The World Wide Web is a critical infrastructure that serves our society by facilitating information exchange, business and education. As it continues to evolve, the number of web-based attacks that target innocent web users keeps increasing. Examples of such attacks include Cross-site Scripting, SQL Injection and Cross-site Request Forgery. Recent attacks on end-users and online enterprises through these virulent attacks have resulted in widespread damage. Defending these attacks is therefore of very important concern to Internet economy and to society-at-large. This project develops a comprehensive plan for defending web applications from these attacks. The technical contributions of this project are in the development of the technologies that elicit the intended behavior of a web application and prevent attacks by enforcing these intended behaviors. We build a framework in which the intentions of a web application are represented using models, which are then enforced to ensure robust prevention of attacks. This framework uses novel techniques based on static and dynamic analysis, symbolic evaluation, runtime checking and isolated execution as foundations. This project also develops techniques that enable a web application and a browser to collaborate in order to prevent attacks, and apply fine-grained restrictions on Web content. The tools being developed in this project will have immediate impact on defending legacy web applications that are vulnerable to these attacks. The CAREER research project is closely tied with educational efforts by integrating topics on web security in the undergraduate and graduate computer security classrooms. Finally, a collaborative effort with a Chicago inner-city elementary school is also part of this project's educational mission.
CAREER: A Framework for Preventing Web-based Attacks