Showing posts with label secure coding. Show all posts

Tuesday, September 9, 2025

Trusted CI Webinar: No Harness, No Problem: Extending Fuzzing’s Reach via Oracle-guided Harness Generation, Monday September 22nd @ 10am Central

University of Utah's Stefan Nagy is presenting the talk, No Harness, No Problem: Extending Fuzzing’s Reach via Oracle-guided Harness Generation, on Monday September 22nd at 10am, Central time.

Please register here.

As NIST estimates that today's software contains up to 25 bugs per 1,000 lines of code, the prompt discovery of exploitable flaws is now crucial to mitigating the next big cyberattack. Over the last decade, the software industry mitigated increasing complexity by turning to a lightweight approach known as fuzzing: automated testing that uncovers program bugs through repeated injection of randomly-mutated test cases. Academia and industry have extensively studied fuzzing's three main challenges—input generation, program feedback collection, and, most critically, code harnessing—accelerating fuzzing to find many more vulnerabilities in less time. However, the critical nature of scientific computing—multi-purpose software toolkits, bespoke APIs, and high-performance environments—demands analogous advances in the vetting of scientific cyberinfrastructure. 

In this talk, I will showcase my group's research on automatic code harnessing, a key step toward making fuzzing scalable to today's complex scientific libraries. First, I will introduce our core approach Oracle-guided Harnessing: a technique that mutationally constructs and refines fuzzing harnesses using only library headers, validated through correctness oracles spanning compilation, execution, and coverage. Next, I will discuss our extensions of this approach to the C and Python library ecosystems, where it has uncovered over 70 previously-unknown security vulnerabilities and logical bugs across widely-used codebases. Finally, I will outline my vision for synergistic harnessing techniques that combine emergent large-language-model–driven methods with our Oracle-guided strategies, charting a path toward fully automatic, broadly applicable, and error-free harnessing.

Speaker Bio: 

Dr. Stefan Nagy is an Assistant Professor in the Kahlert School of Computing at the University of Utah, where he directs the FuTURES³ Lab. His work lies at the intersection of software engineering, computer systems, and security, with a focus on making automated vetting of software and systems more effective and efficient irrespective of kernel, architecture, and source code. His research frequently appears at top venues such as ICSE, USENIX Security, and ACM CCS, and has led to the discovery of more than 200 previously-unknown software bugs and security vulnerabilities (futures.cs.utah.edu/bugs). He holds a PhD from Virginia Tech and a BS from the University of Illinois at Urbana-Champaign.


---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, August 8, 2022

New Trusted CI Software Security Training Materials for the Community

In a world of continuous cyber attacks, cybersecurity is a responsibility of every person involved in the software development life cycle: managers, designers, developers, and testers. Trusted CI offers an evolving collection of training materials on software security covering topics such as secure design, secure implementation, testing, code auditing, dependency tools, static analysis tools, and fuzz testing.

The materials are freely available at https://www.cs.wisc.edu/mist/SoftwareSecurityCourse. Apart from videos and corresponding book chapters, they include hands-on exercises and quizzes for many of the topics. Classroom exercises and the solutions to the hands-on exercises and quizzes are provided to instructors by request. Most of the videos now have captions in both English and Spanish.

These materials are being continuously updated as we develop new modules. The latest additions are modules on address space layout randomization (ASLR), memory safety checks, fuzz testing and using AFL, and dependency analysis tools.

These materials have been used at conferences, workshops, and government agencies to train CI professionals in secure coding, design, and testing. They are also used at the University of Wisconsin-Madison to teach CS542, Introduction to Software Security.

Tuesday, August 31, 2021

2021 Open OnDemand Engagement Concludes

Open OnDemand, funded by NSF OAC, is an open-source HPC portal based on the Ohio Supercomputer Center’s original OnDemand portal. The goal of Open OnDemand is to provide an easy way for system administrators to provide web access to their HPC resources.

Open OnDemand is facing increased community adoption. As a result, it is becoming a critical production service for many HPC centers and clients. Open OnDemand engaged with Trusted CI to improve the overall security of the project, ensuring that it continues to be a trusted and reliable platform for the hundreds of centers and tens of thousands of clients that regularly utilize it. 

Our engagement centered on providing the Open OnDemand team with the skills, tools and resources needed to ensure their software security. This included using the FPVA methodology to conduct in-depth vulnerability assessments independently. In addition, we evaluated the static analysis and dependency checking tools used by Open OnDemand. The analysis of this evaluation led to interesting findings regarding the way tools behave and a set of recommendations regarding which tools to use and how to most effectively configure them.

Trusted CI has performed in-depth assessments for NSF projects in the past. In this engagement with Open OnDemand, we took a step forward as Trusted CI taught a group how to perform the assessment themselves. In general, the NSF community benefits from being able to carry out that kind of activity in an autonomous way. In addition, the lessons in this engagement related to automated tools will benefit any NSF software project.

Open OnDemand Software Engineer, Jeff Ohrstrom, shared positive feedback regarding the value of the engagement, stating “The biggest takeaway for me was just getting muscle memory around security to start to think about attack vectors in every change, every commit, every time.”

Our findings and recommendations are summarized in our engagement report, which can be found here.

Wednesday, June 9, 2021

Trusted CI Materials as the Foundation for a University Course at the University of Wisconsin-Madison

Software security is important to the NSF community because it is critical to their support of science. For example, Trusted CI’s Community Benchmarking Survey consistently finds that the overwhelming majority of NSF projects and Large Facilities develop software and also adopt both open source and commercial software, whose quality they assess as part of cybersecurity risk management. Trusted CI recognises the importance of this issue and has focused the Trusted CI 2021 Annual Challenge on software assurance.

Trusted CI has been developing training materials to teach secure software design and implementation. These materials have been used at conferences, workshops, and government agencies to train CI professionals in secure coding, design, and testing. More recently, they were used at the University of Wisconsin-Madison to develop a new course on software security. The new course, CS542, Introduction to Software Security (http://www.cs.wisc.edu/~bart/cs542.html), is part of the computer science curriculum at the University of Wisconsin-Madison. The teaching materials support a blended (flipped) model. Lectures are based on video modules and corresponding text chapters, and classroom time is used for collaborative exercises and discussions. The videos and text are supplemented by hands-on exercises for each module, delivered in virtual machines. The online nature of these materials proved to be of even greater value during the remote learning situation caused by the COVID-19 pandemic.

This new course covers security throughout the various stages of the software development life cycle (SDLC), including secure design, secure coding, and testing and evaluation for security.

These teaching materials are freely available at
https://www.cs.wisc.edu/mist/SoftwareSecurityCourse.

Some of the comments from the students at the end of the last class of the Spring 2021 course, taken from the chat window, include:

“Thank you for such an enlightening course! I had a lot of fun!”
“Thank you for a very insightful and interesting course.”
“Thanks for the semester! This class was very interesting and manageable I appreciate it”
“Is this only taught in the Spring? I'd like to recommend the class to some of my CS friends.”

300 students have benefitted from this course at the University of Wisconsin-Madison.

Monday, May 4, 2020

Trusted CI Webinar May 18th at 11am ET: Is Your Code Safe from Attack? with Barton Miller and Elisa Heymann

University of Wisconsin-Madison's Barton Miller and Elisa Heymann are presenting the talk, "Is Your Code Safe from Attack?" on May 18th at 11am (Eastern).  

This month's webinar is one week early to accommodate the Memorial Day holiday.

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

The science and cyberinfrastructure community writes a huge quantity of software in the form of services, web applications, and infrastructure to support its mission. Each deployed software component can open your organization to the risk of attack, creating violations of data integrity and privacy, and providing unauthorized access to your computing and science infrastructure. An important part of preventing such attacks is an in-depth review of your code.

The goal of an in-depth code review is to understand the structure of your software, identify the critical parts of code and the resources they control, understand trust and privilege, and then use this information to focus on key parts of the code. Such a review can identify design issues, coding problems, and deployment mistakes. By focusing on the software structure and resources, you can anticipate types of vulnerabilities that have not yet been seen in the wild. This type of review can go beyond the capabilities of penetration testing.

We will briefly describe our First Principles Vulnerability Assessment (FPVA), which we have applied to a wide variety of real-world software, under the aegis of Trusted CI and other organizations. This software has included systems such as HTCondor, Wireshark, Singularity, Google Chrome, and even software that controls almost half the container shipping ports in the world.

We will describe our experiences with such assessments and discuss how you, as an organization that writes or deploys custom software, can access or create such an assessment and how you would work with the assessment team. And, importantly, we will discuss how you respond to the identification of vulnerabilities in your software.

Speaker Bios:

Barton Miller is the Vilas Distinguished Achievement Professor, and Amar & Belinder Professor of Computer Sciences at the University of Wisconsin-Madison. He is also Chief Scientist for the DHS Software Assurance Marketplace (SWAMP) research facility, leads the software assurance effort for the NSF Cybersecurity Center of Excellence (Trusted CI), and co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation, extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations.

In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth), founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation". Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation.

Miller was the chair of the IDA Center for Computing Sciences Program Review Committee, a member of the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee, and has been on the U.S. Secret Service Electronic Crimes Task Force (Chicago Area). Miller is a Fellow of the ACM.

Elisa Heymann is a Senior Scientist on the NSF Cybersecurity Center of Excellence at the University of Wisconsin-Madison, and an Associate Professor at the Autonomous University of Barcelona. She co-directs the MIST software vulnerability assessment at the Autonomous University of Barcelona, Spain.

She coordinates in-depth vulnerability assessments for NSF Trusted CI, and was also in charge of the Grid/Cloud security group at the UAB, and participated in two major Grid European Projects: EGI-InSPIRE and European Middleware Initiative (EMI). Heymann's research interests include software security and resource management for Grid and Cloud environments. Her research is supported by the NSF, Spanish government, the European Commission, and NATO.


Monday, September 30, 2019

Spotlight on Software Assurance and Secure Coding

Bart & Elisa at Cal-Poly Pomona, 09/27/19
Software assurance is the secure design, coding, and assessment of software to ensure it is free from vulnerabilities and works as intended. Since its inception, Trusted CI has dedicated a portion of its engagements and community outreach to software assurance. Much of this work has been led by Profs. Barton P. Miller and Elisa Heymann from the University of Wisconsin-Madison. Through conducting engagements, training events, presenting talks, and building curricula, Bart and Elisa strive to teach programmers, analysts, and managers how to design and program secure software, and how to assess software to find flaws and make the software more difficult to hack.

Bart and Elisa have conducted numerous engagements for Trusted CI and other organizations. During one engagement for Trusted CI they conducted an in-depth vulnerability assessment of Singularity, an open source container platform optimized for high-performance computing (HPC) and scientific environments. The Open Science Grid engagement involved a vulnerability assessment of OSG's installment of HTCondor, a program that manages jobs submitted to the batch system. In another collaboration outside of Trusted CI, they evaluated Total Soft Bank's (TSB) Terminal Operating System, a system for managing maritime freight shipping that manages about 40 percent of container terminals in the world. That work resulted in significant improvements in the security of international shipping, reported in a paper published in Port Technology International.

The pair has conducted workshops for Internet2, Supercomputing, Science Gateways Community Institute (SGCI), IEEE, O’Reilly, and the New Jersey FAA, and has traveled to Australia, Germany, South America, and India to give trainings. Much of their work is publicly accessible so that it reaches the widest audience possible. And their course, “Introduction to Software Security,” has recently been added to UW-Madison’s Spring 2020 undergrad curriculum. A pilot version of the course had 120 students enrolled; they are optimistic the spring course will be well attended. These training resources focus on real scenarios and hands-on learning to make a lasting impact on students. The training exercises have evolved over time to include different languages and operating systems. It should be noted that, depending on the language, some security problems can be reduced, but they don’t entirely go away.

The future of secure coding relies on as much education as possible. The number of people writing programs has increased at a breathtaking rate. The resources available to them must scale to meet these demands.

Updates about upcoming Trusted CI trainings are regularly posted on our home page. Applications for an engagement with Trusted CI during the early 2020 session are due October 2nd.


Monday, November 14, 2016

NTP Rescue: one year later

Over the past two weeks I've gotten to take a look back at one of CTSC's 2015 projects, the rescue of the Network Time Protocol reference implementation, and see how far-reaching its impact has been and will be. It began with a presentation titled "Saving Time" at O'Reilly Security Conference. In this presentation I talked about the rescue and what it meant as a model for saving other failing infrastructure software.

I told the story of how NTP had become a liability not just to the science projects that depend on accurate time, but to the internet as a whole.  CTSC had a chance to make a difference in a failing system by partnering with nonprofit ICEI in a short, intense intervention. About a year later the work we made possible has been carried on by others. The NTP Security Project (NTPSec) has taken the lead, resulting in a new life for this critical infrastructure:
  • NTPSec's code base is down to 75kloc (75,000 lines of code) from the original 227kloc. That 2/3 reduction in attack surface has paid off: NTPSec has been immune to about half of old NTP's vulnerabilities before discovery, and 84% in the past year.
  • NTPSec's code is now stored in a standard git repository, accessible to all. Its documentation has been brought up to date, and the project has begun onboarding and training new developers.
  • NTPSec's success has helped increase awareness of critical infrastructure in need, and made fixing it approachable. Recent articles by Brady Dale of the NY Observer and the (in)famous Cory Doctorow helped spread the story.

At the time it felt like a scurrying few months amid a busy year. It seemed like a last-ditch effort to ensure that our friends in science could get accurate time signals without taking on a security nightmare. It's nice to see how much more it became.

Tuesday, April 22, 2014

Secure Coding tutorial accepted at XSEDE'14

Prof. Bart Miller will present his Secure Coding tutorial at XSEDE'14 on July 14th. With the recent coding flaws found in OpenSSL, this subject has become even more timely.

Watch this blog or the CTSC Twitter feed for more details.