Research Summary
Developing secure web applications is a difficult task even for expert programmers. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks as well as other less common vulnerabilities. In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Unfortunately, existing techniques either require effort from the site developer or are prone to false positives.
The PHPrevent project seeks to provide a fully automated approach to securely hardening web applications. It is based on enhancing traditional taint mode analysis by precisely tracking the taintedness of data and checking for dangerous content only in those parts of commands and output that came from untrustworthy sources. Unlike previous work, in which everything derived from tainted input is tainted, our approach precisely tracks taintedness within data values. This enables us to precisely check and filter for malicious inputs and dramatically reduce the rate of false positives.
While the concept of precise tainting is applicable to many environments, we have chosen to focus on PHP due to its growing market acceptance (PHP is currently installed on 50% of all Apache servers).
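The following is an added illustration of the idea described above, not PHPrevent's own code: a hypothetical, simplified model in which each character of a string carries its own taint bit, so a check for SQL metacharacters applies only to the characters that came from untrusted input, while a coarse per-value taint check flags the developer's own quotes as well (the false positives the summary refers to). The quote-only policy, the `TStr` type and the `build_query` template are assumptions for the example.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of precise tainting (not PHPrevent's code):
# every character carries its own taint bit instead of one bit per value.

@dataclass(frozen=True)
class TStr:
    text: str
    taint: tuple  # one bool per character, True = came from an untrusted source

    @staticmethod
    def trusted(s):
        return TStr(s, tuple(False for _ in s))

    @staticmethod
    def untrusted(s):
        return TStr(s, tuple(True for _ in s))

    def __add__(self, other):  # concatenation keeps per-character taint
        return TStr(self.text + other.text, self.taint + other.taint)

SQL_META = {"'", '"'}  # assumed policy: quotes from untrusted data are dangerous

def precise_check(q):
    """Unescaped quotes that originated from untrusted input, as (index, char)."""
    return [(i, c) for i, (c, t) in enumerate(zip(q.text, q.taint))
            if t and c in SQL_META and not (i > 0 and q.text[i - 1] == "\\")]

def coarse_check(q):
    """Traditional taint mode: if any part is tainted, every quote in the command is suspect."""
    if not any(q.taint):
        return []
    return [(i, c) for i, c in enumerate(q.text) if c in SQL_META]

def escape_tainted(q):
    """Filter only the untrusted characters: MySQL-style backslash before tainted quotes."""
    out, taint = [], []
    for c, t in zip(q.text, q.taint):
        if t and c in SQL_META:
            out.append("\\")
            taint.append(True)
        out.append(c)
        taint.append(t)
    return TStr("".join(out), tuple(taint))

def build_query(user_name):
    """Constructed sample: developer-written SQL template around one untrusted value."""
    return (TStr.trusted("SELECT * FROM users WHERE name = '")
            + TStr.untrusted(user_name) + TStr.trusted("'"))
```

For a legitimate name such as `O'Brien`, the precise check flags only the apostrophe that came from the user, and escaping touches only that character, leaving the template's own quotes untouched.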
People
Principal Investigators:
David Evans (University of Virginia)
Anh Nguyen-Tuong (University of Virginia)
Students:
Salvatore Guarnieri
Jeffrey Shirley
Doug Greene
Papers
Automatically Hardening Web Applications Using Precise Tainting
Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans.
Twentieth IFIP International Information Security Conference (SEC 2005). 30 May - 1 June 2005, Chiba, Japan. (PDF, 12 pages)
Talks
Automatically Hardening Web Applications Using Precise Tainting [PPT]
(Salvatore Guarnieri). IFIP Security 2005, Chiba, Japan. June 1, 2005.
Related Projects by the PIs
Genesis: Security through Diversity
Dependability Research Group
IPA — Inexpensive Program Analysis
Physicrypt — Physical Cryptography and Security Group
Swarm Computing