Project Details
Description
Research Overview. With the development of whitebox and blackbox fuzzing techniques, it is increasingly easier for a security analyst to find software vulnerabilities. However, it is not clear how to convert the vulnerabilities into a full exploitation. This is not because the identified vulnerabilities are unexploitable, but due to the fact that the exploitation requires tackling three main challenges ~ (1) identifying useful primitives for exploitation (2) finding an effective way tobypass widely-deployed mitigation and protection and (3) preventing unexpected termination in exploitation.In this research project, I aim to explore, design and develop a series of technical approaches to ease the development of working exploits and escalate the exploitability for vulnerabilities. To be more specific, I intent to conduct this research from three aspects. First, I will develop automated techniques to explore the primitives needed for exploitation. Using the primitives identified, Iwill then design and develop technical solutions to facilitate the ability of a security analyst to bypass security mitigation and thus explore the possibility of performing exploitation. Last but not least, I will explore practical approaches to preventing unexpected termination in vulnerability exploitation.Intellectual Merit. This project will make key innovations in software vulnerability analysis and exploitability assessment to close the gaps for prioritizing bug and vulnerability remediation. If successful, the research outcome will provide a series of novel technical solutions that will help security analysts to ~ track down primitives needed for exploitation, ~ evaluate the capability ofa vulnerability in circumventing widely deployed security mitigation and ~ prevent unexpected termination in exploitation assessment. Not only will this work enrich the arsenal of computer security, but also contribute to the field of software engineering that focuses on automated vulnerability analysis and exploit development. The proposed research will apply empirical methods fromcomputer systems and software engineering to tackle conventional but unsolved security problems.Broader Impact. This research project has the potential to significantly reduce the cycle of exploitability assessment for vulnerabilities and thus shorten the time that a software system remains vulnerable. The proposed research will make key progress towards securing the current cyberspace and enhancing the national security. The technical solutions will not only help to build a more effective and efficient bug triaging system for industrial practitioners, but also augment their ability to perform more comprehensive and thorough penetration test in their regular cyber operations.The PI will actively share the research results with existing industrial partners and collaborate on prototype testing. In addition, the PI will use this project as a platform to recruit and mentor underrepresented students and introduce undergraduate students to security research.Keyword: Exploitability assessment, symbolic execution, security mitigation, memory corruption vulnerability
Status | Active |
---|---|
Effective start/end date | 1/1/20 → … |
Funding
- U.S. Navy: $449,958.00