A joint project of the Graduate School, Peabody College, and the Jean & Alexander Heard Library

Title page for ETD etd-05302013-125736


Type of Document Dissertation
Author Li, Xiaowei
URN etd-05302013-125736
Title Detection and prevention of logic attacks against web applications through black-box analysis
Degree PhD
Department Computer Science
Advisory Committee
Advisor Name Title
Yuan Xue Committee Chair
Bradley Malin Committee Member
Douglas C. Schmidt Committee Member
Gautam Biswas Committee Member
Janos Sztipanovits Committee Member
Keywords
  • Access Control
  • Database Access
  • Black-box Analysis
  • Logic Attack
  • Web Application Security
  • Logic Vulnerability
Date of Defense 2013-05-15
Availability unrestricted
Abstract
The three-tier web architecture is becoming the de-facto solution for delivering information and business services over the Internet. The center of this architecture is a web application, which implements the business logic, accesses the information stored at the back-end database and interacts with the users through the front-end web server. As web applications get increasingly complex to support sophisticated business functionalities, an emerging class of vulnerabilities, which are referred to as logic vulnerabilities (a.k.a, logic flaws), have attracted increasing attention in recent years. The attacks that target on these vulnerabilities, which are referred to as logic attacks or state violation attacks, have posed serious security threats. To date, very few works have been devoted to the study of the logic vulnerabilities and effective measures to mitigate logic attacks are yet to be developed. Most existing works only target on one specific type of logic vulnerability, and are limited by the availability of application source code and the applicability to specific development languages and platforms. The major challenges come from the fact that application logic flaws and attacks are specific to the functionality of a particular web application and its implementation usually comes without an explicit logic specification.

In this dissertation, we aim to address logic attacks against web applications in an automated, general and black-box way (i.e., without requiring the application source code). We present several techniques for automatically deriving the application logic specification by observing and extracting patterns from the interactions between the application and users, as well as the database. Then, we leverage the inferred logic specification for both runtime detection of logic attacks (i.e., defensive approach) and discovery of logic vulnerabilities within web applications (i.e., preventive approach). The defensive approach can be utilized to protect potentially vulnerable web applications that cannot be taken offline for vulnerability analysis, while the preventive approach can help the developers to identify and fix logic flaws within the application implementations so that they are immune to logic attacks. We implemented two prototype systems -- BLOCK and SENTINAL, based on our defensive techniques and three prototypes systems -- LogicScope, EXPELLER, BATMAN, based on our preventive techniques. These prototype systems have different features and focuses. We evaluate them over a set of real world open-source web applications. The experiment results demonstrate the effectiveness of our techniques and prototype systems.

Files
  Filename       Size       Approximate Download Time (Hours:Minutes:Seconds) 
 
 28.8 Modem   56K Modem   ISDN (64 Kb)   ISDN (128 Kb)   Higher-speed Access 
  LiXiaowei.pdf 2.21 Mb 00:10:12 00:05:15 00:04:35 00:02:17 00:00:11

Browse All Available ETDs by ( Author | Department )

If you have more questions or technical problems, please Contact LITS.