Newswise — The National Science Foundation (NSF) has selected an NYU Tandon School of Engineering researcher who is developing better ways to assess vulnerability discovery tools – thus allowing cybersecurity professionals to better understand what techniques are most effective and ultimately leading to safer software – to receive its most prestigious award for promising young academics.
Brendan Dolan-Gavitt, an assistant professor in the Department of Computer Science and Engineering and a faculty member of NYU’s Center for Cybersecurity, received a 2022 NSF Faculty Early Career Development Award, more widely known as a CAREER Award, which supports early-career faculty who have the potential to serve as academic role models in research and education.
A five-year, $500,000 grant will support a project that aims to create techniques for automatically generating benchmark corpora of software vulnerabilities that can be used to rigorously assess newly developed and existing tools used to root out dangerous programming bugs.
Software vulnerabilities pose a major threat to the safety and security of computer systems, and while there is a large body of research on how to find vulnerabilities in programs, the large, empirically tested corpora of vulnerabilities required to rigorously test that research are difficult and expensive to assemble.
Although researchers have discovered ways to automatically generate vulnerabilities and inject them into software, the vulnerabilities created that way are unrealistic (they contain artifacts that make them easier to discover than real vulnerabilities inadvertently created by human programmers) and not varied enough.
Dolan-Gavitt intends to address those shortcomings by employing large language models trained on code to synthesize vulnerabilities that are both realistic and diverse, placing vulnerabilities in hard-to-discover paths, allowing new vulnerability classes to be added quickly with a customized domain-specific language, and automatically generating exploits for each vulnerability. The end result will be a limitless supply of highly realistic vulnerability corpora that can be generated cheaply, at scale, and on demand, giving researchers valuable benchmarks for measuring the efficacy of their cybersecurity tools.
In addition to his work’s benefit to cybersecurity researchers and industry professionals, it is also expected to be a boon to educators. Since joining NYU Tandon in 2015, Dolan-Gavitt has been involved in CSAW, the most comprehensive student-run cybersecurity event in the world, and among the most popular offerings at the annual event is a “capture the flag” competition that challenges students to find vulnerabilities in a software program. “These types of competitions are an extremely popular and effective means of teaching a variety of cybersecurity skills, but they require large amounts of time, money, and expertise to create and manage,” he explains. “If the creation of the challenges can be partially or wholly automated, it could bring new educational opportunities within reach of a broader and more diverse population of students by dramatically lowering costs and reducing the time and effort needed.”
“Brendan Dolan-Gavitt is helping place the field of vulnerability finding on solid scientific footing, allowing for repeatable and reproducible experiments and facilitating comparative evaluations of the cyber tools meant to protect us,” said NYU Tandon Dean Jelena Kovačević. “His work has the potential to make a major impact on cybersecurity education, broadening access and helping to build the next generation of security researchers. We’re proud that his techniques will be employed right here in our own cybersecurity courses and at CSAW and pleased that the NSF has chosen him to receive this much-deserved CAREER Award.”
Dolan-Gavitt joins the more than 50% of NYU Tandon’s junior engineering faculty members who hold CAREER Awards or similar young-investigator honors, including 10 since 2019 alone.
His award reflects the NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.