Selected Publications

The publications selected highlight my research interests, ranging from large-scale grid systems to security.

Automatically Hardening Web Applications Using Precise Tainting

Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans

Most web applications contain security vulnerabilities. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks as well as other less common vulnerabilities. In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Existing techniques either require effort from the site developer or are prone to false positives. This paper presents a fully automated approach to securely hardening web applications. It is based on precisely tracking taintedness of data and checking specifically for dangerous content only in parts of commands and output that came from untrustworthy sources. Unlike previous work in which everything that is derived from tainted input is tainted, our approach precisely tracks taintedness within data values.
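To make the "precise tainting" idea concrete, here is an added illustration (not code from the paper): each character of a string carries its own taint flag, concatenation preserves those flags, and a SQL sink is checked for metacharacters only at tainted positions. A whole-value check is shown beside it so the false-positive problem the abstract mentions is visible. The query template, the names and the metacharacter set are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed metacharacter set for the example sink: a quote, statement
# terminator or comment dash must not originate from an untrusted source.
SQL_META = frozenset("';\"-")


@dataclass(frozen=True)
class TaintedStr:
    """A string plus one taint flag per character (True = from untrusted input)."""
    text: str
    taint: Tuple[bool, ...]

    @classmethod
    def trusted(cls, s: str) -> "TaintedStr":
        return cls(s, (False,) * len(s))

    @classmethod
    def untrusted(cls, s: str) -> "TaintedStr":
        return cls(s, (True,) * len(s))

    def __add__(self, other: "TaintedStr") -> "TaintedStr":
        # Concatenation keeps taint attached to exactly the characters it came from.
        return TaintedStr(self.text + other.text, self.taint + other.taint)


def precise_sql_check(cmd: TaintedStr) -> List[int]:
    """Indexes of SQL metacharacters that sit at tainted positions only."""
    return [i for i, (c, t) in enumerate(zip(cmd.text, cmd.taint)) if t and c in SQL_META]


def coarse_sql_check(cmd: TaintedStr) -> List[int]:
    """Whole-value tainting: if any character is tainted, every character is suspect."""
    if not any(cmd.taint):
        return []
    return [i for i, c in enumerate(cmd.text) if c in SQL_META]


def build_query(name: str) -> TaintedStr:
    # Constructed example: the developer's template is trusted, the name is request input.
    return (TaintedStr.trusted("SELECT * FROM users WHERE name = '")
            + TaintedStr.untrusted(name)
            + TaintedStr.trusted("'"))


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        q = build_query(name)
        print(q.text, "| precise:", precise_sql_check(q), "| coarse:", coarse_sql_check(q))
```

For "alice" the precise check reports nothing while the coarse check flags the developer's own two quotes; for "o'brien" the precise check flags only the quote that came from the request, which is exactly the character the hardening must escape or reject.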

From Legion to Avaki: The Persistence of Vision

Andrew S. Grimshaw, Anand Natrajan, Marty A. Humphrey, Michael J. Lewis, Anh Nguyen-Tuong, John F. Karpovich, Mark M. Morgan, Adam J. Ferrari

Grids have metamorphosed from academic projects to commercial ventures. Avaki, a leading commercial vendor of Grids, has its roots in Legion, a Grid project at the University of Virginia begun in 1993. In this chapter, we present fundamental challenges and requirements for Grid architectures that we believe are universal, our architectural philosophy in addressing those requirements, an overview of Legion as used in production systems, and a synopsis of the Legion architecture and implementation. We also describe the history of the transformation from Legion, an academic research project, to Avaki, a commercially supported, marketed product. Several of the design principles, as well as the vision underlying Legion, have continued to be employed in Avaki. As a product sold to customers, Avaki has been made more robust, more easily manageable and easier to configure than Legion, at the expense of eliminating some features and tools that are of less immediate use to customers. Finally, we place Legion in the context of OGSI, a standards effort underway in the Global Grid Forum.

N-variant systems: A secretless framework for security through diversity

Benjamin Cox, David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-Tuong, and Jason Hiser

We present an architectural framework for systematically using automated diversity to provide high assurance detection and disruption for large classes of attacks. The framework executes a set of automatically diversified variants on the same inputs, and monitors their behavior to detect divergences. The benefit of this approach is that it requires an attacker to simultaneously compromise all system variants with the same input. By constructing variants with disjoint exploitation sets, we can make it impossible to carry out large classes of important attacks. In contrast to previous approaches that use automated diversity for security, our approach does not rely on keeping any secrets. In this paper, we introduce the N-variant systems framework, present a model for analyzing security properties of N-variant systems, define variations that can be used to detect attacks that involve referencing absolute memory addresses and executing injected code, and describe and present performance results from a prototype implementation.

For a full list of publications with their citation count, see my profile on Google Scholar.