Project Overview
Much of the functionality in our daily lives is software-controlled, so protecting our software against security vulnerabilities is of extreme importance. A common source of vulnerabilities is the input to the software, which may not be checked within the application. These vulnerabilities take different forms and names, such as cross-site scripting and SQL injection. In particular, cross-site scripting allows attackers to pass unchecked input in the form of problematic scripts, which may then get executed on the site of a non-malicious user. SQL injection refers to unchecked program input being used to construct database queries (which may then be exploited by an attacker to reveal confidential information such as user passwords).
In this project, we propose to develop and employ information flow analysis methods for detecting the impact of program inputs on (parts of) an application. The main purpose is to detect or explain potential software attacks – thereby enhancing software security. One of the innovative outputs of the project will be the use of software analysis and symbolic execution methods for generating and explaining potential attack scenarios, without actually encountering the attacks.
Our infrastructure will be geared to identify and summarize the input-dependent parts of an application. It may suggest mechanisms to programmers for making their applications more robust by inserting more checks at the appropriate places in their programs. More interestingly, our analysis infrastructure can potentially reveal attack scenarios prior to the deployment of an application. This will be done by tracking the input propagation within an application, finding the input-dependent parts and summarizing them to the programmer. Indeed, our entire project is geared towards solving a core problem in security: information flow analysis in software.
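A simplified illustration of the input-propagation tracking described above, added here as an example and not taken from the project's own infrastructure. It runs forward taint propagation over a constructed straight-line program; the statement format and the names `read_input`, `validate` and `run_query` are assumptions made for the example.

```python
# Added illustration: forward taint propagation over a toy straight-line program.
# Operation names and the statement format below are assumptions, not project code.
SOURCES = {"read_input"}   # calls that return program input
CHECKS = {"validate"}      # hypothetical check; its result is treated as checked
SINKS = {"run_query"}      # calls where unchecked input is dangerous

# Constructed sample: (line, assigned variable or None, operation, operand variables)
PROGRAM = [
    (1, "name", "read_input", []),
    (2, "prefix", "const", []),
    (3, "clause", "concat", ["prefix", "name"]),
    (4, "sql", "concat", ["clause"]),
    (5, None, "run_query", ["sql"]),      # unchecked input reaches the query
    (6, "safe", "validate", ["name"]),
    (7, "sql2", "concat", ["safe"]),
    (8, None, "run_query", ["sql2"]),     # checked input only
]

def analyze(program):
    """Return (input-dependent lines, [(sink line, propagation path)])."""
    origin = {}      # unchecked variable -> lines the input flowed through
    dependent = []   # lines that read or produce program input
    findings = []    # sinks reached by unchecked input, with the path taken
    for line, target, op, operands in program:
        paths = [origin[v] for v in operands if v in origin]
        if op in SOURCES:
            path = [line]
        elif paths and op not in CHECKS:
            path = paths[0] + [line]      # keep one witness path as explanation
        else:
            path = None                   # input-independent, or checked
        if op in SOURCES or paths:
            dependent.append(line)
        if op in SINKS and path:
            findings.append((line, path))
        if target is not None:
            if path:
                origin[target] = path
            else:
                origin.pop(target, None)  # reassignment clears old dependence
    return dependent, findings

if __name__ == "__main__":
    dependent, findings = analyze(PROGRAM)
    print("input-dependent lines:", dependent)
    for sink, path in findings:
        print(f"line {sink}: unchecked input reaches sink via lines {path}")
```

The reported path is the summary a programmer would use to decide where a check is missing; here it points at the flow from line 1 to line 5, while the checked flow into line 8 is not reported.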
People
We are looking for one more Research Assistant; email Abhik if you are interested.
Faculty Members
- Abhik Roychoudhury (Principal Investigator)
- Liang Zhenkai (Co-Principal Investigator)
PhD Student
Research Assistant
Publications
- DARWIN: An Approach for Debugging Evolving Programs [PDF], Dawei Qi, Abhik Roychoudhury, Zhenkai Liang, Kapil Vaswani. ESEC and ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE), ESEC-FSE, Amsterdam, the Netherlands, August 2009. (ACM SIGSOFT Distinguished paper award)
Funding
This project is funded by the Defence Science & Technology Agency (DSTA) Singapore for a period of three years (2009-2012). This support is gratefully acknowledged.