Inferring Specifications in Web Applications for Vulnerability Analysis

Venkat Venkatakrishnan (University of Illinois at Chicago)



Abstract: Web applications are powerful engines that drive modern societies, as they play a pivotal role in e-commerce, social networking and finance. Security of web applications is therefore an important concern. Past research on web applications has focused on automatically detecting vulnerabilities such as SQL injection and cross-site scripting. However, until recently, vulnerabilities specific to the logic of a web application have been identified manually, because detecting these logic vulnerabilities requires a specification of the application logic, whether that logic concerns authorization or input validation. In this talk, we will discuss techniques that automatically elicit such specifications from web applications and use them for vulnerability detection. We will also discuss tools built on these techniques that have identified several previously unknown vulnerabilities in existing web applications.
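To make the idea of an elicited specification concrete, the following toy script is an added illustration; it is not one of the tools presented in the talk and not the speaker's code. It treats the guards that most handlers perform before a sensitive operation (an authorization check before a delete, an input-validation check before an insert) as the implicit specification, then reports handlers that reach the same operation without those guards. The handler table, guard names and sink names are constructed and hypothetical; a real analysis would recover the same kind of facts from the application's control flow rather than from a hand-written list.

```python
"""
Toy specification inference for web-application logic checks (added
example; hypothetical handler, guard and sink names, constructed input).

Idea: the checks that most handlers perform before a sensitive operation
are taken to be the (unwritten) specification; handlers that reach the
operation without them are candidate logic vulnerabilities.
"""
from collections import defaultdict

# Constructed sample: each handler is the ordered list of statements on
# its request path. Guards abort the request when they fail; sinks are
# the sensitive operations we want guarded.
HANDLERS = {
    "user_delete":     ["session.load", "is_admin", "db.delete"],
    "post_delete":     ["session.load", "is_admin", "db.delete"],
    "comment_delete":  ["session.load", "is_admin", "db.delete"],
    "legacy_delete":   ["session.load", "db.delete"],               # no is_admin
    "post_create":     ["session.load", "validate_len", "db.insert"],
    "post_create_api": ["session.load", "validate_len", "db.insert"],
    "post_import":     ["session.load", "db.insert"],               # no validate_len
    "profile_update":  ["session.load", "is_owner", "validate_email", "db.update"],
    "profile_avatar":  ["session.load", "is_owner", "db.update"],
}

GUARDS = {"is_admin", "is_owner", "validate_email", "validate_len"}
SINKS = {"db.delete", "db.update", "db.insert"}


def guards_before_sinks(stmts):
    """Map each sink the handler reaches to the set of guards executed before it."""
    seen, out = set(), {}
    for stmt in stmts:
        if stmt in GUARDS:
            seen.add(stmt)
        elif stmt in SINKS:
            out[stmt] = frozenset(seen)
    return out


def infer_spec(handlers, min_support=0.6):
    """Infer 'sink S requires guard G' when G precedes S in at least
    min_support of the handlers that reach S. Guards seen in only a
    minority of handlers (e.g. validate_email below) are not inferred."""
    reach = defaultdict(int)          # sink -> number of handlers reaching it
    guarded = defaultdict(int)        # (sink, guard) -> number guarded by it
    for stmts in handlers.values():
        for sink, guards in guards_before_sinks(stmts).items():
            reach[sink] += 1
            for g in guards:
                guarded[(sink, g)] += 1
    spec = defaultdict(set)
    for (sink, g), n in guarded.items():
        if n / reach[sink] >= min_support:
            spec[sink].add(g)
    return dict(spec)


def check(handlers, spec):
    """Return (handler, sink, missing_guard) triples violating the inferred spec."""
    findings = []
    for name, stmts in handlers.items():
        for sink, guards in guards_before_sinks(stmts).items():
            for g in sorted(spec.get(sink, ())):
                if g not in guards:
                    findings.append((name, sink, g))
    return findings


if __name__ == "__main__":
    inferred = infer_spec(HANDLERS)
    for sink, gs in sorted(inferred.items()):
        print(f"{sink} requires {sorted(gs)}")
    for name, sink, g in check(HANDLERS, inferred):
        print(f"{name}: reaches {sink} without {g}")
```

On the constructed table the script infers that db.delete requires is_admin, db.insert requires validate_len and db.update requires is_owner, and flags legacy_delete and post_import as the outliers; validate_email is not promoted to a requirement because only one of the two db.update handlers performs it, which is the kind of threshold judgement that separates a real specification from coincidence.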


Bio: Venkat Venkatakrishnan's (http://www.cs.uic.edu/~venkat) broad research interests are in computer security and privacy. He is particularly interested in the security of software systems, in vulnerability analysis, and in automated approaches to preventing large-scale attacks on computer systems. His research draws on techniques rooted in programming languages and compilers, operating systems, software engineering and formal methods to address practical problems in computer security. He received his Ph.D. and M.S. degrees in computer science from Stony Brook University in 2004, and M.Sc. and B.E. degrees from Birla Institute of Technology and Science (BITS), Pilani, India, in 1997. He is currently Associate Professor of Computer Science at the University of Illinois at Chicago (UIC). He is the recipient of the National Science Foundation CAREER award in 2009, several best paper awards including the 2010 NYU-Poly AT&T Best Applied Cybersecurity Paper Award, and multiple UIC campus-level awards for research as well as teaching.