CS 595C
Analysis and Verification Techniques for Improving Dependability of Web Software
Fall 2011
Description:
Web software development is an error-prone process due to the distributed
nature of web applications. As a consequence, web applications are notorious
for security vulnerabilities and unreliable behavior. In this seminar
we will discuss recently proposed automated analysis and verification
techniques for improving the dependability of web software.
Instructor:
Tevfik Bultan
Meeting time:
3:00pm, Wednesday
Location: HFH 1132
Enrollment Code: 73536
Units: This will be a 2-unit seminar.
Paper Reviews
Each week, each student is required to write a review of the paper that will
be presented and submit the review to the instructor before the class.
Here is a paper review template.
In each review you are asked to 1) summarize the results presented in
the paper, 2) identify the novelty of the proposed approach, 3) discuss
any flaws that you see in the proposed approach, and 4) ask at least two
questions about the paper.
Presentations
- Week 1 (September 30): Jaideep Nijjar will present paper 1
- Week 2 (October 5): Muath Alkhalaf will present paper 2
- Week 3 (October 12): NO PRESENTATION
- Week 4 (October 19): Abdulbaki Aydin will present paper 13
- Week 5 (October 26): Adam Doupe will present paper 8
- Week 6 (November 2): Ivan Bocic will present paper 10
- Week 7 (November 9): Victor Amelkin will present paper 3
- Week 8 (November 16): Saeed Mahani will present paper 4 (this meeting will be at PHELP 1401)
- Week 9 (November 23): NO PRESENTATION
- Week 10 (November 30): Devdeep Roy Choudhury will present paper 7 (this meeting will be at 10:00AM)
Papers
1. (Jaideep Nijjar will present) Jaideep Nijjar and Tevfik Bultan. "Bounded Verification of Ruby on Rails Data Models." To appear in the Proceedings of the 2011 International Symposium on Software Testing and Analysis (ISSTA 2011).
2. (Muath Alkhalaf will present) Fang Yu, Muath Alkhalaf and Tevfik Bultan. "Patching Vulnerabilities with Sanitization Synthesis." To appear in the Proceedings of the 33rd International Conference on Software Engineering (ICSE 2011).
3. (Victor Amelkin will present) Takaaki Tateishi, Marco Pistoia and Omer Tripp. "Path- and Index-sensitive String Analysis Based on Monadic Second-order Logic." ISSTA 2011: 166-176.
4. (Saeed Mahani will present) Salvatore Guarnieri, Marco Pistoia, Omer Tripp, Julian Dolby, Stephen Teilhet and Ryan Berg. "Saving the World Wide Web from Vulnerable JavaScript." ISSTA 2011: 177-187.
5. Matthew J. McGill, Laura K. Dillon and R. E. Kurt Stirewalt. "Scalable Analysis of Conceptual Data Models." ISSTA 2011: 56-66.
6. Y. Smaragdakis, C. Csallner and R. Subramanian. "Scalable Satisfiability Checking and Test Data Generation from Modeling Diagrams." Automated Software Engineering, 16:73-99, 2009.
7. (Devdeep Roy Choudhury will present) Shay Artzi, Julian Dolby, Simon Holm Jensen, Anders Moller and Frank Tip. "A Framework for Automated Testing of JavaScript Web Applications." ICSE 2011: 571-580.
8. (Adam Doupe will present) Avik Chaudhuri and Jeffrey S. Foster. "Symbolic Security Analysis of Ruby-on-Rails Web Applications." ACM Conference on Computer and Communications Security (CCS) 2010: 585-594.
9. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz and V. N. Venkatakrishnan. "NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications." ACM Conference on Computer and Communications Security (CCS) 2010: 607-618.
10. (Ivan Bocic will present) Uri Klein and Kedar S. Namjoshi. "Formalization and Automated Verification of RESTful Behavior." CAV 2011: 541-556.
11. Gregor Richards, Sylvain Lebresne, Brian Burg and Jan Vitek. "An Analysis of the Dynamic Behavior of JavaScript Programs." PLDI 2010: 1-12.
12. Arjun Guha, Shriram Krishnamurthi and Trevor Jim. "Using Static Analysis for Ajax Intrusion Detection." International World Wide Web Conference (WWW), 2009.
13. (Abdulbaki Aydin will present) Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant and Dawn Song. "A Symbolic Execution Framework for JavaScript." IEEE Symposium on Security and Privacy 2010: 513-528.
14. Prateek Saxena, Steve Hanna, Pongsin Poosankam and Dawn Song. "FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications." NDSS 2010.
15. Prithvi Bisht, Tim Hinrichs, Nazari Skrupsky and V. N. Venkatakrishnan. "WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction." To appear in the 18th ACM Conference on Computer and Communications Security (CCS 2011).
16. Sylvain Halle, Taylor Ettema, Chris Bunch and Tevfik Bultan. "Eliminating Navigation Errors in Web Applications via Model Checking and Runtime Enforcement of Navigation State Machines." To appear in the Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering (ASE 2010), Antwerp, Belgium, 20-24 September 2010.
17. Brian J. Corcoran, Nikhil Swamy and Michael Hicks. "Cross-tier, Label-based Security Enforcement for Web Applications." In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 269-282, June 2009.