Collaborative Research: SaTC: CORE: Small: Improving Decentralized Kernel Patch Ecosystems
University Of Minnesota-Twin Cities, Minneapolis MN
Abstract
The objective of this project is to improve the security of open-source operating system (OS) kernels from the supply chain's perspective. As it is extremely costly to develop a brand new OS, a large number of downstream OS kernels are derived from an upstream OS kernel (e.g., Linux) to save development costs. However, this also means that the security of the downstream kernels depends on timely patch propagation from upstream to downstream. The diversity and decentralized nature of the downstreams cause upstream patches to be delayed or even missed altogether. Even worse, due to customizations in the downstreams, it is time-consuming to infer which bugs are applicable to a downstream and worth patching. Finally, even if downstream vendors know that an upstream vulnerability exists in their kernel and a patch is available, it may require additional effort to port and test upstream patches, a significant hurdle for many downstream vendors who are wary of breaking things. This project aims to develop a series of automated and novel analyses to reason about patches, bug behaviors, and their impacts. More specifically, the project will analyze upstream patches and infer which ones fix critical bugs; it will automatically infer which downstreams are affected by an upstream bug and what security impact it bears; and it will determine whether the corresponding upstream patch can be applied safely and correctly. The results of the project will alleviate the human burden in analyzing, reviewing, and adopting patches. Ultimately, they will improve the security of the entire open-source OS ecosystem. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.