CAREER: Next Generation Black-Box Web Application Vulnerability Analysis

职业：下一代黑盒 Web 应用程序漏洞分析

• 批准号: 1651661
• 负责人: Adam Doupe
• 金额: $ 41.66万
• 依托单位: Arizona State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-05-01 至 2023-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1651661&HistoricalAwards=false
• 关键词: CAREER; Next; Generation; Black; Box

Recent sensitive data breaches are caused by overlooked vulnerabilities in web applications. To secure their web applications, companies typically hire professional hackers to break into their web applications. While this process finds vulnerabilities, it is costly and does not scale. Black-box vulnerability scanners attempt to automate this process. By treating the web application as a black-box (no knowledge of the source code of the application), these tools can discover unknown vulnerabilities. Traditionally, these tools work by crawling the web application, identifying input vectors, then injecting malicious input. However, despite being sold commercially for tens of thousands of dollars, the PI has shown that they are ineffective. This project aims to create a novel and effective black-box vulnerability analysis framework that finds unknown vulnerabilities in any web application.The PI proposes a novel technique called inductive reverse engineering which, using recent advances in inductive programming, can automatically reverse engineer an abstraction of the web application's source code. Then, the tool will use static analysis techniques to discover potential vulnerabilities in the abstraction of the reverse engineered code. The goal of this project is advance the state-of-the-art in black-box vulnerability analysis tools. All tools and techniques will be open-sourced, so that researchers and industry can benefit. Use of the tool on real-world software will result in more vulnerabilities found and fixed, thus improving software security as a whole. In addition, the PI will create and lead hands-on workshops that allow all CS students to study and exploit vulnerabilities, as well as understand the ethical considerations. The education modules and the software infrastructure required will be released.

最近的敏感数据泄露是由网络应用程序中被忽视的漏洞造成的。为了保护他们的网络应用程序，公司通常会雇佣专业黑客侵入他们的网络应用程序。虽然这一过程会发现漏洞，但成本很高，而且不能扩展。黑盒漏洞扫描程序试图自动执行此过程。通过将Web应用程序视为黑匣子(对应用程序源代码一无所知)，这些工具可以发现未知漏洞。传统上，这些工具的工作方式是爬行Web应用程序，识别输入向量，然后注入恶意输入。然而，尽管PI的商业售价高达数万美元，但它已经表明它们是无效的。该项目旨在创建一个新的有效的黑盒漏洞分析框架，以发现任何Web应用程序中的未知漏洞。PI提出了一种称为归纳逆向工程的新技术，该技术利用归纳编程的最新进展，可以自动对Web应用程序源代码的抽象进行逆向工程。然后，该工具将使用静态分析技术来发现反向工程代码抽象中的潜在漏洞。该项目的目标是推进最先进的黑匣子漏洞分析工具。所有的工具和技术都将是开源的，这样研究人员和产业界都能受益。在现实软件上使用该工具将导致发现和修复更多漏洞，从而提高软件整体安全性。此外，PI将创建和领导实践研讨会，让所有CS学生学习和利用漏洞，并了解伦理考虑。将发布所需的教育模块和软件基础设施。