NSF Award
2409269
Specifications, developer guides and other documentations of networked systems (e.g., Internet applications, carrier networks) describe how these systems are designed, used and operate. These documentations are important sources for understanding security weaknesses in these systems and have not been fully leveraged due to the difficulty in analyzing their imprecise, convoluted and ambiguous content. Project Audacity (AUtomated Documentation Analysis for seCurITY) aims at addressing the challenge for security weakness discovery and remedy. Its novelties are the development of innovative technologies to enable automated document analysis for security protection. The project’s broader significance and importance include transferring the technologies to industry, involving members from under-represented groups in the project and disseminating outcomes through K9-12 outreach and community services. <br/><br/>The project focuses on mitigating security risks of both design flaws and implementation vulnerabilities in networked systems, through automatically recovering security-related information (e.g., models, security properties) and confusing descriptions (e.g., inconsistent statements) from documentations to evaluate their security implications (e.g., verification of system designs, validation of predicted weaknesses on system implementations). This purpose is served by novel techniques based upon machine learning and natural language processing for analyzing different types of documentations, such as those for payment, single-sign-on, and for the 3rd Generation Partnership Project or 3GPP. Examples of such techniques include sentiment analysis for finding the statements related to security requirements and a similarity and differential analysis that compares different statements about similar security-critical operations to capture inconsistency. Furthermore, the project studies emerging techniques such as service syndication through comparing the documentations of different services and the 3GPP ecosystem from analyzing its public text data for risk measurement, identification and mitigation. This work complements program analysis to help enhance the security quality of networked systems, contributing to a better procedure and ecosystem that make security-critical documentations more precise, more consistent and less error-prone.<br/><br/>This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
