Visible to the public TWC: Small: Automated Security Testing for Applications Integrating Third-Party ServicesConflict Detection Enabled

Project Details

Lead PI

Performance Period

Sep 01, 2014 - Aug 31, 2018

Institution(s)

University of Virginia

Award Number


Modern web and mobile applications increasingly rely on code and services from multiple parties, including services that provide security-critical functions like authentication, payments, and sharing. Developers often make mistakes in integrating these services into their applications that lead to serious security vulnerabilities. These integration failures are mainly due to failures to understand and ensure assumptions necessary for secure use of the external service. This project is developing a systematic explication process to uncover security-critical assumptions necessary for secure use of an external service, along with tools for automatically testing applications for vulnerabilities in integrating services.

The project is creating a partially automated method that combines static and dynamic analysis techniques for building models of external services that are not available for direct analysis, and for using those models as part of an explicating process that explores the space of all reasonable applications that can be constructed using a service under threat from an unconstrained adversary. The uncovered vulnerabilities lead to automated testing tools for checking applications for vulnerabilities uncovered. Since these vulnerabilities concern sequences of interactions involving authenticated users, they cannot be detected by superficial analysis but require deep testing where a scanner can simulate the actions of a logged-in user. The scanner takes advantage of single sign-on services that are becoming increasingly popular to automate account registration and logins to enable deep, automated scanning of deployed applications. Expected results of the project include open source tools and web services that will enable large-scale deep scans of deployed applications, and that will provide developers with a convenient and easy to use tool to test their implementations for common vulnerabilities.