Continuing Grant
Program Manager: Sol Greenspan, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering
Start Date: March 15, 2018
End Date: February 29, 2024 (Estimated)
Total Intended Award Amount: $500,000.00
Total Awarded Amount to Date: $500,000.00
Funds Obligated to Date: FY 2019 = $96,693.00; FY 2020 = $99,885.00; FY 2021 = $103,191.00; FY 2022 = $106,616.00
Recipient Sponsored Research Office: 926 DALNEY ST NW ATLANTA GA US 30318-6395 (404)894-4819
Primary Place of Performance: 225 North Avenue Atlanta GA US 30332-0002
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01001920DB NSF RESEARCH & RELATED ACTIVIT; 01002021DB NSF RESEARCH & RELATED ACTIVIT; 01002122DB NSF RESEARCH & RELATED ACTIVIT; 01002223DB NSF RESEARCH & RELATED ACTIVIT
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
Fuzzing is an automatic software-testing technique that repeatedly injects randomly mutated inputs into a target program. Proven to be effective in finding bugs in complex, real-world programs, fuzzing has become a core technique for finding security vulnerabilities. There are now examples of major companies building large-scale, distributed fuzzing infrastructure that runs on hundreds of virtual machines and relentlessly processes millions of test cases per day. The performance of fuzzers is critical, as a faster, smarter fuzzer will find more security bugs in the target program more quickly.
This project takes a novel approach to fuzzing performance: it shortens the execution time of each fuzzing iteration, aiming to achieve more test coverage in a fixed time interval, whereas other approaches focus on convergence to input sets that are more likely to trigger a vulnerability. In the process, the project will overcome hidden scalability and performance bottlenecks arising in the system software layers, such as the operating system and hypervisor. Such technical advances can bring significant savings in the operating cost of fuzzing infrastructure and help developers identify more security bugs in open source and commercial software in a cost-effective manner.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
The primary goal of this NSF-funded project was to enhance the performance of fuzzing techniques, aiming to reduce the time required to uncover security vulnerabilities and software bugs. The project specifically addressed system-side bottlenecks, such as in-kernel locks, by leveraging systems approaches like heterogeneous architectures, and creating new system abstractions to accelerate the fuzzing processes, like a new OS abstraction or a unified fuzzing layer to ensemble multiple fuzzers. This performance boost is intended to lower the cost and foster the widespread adoption of fuzzing techniques across various industries.
Accomplishments and Major Activities:
Over the course of the project, significant progress was made, contributing to 25 publications in top-tier security and systems conferences and resulting in 20 open-source projects. These efforts led to the discovery and reporting of over 80 high-impact vulnerabilities. Notable advancements include the development of "autofz," an automated fuzzer composition tool that optimizes fuzzer configurations using genetic algorithms. This tool significantly improves the efficiency and effectiveness of fuzzing by dynamically adjusting parameters to maximize coverage and bug detection rates.
Impact and Dissemination:
The project's outcomes have had a profound impact on the field of software security, particularly in the development and adoption of fuzzing methods. The research has been widely disseminated through publications, open-source projects, and educational resources. Tools like RoboFuzz and autofz have been made publicly available, contributing to the broader research community's efforts in security testing and vulnerability discovery. Additionally, the project has provided extensive training opportunities through the OMS Cyber Masters and MS Information Security programs, equipping students with hands-on experience in fuzzing techniques.
Last Modified: 08/11/2024
Modified by: Taesoo Kim