GGrantIndex
← Search

CAREER: Fuzzing Large Software: Principles, Methods, and Tools

$220,500FY2024CSENSF

University Of Utah, Salt Lake City UT

Investigators

Abstract

Today's software is reaching unprecedented sizes, resulting in a variety of large software systems, such as web browsers, email clients, and database systems, occupying a central role in society. However, this surge in size brings forth a myriad of vulnerabilities that threaten everyone's digital security. Statistics reveal that software exceeding one million lines of code harbors an average of 0.66 defects per 1,000 lines, with 36% classified as vulnerabilities. This project addresses this critical issue by exploring security testing tailored explicitly for discovering vulnerabilities in large software. It focuses on scaling fuzzing---a predominant testing strategy embraced by software vendors and open-source communities---to maintain high effectiveness and efficiency for large software. The research outcomes advance the scientific study of security testing under new challenges posed by large software's unique properties. The anticipated results also improve the security of various types of large software that play a crucial role in daily lives, such as Chromium, Firefox, Thunderbird, MySQL, LibreOffice, PDFium, TensorFlow, and OpenCV. The outcomes of the research will lead to technology transfer to industry. The research will be integrated into education and training through new curriculum and outreach to Utah's Youth Education program as well as capture the flag (CTF) competitions. Technically, this project introduces three key innovations to enable scalable fuzzing for large software. First, it employs object-oriented decomposition to address the extreme complexity of large software, breaking it down into self-contained code units based on the data objects it manipulates. This approach allows for testing individual code units, overcoming the challenges associated with fuzzing entire software systems and enabling deeper code coverage. Second, the project integrates fuzzing-centric optimizations into compilers and operating systems to enhance testing speed. These optimizations minimize fuzzing-irrelevant operations and dynamically adapt to the progress of fuzzing, unlocking hidden speed potential. Third, the project develops history-informed crash analysis to expedite the fuzzing-to-patching cycle by filtering and triaging crashes encountered during testing. Leveraging historical data produced by fuzzing, this analysis comprehensively understands and processes crashes, offering the fidelity and efficiency necessary for addressing large software systems. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

View original record on NSF Award Search →
CAREER: Fuzzing Large Software: Principles, Methods, and Tools · GrantIndex