
NSF Org: CNS Division Of Computer and Network Systems
Recipient:
Initial Amendment Date: April 23, 2019
Latest Amendment Date: April 23, 2019
Award Number: 1844880
Award Instrument: Continuing Grant
Program Manager: Sol Greenspan, sgreensp@nsf.gov, (703) 292-7841, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering
Start Date: May 1, 2019
End Date: December 31, 2020 (Estimated)
Total Intended Award Amount: $500,000.00
Total Awarded Amount to Date: $196,587.00
Funds Obligated to Date:
History of Investigator:
Recipient Sponsored Research Office: 4400 UNIVERSITY DR FAIRFAX VA US 22030-4422, (703) 993-2295
Sponsor Congressional District:
Primary Place of Performance: 4400 University Drive Fairfax VA US 22030-4422
Primary Place of Performance Congressional District:
Unique Entity Identifier (UEI):
Parent UEI:
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01002122DB NSF RESEARCH & RELATED ACTIVIT; 01002223DB NSF RESEARCH & RELATED ACTIVIT; 01002324DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s):
Program Element Code(s):
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
Code injection vulnerabilities are a class of security vulnerabilities that have been exploited increasingly often, including in the high-profile 2017 Equifax breach as well as in many recent attacks on our country's election and financial systems. These vulnerabilities are very tricky to detect, and there are no existing automated techniques to protect critical software from being released with these dangerous flaws. This project is developing new and transformative approaches for detecting code injection vulnerabilities in complex, large-scale systems. The line between high-assurance and general-purpose software is increasingly blurred, as nowadays nearly any insecure software can have severe economic consequences. Hence, this project is developing, validating and disseminating better tools that any engineer can use to detect code injection vulnerabilities in their applications during testing (without requiring specialized security knowledge).
To detect these vulnerabilities, this project harnesses the combined power of both human developers and automated dynamic program analysis, combining existing test suites with dynamic dataflow analysis. Given an existing (and perhaps low quality) developer-written test suite, this project simultaneously increases the depth of each test (adding new security-related checks to each test) and the breadth of each test (ensuring that the test suite thoroughly validates each security check). When one of these tests suggests that there might be a vulnerability, the tool will generate a proof-of-exploit test case that demonstrates the existence of the exploit and allows developers to understand and debug the issue, preventing it from escaping to the wild. The tools will be carefully designed to be adoptable by everyday software engineers without requiring specialized knowledge of program analysis, with easy integration with existing tooling and continuous integration infrastructure. This project involves undergraduate and graduate students in research. All software and curricula resulting from this project will be freely and publicly available; the resulting tools will be publicly disseminated and are expected to be useful for other testing and security researchers.
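The abstract describes the approach only in outline: take an existing developer test, mark its input as untrusted, track that input through the program with dynamic dataflow (taint) analysis, and add a check at the security-sensitive sink. The following is an added illustration of that idea in Python; it is not code from the project, and every name in it (TaintedStr, check_sql_sink, audit_builder, the two query builders) is a hypothetical construction for this example. Taint here survives only string concatenation, which is enough to contrast a builder that splices untrusted text into SQL with one that passes it as a bound parameter; a real tracker covers far more operations.

```python
"""Toy dynamic taint tracking layered onto an existing developer test (added example)."""
from typing import Callable, List, Optional, Tuple, Union

Span = Tuple[int, int]


class TaintedStr(str):
    """A str that remembers which character ranges came from untrusted input.

    Taint is propagated through '+' in both directions; other operations fall back to a
    plain str (a simplification for this demo).
    """

    spans: List[Span]

    def __new__(cls, value: str, spans: Optional[List[Span]] = None):
        obj = super().__new__(cls, value)
        obj.spans = list(spans) if spans is not None else [(0, len(value))]
        return obj

    def __add__(self, other):
        off = len(self)
        right = [(s + off, e + off) for s, e in getattr(other, "spans", [])]
        return TaintedStr(str(self) + str(other), self.spans + right)

    def __radd__(self, other):
        off = len(other)
        return TaintedStr(str(other) + str(self), [(s + off, e + off) for s, e in self.spans])


class InjectionDetected(Exception):
    """Raised by the sink check when untrusted data lands in a structural position."""


def _literal_interior(sql: str) -> List[bool]:
    """True at every index that is a non-quote character inside a single-quoted literal."""
    flags, in_lit = [], False
    for ch in sql:
        if ch == "'":
            flags.append(False)  # the quote itself is SQL structure, never data
            in_lit = not in_lit
        else:
            flags.append(in_lit)
    return flags


def check_sql_sink(sql: str) -> None:
    """The 'depth' half: a security check a test-augmentation tool arms before the DB call.

    Every untrusted character must sit inside a string literal and must not be a quote.
    """
    interior = _literal_interior(str(sql))
    for start, end in getattr(sql, "spans", []):
        for i in range(start, end):
            if not interior[i]:
                raise InjectionDetected(
                    f"untrusted character {sql[i]!r} at offset {i} is structural in {str(sql)!r}"
                )


# Two hypothetical application builders under test (constructed for this example).
def build_query_concat(username: str) -> str:
    # Untrusted value spliced directly into the SQL text.
    return "SELECT id FROM users WHERE name = '" + username + "'"


def build_query_param(username: str) -> Tuple[str, Tuple[str, ...]]:
    # SQL text stays constant; the value travels separately as a bound parameter.
    return "SELECT id FROM users WHERE name = ?", (username,)


Builder = Callable[[str], Union[str, Tuple[str, Tuple[str, ...]]]]


def audit_builder(builder: Builder, seed: str) -> Optional[Tuple[str, str]]:
    """Re-run a developer test with its input marked tainted and the sink check armed.

    The 'breadth' half: besides the developer's own input, try one variant containing a
    quote so the check is actually exercised. Returns (triggering_input, reason) for the
    first flagged flow, or None when no untrusted data reached a structural position.
    """
    for probe in (seed, seed + "'"):
        result = builder(TaintedStr(probe))
        sql = result[0] if isinstance(result, tuple) else result
        try:
            check_sql_sink(sql)
        except InjectionDetected as exc:
            return probe, str(exc)
    return None


if __name__ == "__main__":
    # Seed input taken from a (constructed) existing developer test.
    for name, builder in (("concat", build_query_concat), ("param", build_query_param)):
        print(name, "->", audit_builder(builder, "alice") or "no tainted flow to sink")
```

Run as a script, the concatenating builder is reported together with the input that exposed it, while the parameterized builder is not reported because no tainted character ever enters the SQL text. The developer's original input ("alice") alone never trips the check, which is exactly why the abstract pairs the added check (depth) with inputs that exercise it (breadth).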
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH