Lead PI Fish Wang (UCSB SecLab graduate, now Assistant Professor at ASU) and Co-PIs Giovanni Vigna (UCSB SecLab) and Chris Kruegel (UCSB SecLab) were awarded an $11.7 million grant from the DARPA CHESS program for their proposal titled "CHECRS: Cognitive Human Enhancements for Cyber Reasoning Systems."
Software vulnerabilities greatly impede the security, usability, and reliability of computer systems. Thus, the discovery and mitigation of software vulnerabilities, also known as vulnerability research, is crucial to the stability of society and the security of the nation. Despite the progress in program and binary analysis over the past years, vulnerability research still involves a lot of manual effort, which limits its scalability and handicaps its applicability.
A fundamental obstacle to the automation of vulnerability research is the world knowledge and logical reasoning capabilities that machines do not possess (yet). To bring the scalability and applicability of vulnerability research to the next level, CHECRS proposes a new vulnerability analysis paradigm in which automation orchestrates and conducts the majority of vulnerability discovery and mitigation tasks and, additionally, absorbs human knowledge from expert and novice human collaborators on demand. The system that CHECRS proposes to build will allow effective and efficient vulnerability analysis on large, complex, real-world software targets, such as word processors, web browsers, OS kernels, and so on.
The Computers and Humans Exploring Software Security (CHESS) program aims to develop capabilities to discover and address vulnerabilities of all types in a scalable, timely, and consistent manner. Achieving the necessary scale and timelines in vulnerability discovery will require innovative combinations of automated program analysis techniques with support for advanced computer-human collaboration. Due to the cost and scarcity of expert hackers, such capabilities must be able to collaborate with humans of varying skill levels, even those with no previous hacking experience or relevant domain knowledge.
Additional Co-PIs: Adam Doupé (UCSB SecLab graduate, now Assistant Professor at ASU), Yan Shoshitaishvili (UCSB SecLab graduate, now Assistant Professor at ASU), Tiffany Bao (UCSB SecLab visiting intern, now Assistant Professor at ASU), Alex Kapravelos (UCSB SecLab graduate, now Assistant Professor at NC State), Antonio Bianchi (UCSB SecLab graduate, now Assistant Professor at The University of Iowa), Yanick Fratantonio (UCSB SecLab graduate, now Assistant Professor at EURECOM), Davide Balzarotti (UCSB SecLab Post-doc, now Professor at EURECOM), Stephanie Forrest, and Chitta Baral.