
NSF Org: | CNS Division Of Computer and Network Systems |
Recipient: | |
Initial Amendment Date: | August 8, 2011 |
Latest Amendment Date: | August 8, 2011 |
Award Number: | 1117167 |
Award Instrument: | Standard Grant |
Program Manager: | Sol Greenspan, sgreensp@nsf.gov, (703)292-7841, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | October 1, 2011 |
End Date: | September 30, 2014 (Estimated) |
Total Intended Award Amount: | $199,994.00 |
Total Awarded Amount to Date: | $199,994.00 |
Funds Obligated to Date: | |
History of Investigator: | |
Recipient Sponsored Research Office: | 926 DALNEY ST NW ATLANTA GA US 30318-6395 (404)894-4819 |
Sponsor Congressional District: | |
Primary Place of Performance: | 225 NORTH AVE NW ATLANTA GA US 30332-0002 |
Primary Place of Performance Congressional District: | |
Unique Entity Identifier (UEI): | |
Parent UEI: | |
NSF Program(s): | TRUSTWORTHY COMPUTING |
Primary Program Source: | |
Program Reference Code(s): | |
Program Element Code(s): | |
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Web applications are an increasingly important part of many aspects of society, from social interactions to business transactions. Hence, security of web applications is an extremely important and urgent problem. Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a typical target for attackers. In particular, attacks that target input validation vulnerabilities are extremely common and effective. Some of these attacks exploit well-known vulnerabilities, such as cross-site scripting and SQL injection, whereas others exploit application-specific vulnerabilities that are hard to identify because they depend on the particular input validation logic of the target application. In general, these attacks exploit erroneous or insufficient input validation and sanitization to inject malicious data that can result in execution of harmful commands and access to sensitive information.
This research aims to identify and mitigate these vulnerabilities in web applications by performing automatic checking of input validation and sanitization operations. The key insight for this work comes from the observation that developers often introduce redundant checks in both the front-end (client) and the back-end (server) components of a web application. Client-side checks are fast and can improve performance and responsiveness of the application, but can be easily circumvented; server-side checks are hard to circumvent, but require network round-trips and additional server-side processing. Our intuition is that the checks performed at the client and server sides should enforce the same set of constraints on the inputs: if client-side checks are more restrictive, the server may accept inputs that legitimate clients can never produce, as malicious users can easily bypass client-side checks. Conversely, if server-side checks are more restrictive, the client may produce requests that are subsequently rejected by the server, which is not ideal from a performance point of view. This research will develop new techniques based on program analysis, string analysis, and code synthesis that can identify, map, model, and compare the set of checks performed on the client and server sides. These techniques will be able to identify and report inconsistencies between the two sets of checks and (semi)automatically extend the checks to eliminate such inconsistencies. By making web applications more secure and efficient, this research has the potential to benefit the increasingly large part of society that relies on web applications for its daily activities.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Web applications are an increasingly prominent part of many aspects of everybody's life, from social interactions to business transactions. Hence, security and reliability of web applications are of fundamental importance today. Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a typical target for attackers. In particular, attacks that target input validation vulnerabilities are extremely common and effective. Some of these attacks exploit well-known vulnerabilities, such as cross-site scripting and SQL injection, whereas some others exploit application-specific vulnerabilities that are hard to identify because they depend on the particular input validation logic of the target application. In many cases, these attacks exploit erroneous or insufficient input validation and sanitization to inject malicious data that can result in execution of harmful commands and access to sensitive information.
The overall goal of this project was to identify and mitigate these vulnerabilities in web applications by performing automatic checking of input validation and sanitization operations. To accomplish this goal, during the lifetime of the project, we developed new techniques based on program analysis, string analysis, and code synthesis for identifying, understanding, and possibly repairing web application vulnerabilities. In addition, we also developed techniques for addressing another family of issues that affect web applications, that is, cross-browser and cross-platform incompatibilities, which can cause serious reliability and usability problems for such applications. In the rest of this report, we summarize some of the main results achieved within the project in terms of intellectual merit and broader impact of the research.
Differential String Analysis for Discovering Client- and Server-Side Input Validation Inconsistencies: In web applications, it is not uncommon for developers to perform either faulty or incomplete input checks, which can leave the web application susceptible to input validation vulnerabilities, such as cross-site scripting, which are among the most common and dangerous attacks for web applications. To address these vulnerabilities, we defined ViewPoints, a novel approach for automatically identifying input validation issues in web applications. ViewPoints is based on the key insight that developers often introduce redundant checks both in the front-end (client) and the back-end (server) component of a web application. Based on this insight, ViewPoints compares the checks performed at the client and server sides against each other, identifies inconsistencies that indicate possible input validation vulnerabilities, and reports such inconsistencies to the user.
Differential Automated Repair: In addition to identifying inconsistencies between input validation at the client and server sides, we also developed techniques for automatically generating additional validation code that can be added to the server and/or the client to make their checks consistent. By doing so, such code can increase both the security of the web application, when it strengthens server-side input validation, and also its responsiveness, when it strengthens client-side input validation. When used on a set of real-world web applications, our repair technique was able to automatically generate repairs for real issues in the applications, thus demonstrating the practical viability of the approach.
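The client/server comparison and the two repair directions described in the two paragraphs above, as an added illustration that is not the ViewPoints implementation (which works on string automata rather than probe inputs); the validators, probe strings and function names are constructed for this example:

```javascript
// Added example: differential comparison of a front-end and a back-end
// check for one form field, plus the simplest synthesized repair.
// Everything below is constructed; it is not code from the project.

// Hypothetical client-side check for a "username" field: 3 to 16 chars,
// lowercase letter first, then letters, digits or underscore.
const clientAccepts = (s) => /^[a-z][a-z0-9_]{2,15}$/.test(s);

// Hypothetical server-side check for the same field: only bounds the
// length (3 to 12), so it admits characters the client never forwards
// and rejects some lengths the client allows.
const serverAccepts = (s) =>
  typeof s === "string" && s.length >= 3 && s.length <= 12;

// Classify each probe by which side accepts it. Inputs the server accepts
// but the client rejects are the security-relevant finding: a legitimate
// client never sends them, a hand-crafted request can. Inputs the client
// accepts but the server rejects cost a wasted round-trip.
function compareChecks(client, server, probes) {
  const report = { securityGap: [], performanceGap: [], consistent: 0 };
  for (const input of probes) {
    const c = client(input), s = server(input);
    if (c === s) report.consistent += 1;
    else if (s && !c) report.securityGap.push(input);
    else report.performanceGap.push(input);
  }
  return report;
}

// Repair by strengthening one side with the other's constraint; the
// conjunction is the simplest check one could synthesize. Applied to the
// server it closes the security gap, applied to both it makes the
// accepted sets identical.
const strengthen = (check, withCheck) => (s) => check(s) && withCheck(s);

// Constructed probe set, including strings a browser form would never submit.
const PROBES = [
  "alice", "bob_99", "ab",          // both agree (accept, accept, reject)
  "<b>x</b>", "o'hara--",           // server accepts, client rejects
  "Admin", "a b c",                 // uppercase / whitespace: same
  "longusername_123",               // 16 chars: client accepts, server rejects
];

function runDemo() {
  const serverFixed = strengthen(serverAccepts, clientAccepts);
  const clientFixed = strengthen(clientAccepts, serverAccepts);
  return {
    before: compareChecks(clientAccepts, serverAccepts, PROBES),
    serverFixed: compareChecks(clientAccepts, serverFixed, PROBES),
    bothFixed: compareChecks(clientFixed, serverFixed, PROBES),
  };
}
```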
Differential Analysis to Detect Cross-Browser and Cross-Platform Inconsistencies: In addition to input validation vulnerabilities, another issue with web applications is that they are susceptible to cross-browser and cross-platform incompatibilities. The former are discrepancies between a web application's appearance, behavior, or both, when the application is run on two different environments. The latter affects ...