Security is an ever-present and growing problem in the web and mobile app domain. Norton reports that the number of reported mobile app vulnerabilities doubled from 2010 to 2011 and that one in eight legitimate web sites has at least one critical vulnerability. The impact of security vulnerabilities has also been amplified as users put increasingly more personal and sensitive information, such as banking, social network, and photo data, onto their mobile devices.
Tools that our group has developed, such as PUMA, SIF, and Violist, allow us to explore, monitor, and predict the runtime behavior of mobile apps. We are currently working on projects to apply these techniques to mobile apps with the goal of improving their security.
Our prior work in security focused on web applications, in particular on techniques for preventing SQL injection attacks. Readers interested in a survey of SQL injection attack techniques may find our ISSSE 2006 paper useful. The AMNESIA technique is described in depth on its own page, as is the SQL Injection Testbed.
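As an added illustration of the problem these techniques address (example code written for this page, not the group's own tools), the block below puts a string-concatenated query beside its parameterized form and adds a simplified structure check of my own, loosely modelled on the idea of comparing the query built at runtime against the developer's template. The table, rows, and template are constructed; the check is a hypothetical illustration, not an implementation of AMNESIA or WASP.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input spliced directly into the SQL text: the classic
    # SQL injection sink. Input can change the query's structure.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    # Bound parameter: the driver passes the value separately, so it can
    # never become keywords or operators in the statement.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Tokenizer for a small SQL subset: quoted strings (with '' escapes),
# words, and single punctuation characters.
TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")


def structure(sql):
    # Reduce a query to its shape: every string literal or number becomes
    # a placeholder, keywords and identifiers are kept (case-folded).
    shape = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'") or tok.isdigit():
            shape.append("?")
        else:
            shape.append(tok.upper())
    return shape


def lookup_checked(conn, name):
    # Hypothetical syntax-aware check (my own, illustrative): the query
    # assembled at runtime must have exactly the token structure of the
    # developer's template, so input may fill a literal but not add tokens.
    template = "SELECT name FROM users WHERE name = '?'"
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    if structure(query) != structure(template):
        raise ValueError("query structure altered by input: rejected")
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tautology))
    print("parameterized:", lookup_parameterized(db, tautology))
    try:
        lookup_checked(db, tautology)
    except ValueError as err:
        print("checked:", err)
```

With the tautology input the concatenated query returns every row, the parameterized query returns none (no user is literally named `' OR '1'='1`), and the structure check rejects the statement before it is executed because the input introduced an `OR` token that the template does not contain. The parameterized form is the fix to prefer; the structure check only shows why comparing query shape against a template catches the injected tokens.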
- Improving penetration testing through static and dynamic analysis. In Software Testing, Verification and Reliability, Volume 21, 2011. John Wiley & Sons, Ltd.
- Penetration Testing with Improved Input Vector Identification. In Proceedings of the International Conference on Software Testing, Verification, and Validation, Apr. 2009. Best Presentation Award.
- WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation. In Transactions on Software Engineering, Volume 34, 2008.
- Detection and Prevention of SQL Injection Attacks. Chapter in Malware Detection (S. Jha, D. Song, D. Maughan, C. Wang, eds.). Springer.
- Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. In Proceedings of the Symposium on the Foundations of Software Engineering (FSE 2006).
- Preventing SQL Injection Attacks Using AMNESIA. In Proceedings of the International Conference on Software Engineering -- Formal Demo.
- A Classification of SQL-Injection Attacks and Countermeasures. In Proceedings of the International Symposium on Secure Software Engineering.
- AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the International Conference on Automated Software Engineering.
- Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In Proceedings of the International Workshop on Dynamic Analysis (WODA).