TC: Small: Runtime and Static Analysis for Web Application Security

TC：小型：Web 应用程序安全的运行时和静态分析

• 批准号: 0917392
• 负责人: Zhendong Su
• 金额: $ 42.4万
• 依托单位: University of California-Davis
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-01 至 2014-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0917392&HistoricalAwards=false
• 关键词: TC; Small; Runtime; Static; Analysis

Web applications are prevalent and enable much of today's onlinebusiness including banking, shopping, university admissions, and variousgovernmental activities. However, the quality of such applications isusually low, and they are increasingly popular targets for attack. Thisproject aims at developing practical testing and analysis mechanisms andtools to secure web applications. In particular, it focuses ondeveloping novel, principled techniques to address the followingresearch issues: (1) how to formalize security threats in webapplications; (2) how to provide runtime security for deployedapplications via dynamic monitoring; and (3) how to provide staticsecurity enforcement during application development and testing.The project is interdisciplinary, touching upon a number of requisiteareas including computer security, software engineering, and programminglanguages. It has the potential to advance knowledge in each of thesedisciplines with novel formulations of security requirements, systemsconcepts, and advanced testing and analysis techniques. The projectalso has the potential for significant industrial and societal impact.Through the proposed research, education, and outreach activities, theproject will empower web application developers with the knowledge,methodologies, and development tools to build secure webapplications. Testing and analysis tools developed in the project willalso be distributed to other institutions and the industry for teaching,research, and experimental evaluation.

Web应用程序很普遍，并且可以使当今的大部分在线企业包括银行，购物，大学招生和各种政府活动。 但是，此类应用程序的质量非常低，并且它们是越来越受欢迎的攻击目标。 该项目旨在开发实用的测试和分析机制和工具来确保Web应用程序。特别是，它集中于开发小说，有原则的技术来解决以下研究问题：（1）如何在WebApplications中正式化安全威胁； （2）如何通过动态监视为部署申请提供运行时安全性； （3）如何在应用程序开发和测试期间提供静态性执行。该项目是跨学科的，涉及许多必需的重读，包括计算机安全，软件工程和编程语言。它有潜力通过安全要求，系统评估以及先进的测试和分析技术来推进每个学科的知识。 该投影有可能产生重大的工业和社会影响。通过拟议的研究，教育和外展活动，该项目将使Web应用程序开发人员拥有知识，方法和开发工具，以构建安全的WebApplications。项目中开发的测试和分析工具将分发给其他机构，以及用于教学，研究和实验评估的行业。