Practical, Systematic Fuzz Testing for Securing Scientific Software

Funding Agency: National Science Foundation under the Cybersecurity Innovation for Cyberinfrastructure (CICI) Transition to Cyberinfrastructure Resilience (TCR) program.
Award: $1,200,000
Dates: 01-OCT-2024 through 30-SEP-2027
Collaborative proposal with University of Utah

The Department of Homeland Security (DHS) reports that 90% of cyberattacks stem from insecure software; according to the White House, this resulted in $109 billion of damage to the U.S. economy in 2016 alone. As the National Institute of Standards and Technology (NIST) estimates that today’s software contains up to 25 bugs per 1,000 lines of code, the prompt discovery of exploitable flaws is now crucial to mitigating the next big cyberattack, but the ever-increasing complexity of software makes manual analysis and formal verification infeasible. Over the last decade, the software industry has addressed this complexity by turning to a lightweight approach known as fuzzing: automated testing that uncovers program bugs by repeatedly feeding a program randomly mutated test cases. Academia and industry have extensively studied fuzzing’s three main challenges (input generation, code harnessing, and program feedback collection), accelerating fuzzing so that it finds many more vulnerabilities in less time. However, the critical nature of scientific computing, with its multi-purpose software toolkits, bespoke APIs, and high-performance environments, demands analogous advances in the vetting of scientific cyberinfrastructure.

Unfortunately, the semantic gaps between conventional and scientific computing leave fuzzing far less effective on scientific software: the lack of scalable, cross-language program analysis and instrumentation hinders the fuzzing of today’s complex, multi-language scientific applications; and worse yet, the intricate, highly-structured data formats expected by scientific software are seldom formalized, restricting even the world’s most powerful fuzzers to testing only surface-level code (the parsing and validation that rejects malformed input before the core computation ever runs). These asymmetries prevent scientific software developers from thoroughly vetting their code, and impede responsible vulnerability disclosure efforts for high-value targets like the PETSc and SciPy scientific APIs. Thus, combating the ever-increasing threat of cyberattacks targeting critical scientific cyberinfrastructure demands that high-performance, systematic fuzzing techniques be transitioned to today’s scientific software ecosystem.

This project will transition research in cybersecurity, software engineering, and systems to bring thorough, systematic vetting to scientific software:
  • Cross-Language Instrumentation: We will adapt state-of-the-art code instrumentation platforms to enable effective feedback-guided fuzzing of software comprising multiple programming languages, and to track cross-language program events toward accelerated vulnerability discovery.
  • Automatic Interface Harnessing: We will introduce mutation testing for automating the synthesis of fuzzing interfaces that inject fuzzer-generated test data directly into programs’ core functionality, and integrate these systems within key software development platforms toward proactive pre-release security vetting.
  • Input Specification Extraction: We will repurpose program analysis techniques to reconstruct the structure and semantics of scientific software’s complex input data formats, and redesign existing tooling to leverage these recovered input specifications for thoroughly auditing scientific application code.
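The three fuzzing ingredients named above (input generation, a harness, and coverage feedback) and the "surface-level code" problem that motivates input specification extraction, shown as an added, self-contained example. This is illustrative code written for this page, not the project's tooling or any real fuzzer: the "MAT" matrix file format, its parser, the seed file, the byte-level and spec-aware mutators, and the 300-iteration budget are all constructed here. Byte-level mutation of a valid seed almost always trips one of the parser's structural checks (encoding, framing, header, numbers, shape, checksum), so it mostly exercises the rejection paths; the spec-aware mutator edits the decoded matrix and then re-derives the header and checksum, so every input it produces gets past those checks into the core computation.

```python
"""Added example (not the project's code): coverage-guided fuzzing of a parser
for a constructed structured format, byte-level vs. spec-aware mutation."""
import random, re, sys
from collections import Counter

# Constructed "MAT" format: "MAT <rows> <cols>\n", <rows> lines of <cols>
# space-separated integers, then "SUM <total>\n".  Every check is a surface
# exit; only fully consistent inputs reach the final ("deep") computation.
class RejectedInput(ValueError):
    pass

NUMBER = re.compile(r"-?\d+")

def to_int(tok):
    if not NUMBER.fullmatch(tok):
        raise RejectedInput("number")
    return int(tok)

def parse_mat(data):
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        raise RejectedInput("encoding")
    lines = text.split("\n")
    if len(lines) < 3 or lines[-1] != "":
        raise RejectedInput("framing")
    header = lines[0].split(" ")
    if len(header) != 3 or header[0] != "MAT":
        raise RejectedInput("header")
    rows, cols = to_int(header[1]), to_int(header[2])
    body = [[to_int(v) for v in line.split(" ")] for line in lines[1:-2]]
    if len(body) != rows or any(len(r) != cols for r in body):
        raise RejectedInput("shape")
    trailer = lines[-2].split(" ")
    if len(trailer) != 2 or trailer[0] != "SUM" or to_int(trailer[1]) != sum(map(sum, body)):
        raise RejectedInput("checksum")
    lo = min((min(r) for r in body), default=0)      # deep code starts here
    return [[v - lo for v in row] for row in body]

def classify(data):          # harness: run the target once and name the outcome
    try:
        parse_mat(data)
        return "deep"
    except RejectedInput as why:
        return f"reject:{why}"

def run_traced(data):        # feedback: which parse_mat lines one input executes
    lines, target = set(), parse_mat.__code__
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target:
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        outcome = classify(data)
    finally:
        sys.settrace(None)
    return outcome, lines

def mutate_bytes(data, rng):  # structure-blind: overwrite, insert or drop a byte
    buf, op = bytearray(data), rng.randrange(3)
    pos = rng.randrange(len(buf)) if buf else 0
    if op == 0 and buf:
        buf[pos] = rng.randrange(256)
    elif op == 1:
        buf.insert(pos, rng.randrange(256))
    elif buf:
        del buf[pos]
    return bytes(buf)

def serialize(cols, body):   # the "spec": header and checksum derived from body
    out = [f"MAT {len(body)} {cols}", *(" ".join(map(str, r)) for r in body),
           f"SUM {sum(map(sum, body))}"]
    return ("\n".join(out) + "\n").encode()

def mutate_spec(data, rng):  # spec-aware: edit the decoded model, re-serialize
    lines = data.decode().split("\n")            # corpus entries are valid MAT
    cols = int(lines[0].split(" ")[2])
    body = [[int(v) for v in l.split(" ")] for l in lines[1:-2]]
    op = rng.randrange(3)
    if op == 0 and body:
        body[rng.randrange(len(body))][rng.randrange(cols)] = rng.randint(-10**6, 10**6)
    elif op == 1:
        body.append([rng.randint(-9, 9) for _ in range(cols)])
    elif body:
        del body[rng.randrange(len(body))]
    return serialize(cols, body)

def fuzz(mutator, seed, iterations, rng_seed=1):
    """Coverage-guided loop: an input that executes a new line joins the corpus."""
    rng, corpus = random.Random(rng_seed), [seed]
    covered = run_traced(seed)[1]
    stats = {"outcomes": Counter(), "corpus_growth": 0}
    for _ in range(iterations):
        candidate = mutator(rng.choice(corpus), rng)
        outcome, lines = run_traced(candidate)
        stats["outcomes"][outcome] += 1
        if not lines <= covered:
            covered |= lines
            corpus.append(candidate)
            stats["corpus_growth"] += 1
    return stats

SEED = b"MAT 2 2\n1 2\n3 4\nSUM 10\n"             # constructed valid seed input
```

Calling `fuzz(mutate_bytes, SEED, 300)` and `fuzz(mutate_spec, SEED, 300)` and comparing `stats["outcomes"]` shows the asymmetry directly: the byte-level run spends its budget on the rejection paths, while every spec-aware input reaches the deep computation. Two caveats worth noticing. First, once every spec-aware input walks the same line path, line coverage stops discriminating and the corpus stops growing, so getting past the surface checks is necessary but a richer feedback signal (edges, values, comparison operands) is then needed to keep exploring. Second, `sys.settrace` only sees Python frames: any C or Fortran code reached through an extension module is invisible to it, which is exactly the cross-language instrumentation gap the first thrust above targets.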
