PhD Defense: Toward Automated Detection of Logic Vulnerabilities in Web Application

Friday, September 24, 2010 - 4:13pm

PhD Defense
Vika Felmetsger
Monday, September 27th, 2010
12:30 – CS Conference Room

Committee: Giovanni Vigna (chair), Tevfik Bultan, Richard Kemmerer, Christopher Kruegel

Title: Toward Automated Detection of Logic Vulnerabilities in Web Application

In recent years, web applications have become tremendously popular, and nowadays they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. So far, the research community mainly focused on tackling vulnerabilities that result from insecure information flow in web applications, such as cross-site scripting and SQL injection. While relative success was reached in finding suitable techniques and approaches for dealing with this type of vulnerability, little research has been done on detecting vulnerabilities that result from flawed application logic. The vulnerabilities in this category are often application-specific and include such flaws as missing authentication or authorization checks and incorrectly enforced workflow constraints.

In this talk, I will discuss the characteristics of application logic vulnerabilities in the context of web applications and show why this type of vulnerability is very hard to detect using automated analysis. I will also present research that I have done on automated detection of this class of security flaws in web applications.

Everyone Welcome!