CAREER: Generating High Quality Vulnerability Corpora for Benchmarking and Education
New York University, New York NY
Investigators
Abstract
Software vulnerabilities pose a major threat to the safety and security of computer systems. There is a large body of research on how to automatically find vulnerabilities in programs, but test data for evaluation of this research--large, ground-truth corpora of vulnerabilities--are expensive to create and hence in short supply. The goal of this project is to create techniques for automatically generating benchmark corpora of software vulnerabilities that can be used to rigorously assess vulnerability discovery tools, allowing researchers and end users alike to better understand what techniques are most effective, leading to more effective tools and ultimately safer software. The project also aims to use automatically generated vulnerabilities to cheaply create training exercises for cybersecurity education, broadening access to cybersecurity expertise and helping to build the next generation of security researchers. Although prior work such as LAVA (Large-Scale Automated Vulnerability Addition) has demonstrated that vulnerability corpora can be created automatically, the vulnerabilities it creates are unrealistic (containing many artifacts that made them easier to discover than real vulnerabilities) and not very diverse (consisting only of pointer corruption errors). This project aims to address these issues by developing new techniques that: 1) use large language models trained on code to synthesize vulnerabilities that are realistic and diverse; 2) place vulnerabilities in hard-to-discover paths through directed symbolic execution; 3) allow new vulnerability classes to be added quickly with a customized domain-specific language; and 4) automatically generate exploits for each vulnerability. Together, these techniques will allow highly realistic vulnerability corpora to be generated cheaply and on-demand. Aside from the benefits gained by having a limitless supply of vulnerabilities to use as benchmark corpora, the project will also investigate the use of vulnerability injection to create "capture the flag"-style exercises for education; such challenges are an extremely popular and effective means of teaching a variety of cybersecurity skills, but they require large amounts of time, money, and expertise to create and manage. If the creation of these challenges can be partially or wholly automated, it could bring new educational opportunities within reach of a broader and more diverse population by dramatically lowering costs. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
View original record on NSF Award Search →