TWC: Small: Automated Security Testing for Applications Integrating Third-Party Services

TWC：小型：集成第三方服务的应用程序的自动化安全测试

• 批准号: 1422332
• 负责人: David Evans
• 金额: $ 50万
• 依托单位: University of Virginia Main Campus
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-09-01 至 2019-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1422332&HistoricalAwards=false
• 关键词: TWC; Small; Automated; Security; Testing

Modern web and mobile applications increasingly rely on code and services from multiple parties, including services that provide security-critical functions like authentication, payments, and sharing. Developers often make mistakes in integrating these services into their applications that lead to serious security vulnerabilities. These integration failures are mainly due to failures to understand and ensure assumptions necessary for secure use of the external service. This project is developing a systematic explication process to uncover security-critical assumptions necessary for secure use of an external service, along with tools for automatically testing applications for vulnerabilities in integrating services.The project is creating a partially automated method that combines static and dynamic analysis techniques for building models of external services that are not available for direct analysis, and for using those models as part of an explicating process that explores the space of all reasonable applications that can be constructed using a service under threat from an unconstrained adversary. The uncovered vulnerabilities lead to automated testing tools for checking applications for vulnerabilities uncovered. Since these vulnerabilities concern sequences of interactions involving authenticated users, they cannot be detected by superficial analysis but require deep testing where a scanner can simulate the actions of a logged-in user. The scanner takes advantage of single sign-on services that are becoming increasingly popular to automate account registration and logins to enable deep, automated scanning of deployed applications. Expected results of the project include open source tools and web services that will enable large-scale deep scans of deployed applications, and that will provide developers with a convenient and easy to use tool to test their implementations for common vulnerabilities.

现代网络和移动应用越来越依赖于来自多方的代码和服务，包括提供安全关键功能（如身份验证、支付和共享）的服务。开发人员在将这些服务集成到他们的应用程序中经常犯错误，从而导致严重的安全漏洞。这些集成失败主要是由于未能理解和确保安全使用外部服务所需的假设。该项目正在开发一个系统的解释过程，以揭示安全使用外部服务所必需的安全关键假设，以及用于自动测试应用程序集成服务中的漏洞的工具。该项目正在创建一种部分自动化的方法，该方法结合了静态和动态分析技术，用于构建不能用于直接分析的外部服务模型，并将这些模型用作解释过程的一部分，该过程探索所有合理的应用程序的空间，这些应用程序可以在不受约束的对手的威胁下使用服务构建。未发现的漏洞导致使用自动测试工具来检查应用程序是否存在未发现的漏洞。由于这些漏洞涉及涉及经过身份验证的用户的交互序列，因此无法通过肤浅的分析检测到它们，而需要深入的测试，其中扫描仪可以模拟登录用户的操作。扫描器利用越来越流行的单点登录服务来自动化帐户注册和登录，从而对已部署的应用程序进行深度自动扫描。该项目的预期结果包括开源工具和web服务，这些工具和服务将支持对已部署的应用程序进行大规模深度扫描，这将为开发人员提供一个方便且易于使用的工具，以测试其常见漏洞的实现。