CAREER: A Framework for Preventing Web-based Attacks

职业：防止基于 Web 的攻击的框架

• 批准号: 0845894
• 负责人: Venkat Venkatakrishnan
• 金额: $ 40.5万
• 依托单位: University of Illinois at Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-01 至 2014-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0845894&HistoricalAwards=false
• 关键词: CAREER; Framework; Preventing; Web; based

This award is funded under the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).The World Wide Web is a critical infrastructure that serves our societyby facilitating information exchange, business andeducation. As it continues to evolve, the number of web-basedattacks that target innocent web users keeps increasing. Examples of such attacks include Cross-site Scripting, SQL Injectionand Cross-site Request Forgery. Recent attacks on end-users andonline enterprises through these virulent attacks have resulted inwidespread damage. Defending these attacks is therefore of very important concern to Internet economy and to society-at-large. This project develops a comprehensive plan for defending web applications from these attacks. The technical contributions of this project are in the development of thetechnologies that elicit the intended behavior of a web applicationand prevent attacks by enforcing these intended behaviors. We builda framework in which the intentions of a web application are represented using models, which are then enforced to ensure robust prevention of attacks. This framework uses novel techniques based on static and dynamicanalysis, symbolic evaluation, runtime checking and isolated execution as foundations. This project also developstechniques that enable a web application and a browser tocollaborate in order to prevent attacks, and apply fine-grainedrestrictions on Web content. The tools being developed in this project will have immediate impact on defending legacy web applications that are vulnerable to these attacks. The CAREER research project is closely tied with educationalefforts by integrating topics on web security in the undergraduate and graduate computer security classrooms. Finally, a collaborative effort with a Chicago inner-city elementary school is also part of this project's educational mission.

该奖项是根据2009年美国复苏和再投资法案（公法111-5）资助的。万维网是一个重要的基础设施，通过促进信息交换，商业和教育为我们的社会服务。随着它的不断发展，针对无辜网络用户的网络攻击数量不断增加。这类攻击的例子包括跨站脚本、SQL注入和跨站请求伪造。最近通过这些恶意攻击对最终用户和在线企业的攻击造成了广泛的损害。因此，防御这些攻击是互联网经济和整个社会非常重要的问题。该项目开发了一个全面的计划，以保护Web应用程序免受这些攻击。 该项目的技术贡献在于开发了能够引发Web应用程序预期行为的技术，并通过强制执行这些预期行为来防止攻击。我们构建了一个框架，其中Web应用程序的意图使用模型表示，然后强制执行，以确保强大的攻击预防。该框架使用了基于静态和动态分析、符号计算、运行时检查和隔离执行的新技术作为基础。该项目还开发了使Web应用程序和浏览器能够协作以防止攻击的技术，并对Web内容应用细粒度限制。 该项目中开发的工具将对保护易受这些攻击的传统Web应用程序产生直接影响。 职业研究项目与教育工作密切相关，将网络安全主题整合到本科生和研究生计算机安全教室中。最后，与芝加哥市中心小学的合作也是该项目教育使命的一部分。