Security is an ever-present and growing problem in the web and mobile app domain. Norton reports that the number of reported mobile app vulnerabilities doubled from 2010 to 2011 and that one in eight legitimate web sites has at least one critical vulnerability. The impact of security vulnerabilities has also been amplified because users put increasingly more personal and sensitive information, such as banking, social network, and photo data, onto their mobile devices.
Tools that our group has developed, such as PUMA, SIF, and Violist, allow us to explore, monitor, and predict the runtime behavior of mobile apps. We are currently working on projects to apply these techniques to mobile apps with the goal of improving their security.
Our prior work in security focused on web applications, in particular on techniques for preventing SQL injection attacks. Readers interested in a survey of SQL injection attack techniques and countermeasures may find our ISSSE 2006 paper [3] useful. The AMNESIA technique [1, 2, 4] is described in depth on its own page, as is the SQL Injection Testbed.
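As an added illustration (not code from the group's tools or papers), the Python sketch below shows the core idea behind model-based runtime checking of SQL queries in the spirit of AMNESIA: reduce each query to its syntactic skeleton (keywords, identifiers, operators, with literals collapsed to a single LIT token), compare that skeleton against a model of the queries the application is meant to issue, and reject any query whose structure differs. It assumes a toy tokenizer and a single hard-coded query template; the model is derived here from one legitimate instantiation of the template, whereas the real technique derives it by static analysis of the program's string operations. A query that cannot be tokenized at all (for example, one with an unterminated string literal) is treated as a mismatch rather than an error.

```python
import re

# Toy SQL tokenizer (an assumption of this example, not a full SQL grammar).
# Alternatives are tried in order, so comments are recognised before operators.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')            # single-quoted literal, '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<op>[=<>!]+|[(),;*.+-])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT", "INTO",
    "VALUES", "UPDATE", "SET", "DELETE", "DROP", "NULL", "ORDER", "BY", "LIMIT",
}


def tokenize(sql):
    """Return the structural skeleton of a query.

    Keywords are uppercased, identifiers are tagged, operators are kept as-is,
    every string or numeric literal becomes the single token LIT, and comments
    become COMMENT. Raises ValueError if the text cannot be tokenized.
    """
    skeleton = []
    pos = 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {sql[pos:pos + 10]!r}")
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            skeleton.append("LIT")
        elif kind == "word":
            upper = text.upper()
            skeleton.append(upper if upper in KEYWORDS else "ID:" + text.lower())
        elif kind == "comment":
            skeleton.append("COMMENT")
        else:
            skeleton.append(text)
    return skeleton


def build_query(login, pin):
    """Vulnerable query construction by string concatenation (hypothetical app code)."""
    return f"SELECT * FROM users WHERE login = '{login}' AND pin = {pin}"


# The model of the legitimate query: here taken from one benign instantiation
# of the template (the real technique derives this statically from the code).
MODEL = tokenize(build_query("alice", "1234"))


def check_query(model, sql):
    """Accept the query only if its skeleton matches the model exactly."""
    try:
        return tokenize(sql) == model
    except ValueError:
        # Unparseable text (e.g. an unterminated quote) never matches the model.
        return False


def is_accepted(login, pin):
    """Runtime monitor: would the query built from these inputs be sent to the DB?"""
    return check_query(MODEL, build_query(login, pin))


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one with an escaped quote, and
    # three classic injection shapes (comment, tautology, stacked statement).
    for login, pin in [("alice", "1234"), ("O''Brien", "42"),
                       ("admin' --", "0"), ("x' OR '1'='1", "0"),
                       ("alice", "1; DROP TABLE users")]:
        print(f"{login!r:22} {pin!r:22} -> {'accept' if is_accepted(login, pin) else 'REJECT'}")
```

The check is strict structural equality, so the monitor rejects any input that adds or removes a keyword, operator, or comment, while inputs that only change the value of a literal (including a properly escaped quote inside it) pass. A production implementation would need a model per query site and a tokenizer matching the target database's dialect.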
[8] Penetration Testing with Improved Input Vector Identification. William G. J. Halfond, Shauvik Roy Choudhary, and Alessandro Orso. In Proceedings of the International Conference on Software Testing, Verification, and Validation (ICST). April 2009. Best Presentation Award.
[7] WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation. William G. J. Halfond, Alessandro Orso, and Panagiotis Manolios. IEEE Transactions on Software Engineering, Volume 34. 2008.
[6] Malware Detection. William G. J. Halfond and Alessandro Orso. Chapter in Detection and Prevention of SQL Injection Attacks (C. Wang, S. Jha, D. Song, D. Maughan, eds.). Springer. 2007.
[5] Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. William G. J. Halfond, Alessandro Orso, and Panagiotis Manolios. In Proceedings of the Symposium on the Foundations of Software Engineering (FSE 2006). November 2006.
[4] Preventing SQL Injection Attacks Using AMNESIA. William G. J. Halfond and Alessandro Orso. In Proceedings of the International Conference on Software Engineering (ICSE) – Formal Demo. May 2006.
[3] A Classification of SQL-Injection Attacks and Countermeasures. William G. J. Halfond, Jeremy Viegas, and Alessandro Orso. In Proceedings of the International Symposium on Secure Software Engineering (ISSSE). March 2006.
[2] AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. William G. J. Halfond and Alessandro Orso. In Proceedings of the International Conference on Automated Software Engineering (ASE). November 2005. ASE 2020 Most Influential Paper Award.
[1] Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. William G. J. Halfond and Alessandro Orso. In Proceedings of the International Workshop on Dynamic Analysis (WODA). May 2005.