| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | Purdue University |
| Country | United States |
| Start Date | Apr 01, 2025 |
| End Date | Mar 31, 2030 |
| Duration | 1,825 days |
| Number of Grantees | 1 |
| Roles | Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2442339 |
Many computer security applications necessitate the creation and deployment of updated or modified versions of existing software. In fact, the ability to deploy security-related software updates is now considered essential to guarantee a device's security. Unfortunately, in many scenarios, such as devices running legacy applications for which the source code is unavailable, reliably creating, deploying, and verifying software updates remains challenging.
As a result, many devices are left unpatched, even when they are known to be vulnerable to security weaknesses. To address this issue, this project will develop a principled and comprehensive methodology for developing, deploying, and verifying software patches. In particular, this work will ease software patching in scenarios where the original software source code is unavailable, allowing the deployment of security patches to millions of devices currently left unpatched.
Additionally, this project will produce educational materials and conduct security competitions to develop and assess software patches.
To achieve its goals, this project will start by developing differential binary-analysis techniques to compare original and patched binaries, focusing on the modifications introduced by the patch. These techniques will then be used to efficiently assess the security enhancements introduced by a patch while detecting potential unintended side effects.
In parallel, the project will develop reliable approaches to patch binary code at scale. Finally, the project will implement tools to generate human-readable representations of patch modifications to aid analysts in understanding the impact of patches and to update Software Bills of Materials (SBOMs). Collectively, these efforts will establish a comprehensive, human-in-the-loop pipeline for defining, generating, and verifying software patches at the binary level, thereby enhancing the security and reliability of current and future software systems.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.