TC: Small: Keeping Jack in the Box: Confining the Role of Untrusted Inputs in Web Scenarios

TC：小：将 Jack 留在盒子里：限制不可信输入在 Web 场景中的作用

• 批准号: 0917229
• 负责人: Venkat Venkatakrishnan
• 金额: $ 45万
• 依托单位: University of Illinois at Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-01 至 2012-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0917229&HistoricalAwards=false
• 关键词: TC; Small; Keeping; Jack; Box

A significant number of attacks on Web browsers and Web applicationsare successful through the use of malicious inputs.For instance, attacks on web browser extensions target browsers byexploiting vulnerable extensions (add-ons) by supplying malicious input. Malicious inputs exercise unintended behaviors leading to attacks thatcompromise confidentiality, integrity andavailability of web-based systems. This project systematicallyexamines the role that user inputs play in web browsers and applications, and develops techniques to prevent these attacks by confining their influence. The challenge is to develop sound and precise automated analysis mechanisms for web based platforms such as JavaScript. Research from the areas of static and dynamic analysis, information flow tracking and learning program behaviorswill be used to develop robust, efficient and highly precise techniques.Papers from the project will be distributed in popular onlineresources for Web security for the widest possible dissemination andfurther enhancement. Furthermore, the PIs will transition results fromthis research to Web development and standards communities. The results of this project will be integrated into the new andexisting courses in the undergraduate and graduate curricula at theUniversity of Illinois campuses at Chicago and Urbana Champaign. These courses will train a growing workforce of software engineerswho will be more security-aware and apply these principles forlaying a platform for a more secure Web. This project will also directlycontribute to the research training of three Ph.D. studentssupervised by the PIs. This project will also support the involvementof the PIs in outreach activities aimed at K-12 teacher training andminority groups, and contributions by designing programs that createawareness and interest in computer science.

大量针对Web浏览器和Web应用程序的攻击是通过使用恶意输入而成功的。例如，针对Web浏览器扩展的攻击通过提供恶意输入来利用易受攻击的扩展（加载项）来攻击浏览器。恶意输入会执行非预期的行为，从而导致攻击，危及基于Web的系统的机密性、完整性和可用性。该项目系统地研究了用户输入在Web浏览器和应用程序中的作用，并开发了通过限制其影响来防止这些攻击的技术。挑战在于为基于Web的平台（如JavaScript）开发合理且精确的自动分析机制。从静态和动态分析，信息流跟踪和学习程序行为领域的研究将用于开发健壮，高效和高度精确的技术。该项目的论文将在流行的网络安全在线资源中分发，以便尽可能广泛地传播和进一步提高。此外，PI将把这项研究的结果转移到Web开发和标准社区。该项目的成果将被整合到位于芝加哥和厄巴纳尚潘的伊利诺伊大学校园的本科生和研究生课程的新课程和现有课程中。这些课程将培养越来越多的软件工程师，他们将更加安全意识，并应用这些原则为更安全的Web奠定平台。本项目还将直接资助三位博士的研究培训。学生们由私家侦探监督。该项目还将支持PI参与针对K-12教师培训和少数群体的外展活动，并通过设计提高对计算机科学的认识和兴趣的计划做出贡献。