Title: Automatic detection and repair of XSS and SQLI vulnerabilities

Speaker: Dr. Muath Alkhalaf, Assistant Professor in the Computer Science Department, CCIS, KSU


Abstract: A crucial problem in developing dependable web applications is establishing the correctness of input validation and sanitization code. Bugs in the string manipulation operations used for validation and sanitization are common, resulting in erroneous application behavior and vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection (SQLI). In this talk, we present techniques for automated detection and repair of validation and sanitization bugs in server-side (PHP) code. The verification process we developed consists of three stages. In the first stage, we extract the input validation and sanitization code (written in PHP) into sanitizer functions in our intermediate language for input validation and sanitization. In the second stage, we use automata-based symbolic string analysis to compute 1) all possible output strings generated by a sanitizer function, 2) all possible input strings to a sanitizer function that result in a given set of output strings, and 3) all possible input strings rejected by a sanitizer function. In the third stage, we verify the behavior of the sanitizer functions against a given security policy. If we detect that a sanitizer function violates the policy, we automatically generate patches that remove the policy violation.

We experimented with a number of real-world web applications and found many bugs and vulnerabilities. Our analysis generates counter-example behaviors demonstrating the detected bugs and vulnerabilities to help developers with the debugging process. Moreover, we automatically generate patches that can be used to mitigate the detected bugs and vulnerabilities until developers write their own patches.
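The three-stage pipeline sketched in the abstract, as an added toy example that is not the speaker's tool: instead of automata, the input space is bounded to short sequences over a constructed token set, the sanitizer (a single non-repeated removal, a classic defect) and the policy regex are constructed, and the generated patch re-applies the sanitizer to a fixed point and rejects anything still violating the policy.

```python
import itertools
import re

# Bounded stand-in for automata: every sequence of at most MAX_TOKENS tokens.
TOKENS = ("<script", "<scr", "ipt", "x")   # constructed token alphabet
MAX_TOKENS = 3

# Security policy: no sanitizer output may contain the attack pattern.
POLICY = re.compile(r"<script")

def sanitize_buggy(s):
    """Constructed sanitizer with a classic defect: one non-repeated removal,
    so '<scr<scriptipt' collapses into '<script'. Over-long input is rejected."""
    if len(s) > 20:
        return None
    return s.replace("<script", "", 1)

def bounded_inputs():
    for n in range(MAX_TOKENS + 1):
        for combo in itertools.product(TOKENS, repeat=n):
            yield "".join(combo)

def analyze(sanitizer):
    """Stage 2: (1) all outputs, (2) inputs grouped by output, (3) rejected inputs."""
    post, pre, rejected = set(), {}, set()
    for s in bounded_inputs():
        out = sanitizer(s)
        if out is None:
            rejected.add(s)
            continue
        post.add(out)
        pre.setdefault(out, set()).add(s)
    return post, pre, rejected

def verify(sanitizer, policy=POLICY):
    """Stage 3: each policy-violating output mapped to its counter-example inputs."""
    post, pre, _ = analyze(sanitizer)
    return {o: sorted(pre[o]) for o in post if policy.search(o)}

def patch(sanitizer, policy=POLICY):
    """Generated patch: re-apply until stable, then reject remaining violations."""
    def patched(s):
        prev, cur = None, sanitizer(s)
        while cur is not None and cur != prev:
            prev, cur = cur, sanitizer(cur)
        return None if cur is None or policy.search(cur) else cur
    return patched
```

`verify(sanitize_buggy)` reports the violating output `<script` together with the inputs that produce it, while `verify(patch(sanitize_buggy))` returns an empty dict.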

Bio: Dr. Muath Alkhalaf is an assistant professor in the Computer Science Department at King Saud University. He received his Master's and PhD from the University of California, Santa Barbara, with a distinguished dissertation award. His work is on using symbolic model checking for infinite-state string systems, and he has applied his techniques and tools to the problem of automatic detection and repair of security vulnerabilities in web applications. He has published his work in a number of leading conferences and journals, such as ICSE, ISSTA, ASE, TACAS, FMSD and IEEE Computer. His dissertation won the 2015 ACM SIGSOFT Outstanding Dissertation Award.


Date/Time: Tuesday, August 25, 2015 at 12:30pm

Location: Maria Auditorium, F50 in Building 6 - Broadcast from Studio 1 (Room 2084) in CCIS Building 31.