CICI:SIVD:Context-Aware Vulnerability Detection in Configurable Scientific Computing Environments

Computational infrastructures have increasingly become the enabling factor for scientific discovery, in critical application domains including seismic imaging, air quality monitoring, epidemiology, drug discovery and nuclear engineering. The security of these infrastructures is thus of crucial importance, as the vulnerabilities in their unique software stacks can cause significant damage to economy, environment, public health, and national security.

This project aims to safeguard scientific computing infrastructures via automatically identifying hidden software vulnerabilities in a timely manner. Particularly, the goal of this project is to address the challenging problem of configuration-related security bugs in highly customizable high-performance computing environments. Detecting such vulnerabilities is a hard problem.

The stateof- the-art general vulnerability analyzers are unable to capture the specific runtime contexts of multiple interdependent software elements in specialized scientific computing environments. To bridge this gap, this project connects advanced bug-finding techniques to dedicated high-performance computing settings. In addition, it also seeks to leverage the unique characteristics of scientific computing environments to facilitate vulnerability discovery.

Hence, this research provides a comprehensive understanding of the software security problems in real-world scientific computing systems, and builds robust solutions to secure these systems.

Specifically, this project develops novel deployment-specific vulnerability detection techniques, that can (a) discover seemingly well-formed, yet inconsistent configuration values within scientific computing contexts, (b) detect cross-component vulnerabilities caused by the settings of interconnected computing software, and (c) take full advantage of the de facto workflow of high-performance computing systems to reduce the complexity of finding bugs. This research consists of three tasks: (1) it investigates the deployment contexts in real-world high-performance computing systems and develops both offline and online tools to automatically collect contextual information; (2) it applies extracted contexts to detecting misconfiguration and configuration-triggered code vulnerabilities at both deployment time and incrementally at runtime; (3) it tests the novel technique in real-world testbeds and scientific computing environments to evaluate its accuracy, efficiency and effectiveness.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.