Project Details
Description
This award is funded in whole or in part under the American Rescue Plan Act of 2021 (Public Law 117-2).
Numerous real-world attacks exploit software vulnerabilities to compromise computer systems such as servers, desktops, smartphones, and Internet of Things (IoT) devices. Recent studies show that it is challenging to detect vulnerabilities accurately and patch vulnerabilities rapidly. State-of-the-art techniques can mitigate unpatched vulnerabilities effectively, but they usually sacrifice the availability of systems. The goal of this project is to improve vulnerability detection and mitigation. The project’s novelties are two-fold. First, the project team is developing an approach to significantly increase the accuracy of vulnerability detection. Second, the project team is developing an approach to substantially reduce the availability loss of vulnerability mitigation. The project's broader significance and importance are that 1) the approaches developed by the project can be used by other projects addressing vulnerabilities, 2) the outcome of the project can help the software industry in designing mechanisms to detect vulnerabilities and defend against vulnerability exploits, and 3) the project is tightly integrated with undergraduate-level and graduate-level curriculum development and student advising. A diverse group of undergraduate and graduate students is participating in the project and developing their interests and expertise in software security.
The project aims to develop an accurate vulnerability-detection technique and an unobtrusive vulnerability-mitigation technique. To improve accuracy, the vulnerability-detection technique uses vulnerability conditions, each of which captures the intrinsic characteristics of a type of vulnerability, to detect vulnerabilities. To reduce the availability loss, the vulnerability-mitigation technique uses basic blocks and program paths as the granularity of vulnerability mitigation. The project consists of three key tasks: 1) designing a scheme for encoding vulnerability conditions, 2) developing a technique based on fuzzing to detect vulnerabilities using vulnerability conditions, and 3) developing a technique based on code-disabling to mitigate vulnerabilities at the granularity of basic blocks and program paths. The major contributions of the project include the design of the techniques, prototype implementations of the techniques, and an evaluation of the implementations with real-world vulnerabilities.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
| Status | Finished |
|---|---|
| Effective start/end date | 7/1/22 → 8/31/24 |
Funding
- National Science Foundation: $174,900.00
ASJC Scopus Subject Areas
- Computer Science(all)
- Computer Networks and Communications
- Engineering(all)