ECE PhD Prospectus Defense- Rasoul Jahanshahi

3:00 pm on Friday, May 15, 2020
5:00 pm on Friday, May 15, 2020

Title: Improving the Security of Web Applications with Fuzzing and Runtime Defenses

Advisor: Professor Manuel Egele, ECE

Chair: Professor David Starobinski, ECE

Committee: Professor Gianluca Stringhini, ECE

Abstract: The growing number of users for web-based services, such as social networks, news, online stores, and financial services, makes these services an appealing source of sensitive information for the attackers. In 2018, one in ten requests was identified as a malicious request, which increased by 56% compared to the prior year [1]. Furthermore, based on an Imperva report [2], the number of discovered vulnerabilities in web apps increased by 17.6% in 2019 compared to 2018. Despite 20,362 discovered vulnerabilities in web apps in 2019 [2], current defenses rely on incomplete detection of vulnerable code or incomplete definitions of injection attacks, which leave web apps vulnerable. With the increasing involvement of users on the Internet and the amount of sensitive data that web-based services hold, web attacks will undoubtably continue to increase. This prospectus tackles the vulnerabilities of web apps by investigating two research areas: 1) Protecting vulnerable web apps using runtime defenses and 2) Identify vulnerabilities in web apps.

As my first contribution, I focus on runtime defense mechanisms to detect remote code execution attacks on PHP web apps by enforcing a customized system-call whitelist. I propose a novel generic approach to derive system-call policies automatically for the web apps, which reduces the attack surface that an exploit can leverage for malicious activity. Toward the same research objective, I improve the detection of SQL injection attacks as compared to prior works [3, 4, 5, 6] by building and enforcing a profile of benign queries. As part of my future work in this research area, I propose a defense mechanism for the PHP interpreter to confine the execution environment of third-party plugins of web apps. The second thrust of my research is to design an automated testing mechanism for web apps. Fuzzing is a popular approach in both academia and industry for discovering vulnerabilities in applications with high effectiveness [7]. As part of my future work, I plan to implement a _6;fuzzer that aims to evaluate the functionality of each method in the source code of a web app to discover type juggling vulnerabilities. These advances will bring us closer to safeguarding web apps from the attackers.