CAREER: A Framework for Preventing Web-based Attacks

职业：防止基于 Web 的攻击的框架

• 批准号: 0845894
• 负责人: Venkat Venkatakrishnan
• 金额: $ 40.5万
• 依托单位: University of Illinois at Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-01 至 2014-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0845894&HistoricalAwards=false
• 关键词: CAREER; Framework; Preventing; Web; based

This award is funded under the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).The World Wide Web is a critical infrastructure that serves our societyby facilitating information exchange, business andeducation. As it continues to evolve, the number of web-basedattacks that target innocent web users keeps increasing. Examples of such attacks include Cross-site Scripting, SQL Injectionand Cross-site Request Forgery. Recent attacks on end-users andonline enterprises through these virulent attacks have resulted inwidespread damage. Defending these attacks is therefore of very important concern to Internet economy and to society-at-large. This project develops a comprehensive plan for defending web applications from these attacks. The technical contributions of this project are in the development of thetechnologies that elicit the intended behavior of a web applicationand prevent attacks by enforcing these intended behaviors. We builda framework in which the intentions of a web application are represented using models, which are then enforced to ensure robust prevention of attacks. This framework uses novel techniques based on static and dynamicanalysis, symbolic evaluation, runtime checking and isolated execution as foundations. This project also developstechniques that enable a web application and a browser tocollaborate in order to prevent attacks, and apply fine-grainedrestrictions on Web content. The tools being developed in this project will have immediate impact on defending legacy web applications that are vulnerable to these attacks. The CAREER research project is closely tied with educationalefforts by integrating topics on web security in the undergraduate and graduate computer security classrooms. Finally, a collaborative effort with a Chicago inner-city elementary school is also part of this project's educational mission.

该奖项是根据2009年的《美国复苏与再投资法》（公法111-5）资助的。全球网络是一个关键的基础设施，可为我们的社会提供促进信息交流，商业和教育的服务。随着它的不断发展，针对无辜网络用户的基于Web的攻击数量一直在增加。此类攻击的例子包括跨站点脚本，SQL注入和跨站点请求伪造。最近，通过这些强大的攻击对最终用户和最终的企业进行了攻击。因此，捍卫这些攻击对于互联网经济和一般社会非常重要。该项目制定了一项全面的计划，用于捍卫这些攻击中的Web应用程序。 该项目的技术贡献在于开发技术，这些技术引起了Web应用程序的预期行为，并通过执行这些预期的行为来防止攻击。我们构建了使用模型代表Web应用程序的意图的框架，然后强制执行以确保防止攻击的强大预防。该框架使用基于静态和动态分析，符号评估，运行时检查和孤立执行作为基础的新技术。该项目还开发了启用Web应用程序和浏览器to Collaberation的策略，以防止攻击，并对Web内容应用细粒度。 该项目中开发的工具将立即影响捍卫容易受到这些攻击的旧版Web应用程序。 职业研究项目与DeviniceAlefforts紧密相关，通过整合本科和研究生计算机安全教室中的Web安全主题。最后，与芝加哥市中心小学的合作努力也是该项目的教育任务的一部分。