Internet-Wide Vulnerability Measurement, Assessment, and Notification
funded by the National Science Foundation
researchers: J. Alex Halderman (University of Michigan, Ann Arbor), Vern Paxson (ICSI, UC Berkeley), Michael Bailey
Vulnerable software costs the U.S. economy more than $180 billion a year, and large-scale, remotely exploitable vulnerabilities affecting millions of Internet hosts have become a regular occurrence. This project seeks to reduce the impact of software vulnerabilities in Internet-connected systems by developing data-driven techniques for vulnerability measurement, assessment, and notification. Recent advances in Internet-wide scanning make it possible to conduct network surveys of the full public IPv4 address space in minutes. These advances, in turn, offer the promise of truly effective community responses: when new vulnerabilities are announced, the Internet security community can comprehensively identify the systems that suffer from these vulnerabilities and automatically take steps to help affected system operators correct the problems.
In order to accomplish this vision, the project is addressing three interconnected classes of security research tasks.
- Developing new vulnerability measurement techniques that function at global scale, across heterogeneous network systems, and in a timely, accurate, complete, and ethical manner.
- Creating new vulnerability assessment methods that lower the barriers faced by researchers seeking to access and analyze vulnerability measurement data, in order to maximize security benefits.
- Exploring new notification mechanisms that achieve targeted and effective notification of affected organizations, and that can be delivered and acted upon quickly in response to the emergence of new threats.
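As an added illustration of the measurement, assessment, and notification pipeline that the three thrusts above describe (example code written for this page, not the project's own software), the script below takes banner-grabbing scan records, decides which hosts run an affected release, and groups them by network operator so each operator receives one notification. Everything in it is constructed: the product name ExampleHTTPd, the hypothetical advisory "fixed in 2.4.0", the scan records, the prefix-to-contact table, and the opt-out list. It handles the cases a real pipeline has to get right: versions are compared numerically (2.10.0 is newer than 2.4.0), a banner without a version is reported as unknown rather than as vulnerable, opted-out hosts are set aside before assessment, contacts are resolved by longest-prefix match, and hosts with no known contact are kept in a separate bucket rather than silently dropped.

```python
"""Added example, not part of the project page or its software: a toy
pipeline from Internet-wide scan records to per-operator notifications.
All names, addresses, the advisory and the scan records are constructed."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical advisory: ExampleHTTPd releases before 2.4.0 are affected.
ADVISORY = {"product": "ExampleHTTPd", "fixed_in": (2, 4, 0)}

# Constructed scan records, in the shape a banner-grabbing scanner emits.
SCAN_RECORDS = [
    {"ip": "198.51.100.10", "port": 80, "banner": "Server: ExampleHTTPd/2.3.1"},
    {"ip": "198.51.100.11", "port": 80, "banner": "Server: ExampleHTTPd/2.10.0"},
    {"ip": "198.51.100.12", "port": 80, "banner": "Server: ExampleHTTPd/2.4.0"},
    {"ip": "203.0.113.5", "port": 80, "banner": "Server: ExampleHTTPd/1.9.9"},
    {"ip": "203.0.113.6", "port": 80, "banner": "Server: OtherServer/5.0"},
    {"ip": "203.0.113.7", "port": 80, "banner": "Server: ExampleHTTPd"},
    {"ip": "203.0.113.8", "port": 80, "banner": "Server: ExampleHTTPd/2.1.0"},
    {"ip": "192.0.2.44", "port": 80, "banner": "Server: ExampleHTTPd/2.0.0"},
    {"ip": "192.0.2.200", "port": 80, "banner": "Server: ExampleHTTPd/2.2.0"},
    {"ip": "198.18.0.9", "port": 80, "banner": "Server: ExampleHTTPd/2.2.5"},
]

# Constructed WHOIS-style table: prefix -> abuse contact (hypothetical).
# 192.0.2.0/25 is a more specific allocation inside 192.0.2.0/24.
CONTACTS = {
    "198.51.100.0/24": "abuse@example-isp.test",
    "203.0.113.0/24": "noc@example-hosting.test",
    "192.0.2.0/24": "abuse@example-transit.test",
    "192.0.2.0/25": "security@example-univ.test",
}

# Constructed opt-out list: operators who asked to be excluded.
EXCLUDED = ["203.0.113.8/32"]

BANNER_RE = re.compile(r"ExampleHTTPd/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Version tuple from a banner, or None if no version is present.
    Tuples compare numerically, so (2, 10, 0) > (2, 4, 0) as intended."""
    m = BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(banner):
    """True only when a version was parsed and is below the fixed release."""
    v = parse_version(banner)
    return v is not None and v < ADVISORY["fixed_in"]


def is_excluded(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in EXCLUDED)


def contact_for(ip):
    """Longest-prefix match of ip against CONTACTS; None when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, contact in CONTACTS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def assess(records):
    """Measurement and assessment: sort each record into affected,
    not_affected, unknown (product seen but no version) or excluded."""
    out = {"affected": [], "not_affected": [], "unknown": [], "excluded": []}
    for r in records:
        if is_excluded(r["ip"]):
            out["excluded"].append(r["ip"])
        elif ADVISORY["product"] not in r["banner"]:
            out["not_affected"].append(r["ip"])
        elif parse_version(r["banner"]) is None:
            out["unknown"].append(r["ip"])
        elif is_affected(r["banner"]):
            out["affected"].append(r["ip"])
        else:
            out["not_affected"].append(r["ip"])
    return out


def build_notifications(affected_ips):
    """Group affected hosts by abuse contact, one batch per operator.
    Hosts with no known contact go to UNROUTABLE so they are not lost."""
    batches = defaultdict(list)
    for ip in affected_ips:
        batches[contact_for(ip) or "UNROUTABLE"].append(ip)
    return dict(batches)


if __name__ == "__main__":
    result = assess(SCAN_RECORDS)
    print("affected:", result["affected"], "unknown:", result["unknown"])
    for contact, hosts in build_notifications(result["affected"]).items():
        print(f"{contact}: {len(hosts)} host(s) {hosts}")
```

The UNROUTABLE bucket and the unknown list are the two figures a notification study has to report alongside the raw count: hosts that cannot be mapped to an operator cannot be notified, and hosts whose version cannot be read cannot be assessed, so both cap the reach of any campaign regardless of how fast the scan itself was.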
As an intellectual challenge, these thrusts represent a unique opportunity to explore the trustworthiness of large, heterogeneous, networked distributed systems. More broadly, the project seeks to directly impact the availability and reliability of the Internet and provide the security community with tools, platforms, and comprehensive vulnerability measurement data.