SHF: Small: Detecting the 1%: Growing the Science of Vulnerability Detection
North Carolina State University, Raleigh NC
Investigators
Abstract
Daily, news reports reveal the latest increasingly sophisticated security attacks that threaten our national security, our cyber infrastructure, our health, our finances, our children, and democracy itself. Yet, studies indicate that discovered vulnerabilities can be very damaging but are rare, appearing in about 1-4% of software files. Finding vulnerabilities has been described as "searching for a needing in a haystack." But, protecting the American people, the American homeland, and the American way of life means that software organizations need to detect vulnerabilities so that they can be fixed before the product is used by customers, which makes the vulnerabilities available to attackers. This project will perform studies to understand the characteristics and location of the most risky vulnerabilities so that special effort can be spent and automated tools can be developed to detect the vulnerabilities. The work will improve the ability of software organizations to produce secure software products so that people can rely upon computer systems to perform critical functions and to process, store, and communicate sensitive information securely. The research project also involves the mentoring of PhD students and innovation in software-security teaching for undergraduate and graduate students. Making informed decisions on what code to review and test can improve a team's ability to find and remove more vulnerabilities. Therefore, security engineers looking to prioritize security inspection and testing efforts may be better served by vulnerability-based detection techniques and tools and effective vulnerability prediction. The goal of this project is to aid software practitioners in detecting exploitable vulnerabilities through empirical study of the characteristics of vulnerabilities and through the development and evaluation of prediction models enhanced with recent research from artificial intelligence. The project will explore characteristics of vulnerabilities with a focus on those that pose the highest security risk. Knowledge about the fundamental characteristics of vulnerabilities can be used in the development of vulnerability-focused tools to aid teams in effectively and efficiently detecting vulnerabilities. The fundamental vulnerability characteristics can also be used to develop novel metrics and methods for building vulnerability prediction models enhanced with recent research from artificial intelligence. The project team will also provide a testbed and test data to help other security researchers. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
View original record on NSF Award Search →