SIFT wins HACKAR: Helpful Advice and Coding Knowledge for Attack Resistance

SIFT is awarded a 3-year research contract by the Office of Naval Research. The project is entitled "HACKAR: Helpful Advice and Coding Knowledge for Attack Resistance." The HACKAR project will be a new approach to proactive analysis, detection, and diagnosis of vulnerabilities in functions and modules at development time. HACKAR will help programmers by providing advice and coding knowledge for addressing potential vulnerabilities in their code, so that programmers can be aware of these threats and fix them before the code is deployed. HACKAR will use automated, proactive testing techniques to find inputs that lead to potential vulnerabilities and couple these techniques with models and algorithms for workflow generation and reasoning. For more information, please contact Ugur Kuter at ukuter@sift.net.

Present-day software development requires programmers to make design decisions continuously about implementation patterns, in light of the expectation that the code, once deployed, will be run in adverse and unconstrained environments. These decisions, once made and reflected in code, are often forgotten, making it difficult later to find hidden vulnerabilities. Even more often, developers may not have knowledge of the vulnerabilities in a piece of software that they rely on, so are not even conscious that they have a decision to make.

For programmers to write code that is robust to security threats, they must know about the input and output specifications of each imported or remote function they utilize, usually to a degree that is beyond what is documented. This presents some unique challenges. Even a simple example illustrates this: the common C++ library function sscanf can be used to parse arguments to a Unix procedure. However, unless a sufficiently large buffer is provided to receive the answer (larger than any input string provided), the transmission of external inputs through that call can cause a buffer overflow that is susceptible to attack. Thus, user-provided inputs must be truncated in the calling code written by the programmer, in a way consistent with the size of the buffer he or she provides. As this goes beyond the specification of the types and purposes of the arguments to sscanf, the programmer may not be aware of this pitfall and the idioms that are appropriate to counteract it. The problems only get worse if the function being called is itself complex and uses such insecure functions internally, and so is itself insecure. Developers desperately need tools that will make them aware of these insecurities so that they can be fixed early on.
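The sscanf pitfall described above, and one idiom that counters it, as an added example that is not code from SIFT or the HACKAR project. The names parse_user_unsafe, parse_user_bounded and NAME_CAP, and the "user=" argument format, are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 15              /* assumed limit: 15 characters plus the NUL */
#define STR2(x) #x
#define STR(x) STR2(x)           /* turns NAME_CAP into the literal "15" */

/* The pitfall from the text: %s has no field width, so a token longer than
 * the destination is written past its end. Shown for contrast, never called. */
int parse_user_unsafe(const char *arg, char name[NAME_CAP + 1]) {
    return sscanf(arg, "user=%s", name);
}

/* Bounded form: the field width is derived from the same constant that sizes
 * the buffer, and %n reports where scanning stopped so truncation is detected.
 * Returns 0 on success, -1 if arg does not match, -2 if the value was cut. */
int parse_user_bounded(const char *arg, char name[NAME_CAP + 1]) {
    int consumed = 0;
    name[0] = '\0';
    if (sscanf(arg, "user=%" STR(NAME_CAP) "s%n", name, &consumed) != 1)
        return -1;
    /* Input left over that is not whitespace means the token exceeded the width. */
    if (arg[consumed] != '\0' && !isspace((unsigned char)arg[consumed]))
        return -2;
    return 0;
}

int main(void) {
    char name[NAME_CAP + 1];
    char big[64] = "user=";               /* constructed oversized input */
    memset(big + 5, 'A', 40);
    int rc = parse_user_bounded("user=alice", name);
    printf("%d %s\n", rc, name);
    rc = parse_user_bounded(big, name);
    printf("%d %s\n", rc, name);
    return 0;
}
```

On the oversized input the bounded parser still leaves a NUL-terminated 15-character prefix in name, so the caller can choose between accepting the truncated value and rejecting the argument.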

HACKAR will address the Cyber Security challenge of the ONR Special Notice 0012 with novel development-time techniques to find potential vulnerabilities in programmers’ code. Like modern static-analysis tools, HACKAR will automatically identify problems in software during development. However, HACKAR will accomplish this by dynamically testing code fragments using fuzzed inputs to find and localize potential vulnerabilities. The system will explain identified vulnerabilities by using information obtained from those dynamic executions of code fragments, and suggest fixes to those vulnerabilities.

Our research objectives in HACKAR are to provide (1) a theoretical foundation that unifies and extends elements of both fuzz-based code testing and Artificial Intelligence (AI) techniques; (2) algorithms for simulating dynamic execution of a code fragment that is being developed and identifying vulnerabilities in that code fragment; (3) algorithms for generating workflows from functional analysis of the users’ code; and (4) algorithms that can produce explanations and human-understandable advice about ways to fix the identified vulnerabilities. We will evaluate our new algorithms both theoretically, by extensive mathematical analyses, and experimentally, by designing experiments with synthetic data as well as by developing a demonstration prototype that will be plugged into a development environment.