
CAREER: Next Generation Black-Box Web Application Vulnerability Analysis

Award amount: $416,585 | Fiscal year: FY2017 | Program: CSE | Agency: NSF

Arizona State University, Scottsdale AZ

Abstract

Recent breaches of sensitive data are caused by overlooked vulnerabilities in web applications. To secure their web applications, companies typically hire professional hackers to break into them. While this process finds vulnerabilities, it is costly and does not scale. Black-box vulnerability scanners attempt to automate this process. By treating the web application as a black box (with no knowledge of the application's source code), these tools can discover unknown vulnerabilities. Traditionally, these tools work by crawling the web application, identifying input vectors, and then injecting malicious input. However, despite being sold commercially for tens of thousands of dollars, the PI has shown that they are ineffective. This project aims to create a novel and effective black-box vulnerability analysis framework that finds unknown vulnerabilities in any web application. The PI proposes a novel technique called inductive reverse engineering which, using recent advances in inductive programming, can automatically reverse engineer an abstraction of the web application's source code. The tool will then apply static analysis techniques to the abstraction of the reverse-engineered code to discover potential vulnerabilities. The goal of this project is to advance the state of the art in black-box vulnerability analysis tools. All tools and techniques will be open-sourced so that researchers and industry can benefit. Use of the tool on real-world software will result in more vulnerabilities being found and fixed, thus improving software security as a whole. In addition, the PI will create and lead hands-on workshops that allow all CS students to study and exploit vulnerabilities, as well as understand the ethical considerations. The education modules and the software infrastructure they require will be released.
