Code injection vulnerabilities are a class of security vulnerabilities that have been exploited increasingly often, including in the high-profile 2017 Equifax breach as well as in many recent attacks on our country's election and financial systems. These vulnerabilities are very tricky to detect, and there are no existing automated techniques to protect critical software from being released with these dangerous flaws. This project is developing new and transformative approaches for detecting code injection vulnerabilities in complex, large-scale systems. The line between high-assurance and general-purpose software is increasingly blurred, as nowadays nearly any insecure software can have severe economic consequences. Hence, this project is developing, validating and disseminating better tools that any engineer can use to detect code injection vulnerabilities in their applications during testing (without requiring specialized security knowledge).
To detect these vulnerabilities, this project harnesses the combined power of both human developers and automated dynamic program analysis, combining existing test suites with dynamic dataflow analysis. Given an existing (and perhaps low quality) developer-written test suite, this project simultaneously increases the depth of each test (adding new security-related checks to each test) and the breadth of each test (ensuring that the test suite thoroughly validates each security check). When one of these tests suggests that there might be a vulnerability, the tool will generate a proof-of-exploit test case that demonstrates the existence of the exploit and allows developers to understand and debug the issue, preventing it from escaping to the wild. The tools will be carefully designed to be adoptable by everyday software engineers without requiring specialized knowledge of program analysis, with easy integration with existing tooling and continuous integration infrastructure. This project involves undergraduate and graduate students in research. All software and curricula resulting from this project will be freely and publicly available; the resulting tools will be publicly disseminated and are expected to be useful for other testing and security researchers.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
