CAREER: Black-Box Learning of Web Application Authorization Policies
Basic information
- Award number: 2047623
- Principal investigator:
- Amount: $574,700
- Institution:
- Institution country: United States
- Category: Continuing Grant
- Fiscal year: 2021
- Funding country: United States
- Period: 2021-10-01 to 2026-09-30
- Status: Ongoing
- Source:
- Keywords:
Project abstract
Web applications have become the de facto way to access services and functionality. It is vital to ensure that different users of a web application are only allowed to access what they are supposed to, i.e., that correct authorization is implemented. Unfortunately, broken access control and authorization have constantly been ranked among the top web application vulnerabilities. In fact, many web applications cannot provide an accurate specification of the authorization policies they enforce, due to challenges such as code complexity and fast-paced development. Neither end users nor even the developers of these applications can reason about data protection in this environment. To address this problem, this research project devises a novel framework for learning fine-grained authorization policies from web applications without relying on access to their source code or an understanding of other internal complexities. The project develops an integrated research and education program to train the next generation of the cybersecurity workforce at the intersection of security/privacy, machine learning, and web technologies. Since web-based systems are pervasive in our society, the developed framework and associated solutions will significantly contribute to system safety and user privacy. Furthermore, because of their black-box design, the developed techniques will be critical assets for investigating the data authorization practices of applications outside their development environments, both by application adopters (e.g., companies deploying outsourced applications) and by third parties acting in the interest of end users (e.g., security/privacy researchers and regulators investigating compliance with privacy laws and expectations). The project engages a diverse body of students, especially from groups underrepresented in security and privacy research, and exposes the broad community to security and privacy topics through outreach activities.

This research project develops a novel paradigm for the automated learning of web application authorization policies that significantly improves the assurance of web application security and privacy. A key characteristic of this research is to treat web applications as black boxes, i.e., to learn authorizations by interacting with and observing them as regular end users would. The black-box approach abstracts away the internal complexities of web applications and focuses instead on what matters: learning which policies are enforced on users as they access application data. The research is carried out in three thrusts. First, a theoretical policy learning framework will be devised for efficiently probing the authorization space of applications as black boxes and constructing formal specifications of their policies. Second, a methodology and associated techniques for learning representations of data objects, relationships, and operations from black-box web applications will be developed in order to realize practical deployment of the theoretical framework in the web domain. Third, the project will develop techniques for the analysis and integration of the learned authorization policies to improve the security and privacy of web applications. This paradigm will be transformative for web security/privacy research and practice by providing researchers, developers, and analysts with an automated approach to learning the specifications of authorization policies. In addition to enabling them to understand the authorization behavior of web applications, it will revitalize research in formal policy testing and verification techniques that rely on concrete policy specifications. Furthermore, the general framework will be applicable beyond web applications to other domains such as mobile app ecosystems.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
Project outcomes
Journal articles: 3
Monographs: 0
Research awards: 0
Conference papers: 0
Patents: 0
Towards Automated Learning of Access Control Policies Enforced by Web Applications
- DOI: 10.1145/3589608.3594743
- Published: 2023
- Journal:
- Impact factor: 0
