Data-driven Vulnerability Repair in Programs with a Cloud Analytics Architecture for Practical Deployment
Abstract
Current cybersecurity research has been largely focused on automatic detection, prevention, and proof-of-concept attack development. A huge missing link in the cybersecurity ecosystem is the lack of systematic research on security repair, specifically on post-detection vulnerability localization and program repair to prevent future exploits. Current post-detection practices heavily rely on manual effort. Currently, upon receiving alerts, security analysts need to manually localize the problematic code region and manually generate patches for code repair. Because of the complexities of modern programs and systems, these tasks are challenging and time-consuming. Our ultimate vision is to implement a secure software ecosystem that enables automatic attack detection, vulnerability localization, and code repair against attacks, including stealthy exploits. In this project, we will focus on vulnerability localization and code repair that leverage and build upon existing advanced security detection solutions, i.e., detection-guided localization and repair. Detection reports the symptom of a security problem; localization identifies its root cause; repair provides a permanent fix for the security problem. Detection guidance implies that the localization and repair will utilize existing detection techniques, such as program anomaly detection and control-flow integrity. Such a strategy of building upon the existing success in security research is both scientific and economical. Such swift vulnerability localization and repair will be extremely useful for DoD to secure the cyberspace in DoD, but has not been systematically reported in the literature. Although it may be possible to use general-purpose bug localization techniques to find the root causes of security vulnerabilities, our proposed detection-guided localization based on control-flow integrity and anomaly detection will be more specialized.
More importantly, our key technical novelty is a set of data-driven algorithms for categorizing vulnerability and security properties of programs. We will design new feature extraction and machine learning methods to recognize code patterns (including abstract syntax trees and dependence relations) in known vulnerabilities and their corresponding repair strategies, and produce intelligent code-repair suggestions for security analysts. In preparation for near-term deployment, we will also develop a novel cloud data analytics framework that minimizes the client-side effort and substantially enhances the transparency and usability of data-driven security tools. Our evaluation will be focused on Linux OS with C/C++ server and utility programs. Machines with Intel Processor Trace enabled CPUs support low-overhead tracing, necessary for practical deployment. The three PIs have complementary expertise and are uniquely qualified for the proposed research. The proposed budget is estimated at $1.2 million for 3 years, starting from July 1, 2017. The proposed work is fundamental research.
Document Details
- Document Type: DoD Grant Award
- Publication Date: May 05, 2017
- Source ID: N000141712498
Entities
People
- Danfeng Yao
Organizations
- Office of Naval Research
- United States Navy
- Virginia Tech