Candidate Talk: Techniques and Tools for Engineering Secure Web Applications

  • Gary Wassermann | University of California, Davis

Web applications enable much of today’s online business including banking,
shopping, university admissions, and various governmental activities.
Anyone with a web browser can access them, and the data they manage
typically has significant value both to the users and to the service
providers. Cross-site scripting (XSS) and SQL injection are classes of
attacks in which an attacker interacts with a client or database,
respectively, through vulnerabilities in the server thereby gaining the
trust level of the server. These classes of attacks are pervasive:
since 2005, they have been the most frequently reported classes
of vulnerabilities. These vulnerabilities arise because web applications’
layers (client, server, and database) communicate via unstructured strings,
and validating untrusted input for use in these commands is error-prone and
introduces a challenging software engineering problem.

In this talk, I will present a general characterization of these classes of
input validation-based errors and a set of dynamic and static techniques to
detect and prevent XSS and SQL injection attacks. Programmers usually do
not specify their intentions explicitly regarding SQL query construction,
but I will show how we can use principled techniques to characterize
programmer intentions. We can then prevent attack queries from being sent
to the database with a low-overhead, runtime check that precisely
distinguishes legitimate queries from attacks. In order to help find bugs
early in the software development process, I also pursued static analysis,
and I will describe a sound and precise analysis that scales to large,
real-world web applications and found known and unknown SQL injection
vulnerabilities. I will further present how we extended this static
analysis to the related but more difficult problem of XSS. I will conclude
this talk by discussing future challenges in this domain.

Speaker Details

Gary Wassermann is a Ph.D. candidate in Computer Science at UC Davis, where he specializes in software engineering and programming languages. His current research focuses on software reliability and security. He received his B.S. in Computer Science also from UC Davis. Gary is a recipient of the GAANN fellowship.

Watch Next