- Authors: Iyer, Padmavathi; Masoumzadeh, Amir
- Corresponding author: Masoumzadeh, Amir
Effective Evaluation of Relationship-Based Access Control Policy Mining
- DOI: 10.1145/3532105.3535022
- Published: 2022
- Journal:
- Impact factor: 0
- Authors: Iyer, Padmavathi; Masoumzadeh, Amirreza
- Corresponding author: Masoumzadeh, Amirreza
Learning Relationship-Based Access Control Policies from Black-Box Systems
- DOI: 10.1145/3517121
- Published: 2022-08-01
- Journal:
- Impact factor: 2.3
- Authors: Iyer, Padmavathi; Masoumzadeh, Amirreza
- Corresponding author: Masoumzadeh, Amirreza
Other publications by Amirreza Masoumzadeh
Other grants of Amirreza Masoumzadeh
Travel: NSF Student Travel Grant for 5th IEEE International Conference on Trust, Privacy, and Security in Intelligent Systems and Applications (IEEE TPS 2023)
- Award number: 2333916
- Fiscal year: 2023
- Amount: $574,700
- Category: Standard Grant
NSF Student Travel Grant for 2019 IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (IEEE TPS)
- Award number: 2002916
- Fiscal year: 2019
- Amount: $574,700
- Category: Standard Grant
Similar NSFC grants
Volatility inversion problem for the space-fractional Black-Scholes equation
- Award number: Q24A010012
- Award year: 2024
- Amount: 0 CNY
- Category: Provincial/municipal project
Time-adaptive algorithms and analysis for the Black-Scholes option pricing model
- Award number: 12271142
- Award year: 2022
- Amount: 450,000 CNY
- Category: General Program
Comparative study of intermediate magma chamber processes in old and young island-arc porphyry copper (gold) deposits: Black Mountain (Philippines) and Duobaoshan (China) as examples
- Award number: 41672090
- Award year: 2016
- Amount: 770,000 CNY
- Category: General Program
New methods for parallel finite-difference computation of the nonlinear Black-Scholes equation
- Award number: 11371135
- Award year: 2013
- Amount: 550,000 CNY
- Category: General Program
Pricing and hedging of contingent claims under non-Black-Scholes models
- Award number: 70771006
- Award year: 2007
- Amount: 190,000 CNY
- Category: General Program
Geochemical study of black carbon in sediments of the Yellow Sea and East China Sea
- Award number: 40576039
- Award year: 2005
- Amount: 400,000 CNY
- Category: General Program
Similar overseas grants
Collaborative Research: Opening the black box of oxygen deficient zone biogeochemistry through integrative tracers
- Award number: 2342987
- Fiscal year: 2024
- Amount: $574,700
- Category: Continuing Grant
Collaborative Research: Opening the black box of oxygen deficient zone biogeochemistry through integrative tracers
- Award number: 2342986
- Fiscal year: 2024
- Amount: $574,700
- Category: Continuing Grant
CAREER: Complex Causal Moderated Mediation Analysis in Multisite Randomized Trials: Uncovering the Black Box Underlying the Impact of Educational Interventions on Math Performance
- Award number: 2337612
- Fiscal year: 2024
- Amount: $574,700
- Category: Continuing Grant
Collaborative Research: Opening the black box of oxygen deficient zone biogeochemistry through integrative tracers
- Award number: 2342988
- Fiscal year: 2024
- Amount: $574,700
- Category: Continuing Grant
Development of a transfer initialization method for black-box optimization based on probabilistic models using Bayesian estimation
- Award number: 24K20857
- Fiscal year: 2024
- Amount: $574,700
- Category: Grant-in-Aid for Early-Career Scientists
Collaborative Research: NeTS: Medium: Black-box Optimization of White-box Networks: Online Learning for Autonomous Resource Management in NextG Wireless Networks
- Award number: 2312835
- Fiscal year: 2023
- Amount: $574,700
- Category: Standard Grant
WTG: Beyond the black box: understanding the use of algorithmic risk assessments in the juvenile justice system
- Award number: 2244705
- Fiscal year: 2023
- Amount: $574,700
- Category: Standard Grant
CRII: CIF: Sequential Decision-Making Algorithms for Efficient Subset Selection in Multi-Armed Bandits and Optimization of Black-Box Functions
- Award number: 2246187
- Fiscal year: 2023
- Amount: $574,700
- Category: Standard Grant
CAREER: Cryptographic Proofs, Outside the Black-Box
- Award number: 2238718
- Fiscal year: 2023
- Amount: $574,700
- Category: Continuing Grant
Collaborative Research: NeTS: Medium: Black-box Optimization of White-box Networks: Online Learning for Autonomous Resource Management in NextG Wireless Networks
- Award number: 2312836
- Fiscal year: 2023
- Amount: $574,700
- Category: Standard Grant