Automatically Hardening Web Applications


Research Summary

Developing secure web applications is difficult even for expert programmers. The simplest and most natural ways of building a web application are prone to SQL injection and cross-site scripting (XSS) attacks, as well as to other less common vulnerabilities. In response, many tools have been developed to detect or mitigate common web application vulnerabilities. Unfortunately, existing techniques either require effort from the site developer or are prone to false positives.

The PHPrevent project seeks to provide a fully automated approach to hardening web applications. It enhances traditional taint-mode analysis by tracking taintedness precisely and by checking for dangerous content only in those parts of commands and output that came from untrustworthy sources. Unlike previous work, in which everything derived from tainted input is treated as tainted, our approach tracks taintedness within data values, so a SQL query or an HTML page is tainted only in the characters that actually originated from untrusted input. This lets us check and filter malicious inputs precisely and dramatically reduce the rate of false positives.

While the concept of precise tainting applies to many environments, we have chosen to focus on PHP because of its growing market acceptance (PHP is currently installed on 50% of all Apache servers).
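As an added illustration of the precise-tainting idea, the toy model below is written for this page and is not PHPrevent's code: PHPrevent instruments the PHP interpreter, whereas this stand-alone Python model only shows the bookkeeping. Every character carries its own taint bit, concatenation keeps the bits aligned with the characters, and the SQL and HTML sinks check or filter only the tainted characters. A traditional whole-value taint check is included for comparison so the false positive it produces on a harmless query is visible. The `TStr` type, the sink checks (`precise_sql_check`, `coarse_sql_check`, `sql_filter`, `html_filter`) and the sample query and page fragment are all assumptions made for the example.

```python
"""Toy model of precise (per-character) tainting. Added example, not PHPrevent's code."""
from dataclasses import dataclass
from typing import Tuple

HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


@dataclass(frozen=True)
class TStr:
    """A string plus one taint bit per character (hypothetical type for this example)."""
    text: str
    taint: Tuple[bool, ...]

    def __post_init__(self) -> None:
        assert len(self.text) == len(self.taint), "taint bits must align with characters"

    @classmethod
    def trusted(cls, s: str) -> "TStr":       # program constants, templates, query text
        return cls(s, (False,) * len(s))

    @classmethod
    def untrusted(cls, s: str) -> "TStr":     # request parameters, cookies, ...
        return cls(s, (True,) * len(s))

    def __add__(self, other: "TStr") -> "TStr":
        # Traditional taint mode would mark the whole result tainted; here each
        # character keeps the bit it arrived with.
        return TStr(self.text + other.text, self.taint + other.taint)

    def any_tainted(self) -> bool:
        return any(self.taint)


def precise_sql_check(q: TStr) -> bool:
    """True if no tainted character would be parsed as SQL syntax.

    Tainted characters may appear as data inside a single-quoted literal
    (including the doubled-quote escape '') or as digits in a numeric position.
    A tainted quote that opens or closes a literal, or tainted non-digit text
    outside a literal, changes the structure of the query and is rejected.
    """
    i, n, inside = 0, len(q.text), False
    while i < n:
        ch, tainted = q.text[i], q.taint[i]
        if ch == "'" and inside and i + 1 < n and q.text[i + 1] == "'":
            i += 2                      # '' inside a literal is an escaped quote: plain data
            continue
        if ch == "'":
            if tainted:                 # untrusted quote delimiting a literal
                return False
            inside = not inside
        elif tainted and not inside and not ch.isdigit():
            return False                # untrusted text in a syntactic position
        i += 1
    return True


def coarse_sql_check(q: TStr) -> bool:
    """Traditional taint mode for comparison: if any input reached the query the
    whole value is tainted, so the query's own keywords and quotes count as
    dangerous content and a perfectly safe query is rejected (a false positive)."""
    return (not q.any_tainted()) or precise_sql_check(TStr.untrusted(q.text))


def sql_filter(q: TStr) -> TStr:
    """Double only the tainted quotes; the query's own delimiters are left alone."""
    text, taint = [], []
    for ch, tainted in zip(q.text, q.taint):
        if tainted and ch == "'":
            text.append("''")
            taint.extend((True, True))
        else:
            text.append(ch)
            taint.append(tainted)
    return TStr("".join(text), tuple(taint))


def html_filter(page: TStr) -> str:
    """Escape HTML metacharacters only where they are tainted, so the page's own
    markup survives while untrusted markup is neutralised."""
    return "".join(HTML_ESCAPES.get(ch, ch) if tainted else ch
                   for ch, tainted in zip(page.text, page.taint))


def build_query(name: str) -> TStr:
    """Constructed sample: a lookup whose only untrusted part is the name."""
    return (TStr.trusted("SELECT * FROM users WHERE name = '")
            + TStr.untrusted(name) + TStr.trusted("'"))


if __name__ == "__main__":
    benign = build_query("alice")
    print("precise:", precise_sql_check(benign), "coarse:", coarse_sql_check(benign))
    print("attack rejected:", not precise_sql_check(build_query("x' OR '1'='1")))
    print("filtered:", sql_filter(build_query("O'Brien")).text)
    page = (TStr.trusted("<b>Hello, ") + TStr.untrusted("<script>alert(1)</script>")
            + TStr.trusted("</b>"))
    print(html_filter(page))
```

Run directly, the script shows the four cases side by side: the benign lookup passes the precise check but fails the coarse one, `x' OR '1'='1` is rejected because its quote is tainted, `O'Brien` becomes `'O''Brien'` after filtering only the tainted quote, and the page's own `<b>` tags survive while the untrusted `<script>` is escaped.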


Principal Investigators:
David Evans (University of Virginia)
Anh Nguyen-Tuong (University of Virginia)

Salvatore Guarnieri
Jeffrey Shirley
Doug Greene


Automatically Hardening Web Applications Using Precise Tainting
Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans.
Twentieth IFIP International Information Security Conference (SEC 2005).
30 May - 1 June 2005, Chiba, Japan. (PDF, 12 pages)


Automatically Hardening Web Applications Using Precise Tainting [PPT]
(Salvatore Guarnieri). IFIP Security 2005, Chiba, Japan. June 1 2005.

Related Projects by the PIs

Genesis: Security through Diversity
Dependability Research Group
IPA — Inexpensive Program Analysis
Physicrypt — Physical Cryptography and Security Group
Swarm Computing

University of Virginia
Department of Computer Science
Dependability Research Group
Anh Nguyen-Tuong