Recent high-profile software-borne security breaches show that scientific research institutions are particularly targeted for their proximity to national security interests such as nuclear energy. Unfortunately, scientific software security is concerningly overlooked: despite having many exploitable security vulnerabilities and growing calls for more stringent secure development practices, the scientific community currently lacks suitable tools to thoroughly vet its software. As much of the software world has embraced the vulnerability-finding strategy known as “fuzzing”, this project aims to transition recent advancements in cybersecurity, software engineering, and computer systems to enable thorough, systematic fuzzing of today’s complex scientific software. The outcomes of this proposal will enhance the overall security of scientific software, reducing the likelihood of future software-borne security breaches against the users, communities, and institutions that use it.

Existing fuzzing tools generally target small, single-language code with well-known input specifications, and thus fail to support the often multi-language, large, and esoteric nature of scientific software. Accordingly, this work aims to tackle these asymmetries by introducing (1) performant instrumentation with cross-language support; (2) fully automated synthesis of thorough fuzzing harnesses; and (3) automated mining of formal input specifications. Beyond their release to the broader scientific software community, the tools and techniques resulting from this project are projected to be deployed on large-scale cyberinfrastructure through UVA’s ACCORD initiative as well as collaborating National Lab partners.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.