Thursday, June 10th, 2010
2:30 – CS Conference Room
Committee: Giovanni Vigna (chair), Tevfik Bultan, Richard Kemmerer, Christopher Kruegel
Title: Taming the Malicious Web: Avoiding and Detecting Web-based Attacks
The world wide web has changed dramatically from its beginnings: it now contains significantly more content, is more dynamic, and enables a large variety of services for its users. Unfortunately, the web has also become a more dangerous place. In fact, web-based attacks are now a prevalent and serious threat. These attacks target both web applications, which store sensitive data (such as financial and personal records) and are trusted by large user bases, and web clients, which, after a compromise, can be mined for private data or used as drones of a botnet. The magnitude of these problems has prompted a number of efforts within the security community towards improving the security of the web. In particular, a number of techniques have been proposed to identify vulnerabilities in web applications before they are deployed, and to detect and analyze attacks against web applications and web browsers.
The current state-of-the-art, however, fails to address several interesting challenges. In particular, vulnerability analysis tools for web applications are often limited in the type of vulnerabilities that they can detect. Flaws that require multiple interactions with the applications in order to be exposed, such as stored SQL injections, and those that depend on application-specific security policies, such as authentication bypasses, are especially difficult to identify. Similarly, tools to detect attacks against web clients are difficult to configure, can be evaded, and offer limited explanatory power.
In this talk, we present the approaches and the techniques that we developed to ameliorate the security problems found on today’s web. In particular, on the web application side, the problem of detecting multi-step vulnerabilities is addressed through the use of static analysis techniques. Furthermore, a first step toward the detection of a class of attacks that violate application-specific policies is done by using anomaly detection and likely invariant learning techniques. On the client side, we discuss how we use a combination of emulation and anomaly detection techniques to identify malicious web pages that launch drive-by-download attacks against their visitors. Finally, we will also discuss several measurements that we performed in the context of phishing and botnets to better understand the modus operandi of the attackers and their tools and strategies.