Project description DEENESFRITPL Removing malicious data to protect software Effective protection represents a major concern for systems software and considerable efforts have been made to find a solution. However, it is estimated that every month approximately 60 security bugs are detected. This is because systems software is vulnerable to low level bugs from undefined behaviour. The EU-funded CodeSan project proposes an inclusive method that ameliorates code quality. Code sanitisation software offers automatic bug detection during development and protects established software through reflective alleviations. CodeSan is an enthralling, inclusive and flexible method to efficiently manage undefined behaviour for complex software systems. It can reliably defend large software systems such as Google Chromium and Mozilla Firefox. Show the project objective Hide the project objective Objective Despite massive efforts in securing software, about 60 security bugs are publicly reported each month. Systems software is prone to low level bugs caused by undefined behavior (memory corruption, type confusion, or API confusion). Exploits abuse undefined behavior to execute attacker specified code, or to leak information. We propose code sanitization (CodeSan), a comprehensive approach to improve code quality. CodeSan will sanitize software by (i) automating bug discovery during development through software testing and (ii) protecting deployed software through reflective mitigations. CodeSan trades formal completeness for practical scalability in three steps: First, policy-based sanitization makes undefined behavior (through violations of memory safety, type safety, or API flow safety) explicit and detectable given concrete test inputs. Second, automatic test case generation increases testing coverage for large programs without the need for pre-existing test cases, enabling broader and automated use of policy-based sanitization. Third, for deployed software, reflective mitigations place runtime checks precisely where they are needed based on data-flow and control-flow coverage from our testing efforts. CodeSan complements formal approaches by protecting software that is currently out of reach due to its size, complexity, or low level nature.CodeSan is a compelling, comprehensive, and adaptive approach to thoroughly address undefined behavior for complex software. The three proposed thrusts complement each other naturally and will immediately guard large software systems such as Google Chromium, Mozilla Firefox, the Android system, or the Linux kernel, making them resilient against attacks.In line with PI Payer’s track record on open sourcing his group’s research artifacts on cast sanitization, transformative fuzzing, or control-flow hijacking mitigations, all prototypes produced during CodeSan will be released as open-source. Fields of science natural scienceschemical sciencesinorganic chemistrytransition metalsnatural sciencescomputer and information sciencessoftwaresoftware applicationssystem softwaresocial sciencessociologysocial issuescorruption Programme(s) H2020-EU.1.1. - EXCELLENT SCIENCE - European Research Council (ERC) Main Programme Topic(s) ERC-2019-STG - ERC Starting Grant Call for proposal ERC-2019-STG See other projects for this call Funding Scheme ERC-STG - Starting Grant Coordinator ECOLE POLYTECHNIQUE FEDERALE DE LAUSANNE Net EU contribution € 1 499 970,00 Address Batiment ce 3316 station 1 1015 Lausanne Switzerland See on map Region Schweiz/Suisse/Svizzera Région lémanique Vaud Activity type Higher or Secondary Education Establishments Links Contact the organisation Opens in new window Website Opens in new window Participation in EU R&I programmes Opens in new window HORIZON collaboration network Opens in new window Other funding € 0,00 Beneficiaries (1) Sort alphabetically Sort by Net EU contribution Expand all Collapse all ECOLE POLYTECHNIQUE FEDERALE DE LAUSANNE Switzerland Net EU contribution € 1 499 970,00 Address Batiment ce 3316 station 1 1015 Lausanne See on map Region Schweiz/Suisse/Svizzera Région lémanique Vaud Activity type Higher or Secondary Education Establishments Links Contact the organisation Opens in new window Website Opens in new window Participation in EU R&I programmes Opens in new window HORIZON collaboration network Opens in new window Other funding € 0,00