GGrantIndex
← Search

CAREER: Context-Sensitive Fuzzing for Networked Systems

$425,140FY2024CSENSF

Syracuse University, Syracuse NY

Investigators

Abstract

Internet-facing security-critical network protocols are susceptible to exploitation by remote adversaries seeking to compromise overall security. These adversaries employ crafted inputs to exploit undisclosed or unpatched security flaws (bugs) in protocol implementations. Despite the common strategy of bug identification and patching, unearthing elusive bugs in protocol implementations remains challenging as it requires navigating stringent input validation to discover bugs that lurk deep in the code. Fuzzing, endorsed by the National Institute of Standards and Technology (NIST), automates security testing by passing abnormal inputs to programs in order to discover bugs. While fuzzing has effectively uncovered bugs in many real-world systems, it still struggles to generate semantically correct inputs essential for testing beyond initial input validation. This project bridges this gap in traditional fuzzing by developing an innovative automated solution that effectively enhances the testing of protocol implementations. The core objective of this project is to develop an automated, context-sensitive fuzzing approach that effectively uncovers bugs in security-critical protocol implementations. This project realizes its objective through activities across three complementary research thrusts. The first thrust designs a domain specific language to encode context-sensitive hierarchical structures of inputs and develops algorithms to efficiently generate semantically correct inputs. The second thrust devises several mutation techniques, essential for fuzzing, that will maintain the context-sensitivity of the input. The third thrust develops mechanisms to faithfully maintain the internal state of a stateful protocol so that each fuzz input can be tested in a suitable state of the protocol. This project has the potential to significantly enhance the robustness of protocol implementations, benefiting society. This project's education component includes organizing capture-the-flag (CTF) competitions, improving cybersecurity courses, and conducting K-12 workshops to raise cybersecurity awareness. Undergraduate and graduate students from historically marginalized communities will be recruited to increase their participation in research and educational activities. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

View original record on NSF Award Search →