Advanced Automated Web Application Vulnerability Analysis

Web applications are an integral part of our lives and culture. We useweb applications to manage our bank accounts, interact with friends,and file our taxes. A single vulnerability in one of these webapplications could allow a malicious hacker to steal your money, toimpersonate you on Facebook, or to access sensitive information, suchas tax returns. It is vital that we develop new approaches to discoverand fix these vulnerabilities before the cybercriminals exploit them.In this dissertation, I will present my research on securing the webagainst current threats and future threats. First, I will discuss mywork on improving black-box vulnerability scanners, which are toolsthat can automatically discover vulnerabilities in web applications.Then, I will describe a new type of web application vulnerability:Execution After Redirect, or EAR, and an approach to automaticallydetect EARs in web applications. Finally, I will present deDacota, afirst step in the direction of making web applications secure byconstruction

MuTent: Dynamic Android Intent Protection with Ownership-Based Key Distribution and Security Contracts

Intents are the plain-text based message object used for ICC by the Android framework. Hence the framework essentially lacks an inbuilt security mechanism to protect the visibility, accessibility, and integrity of Intent\u27s data that facilitates adversaries to intercept or manipulate the data. In this work, we investigate the Intent protection mechanism and propose a security-enhanced Intent library MuTent that allows Android apps to securely exchange sensitive data during ICC. Differently from the existing mechanism, MuTent provides accessibility and visibility of Intent data by validating the receiver\u27s capability and provides integrity by using encryption and the Arc security contract code. Especially, ICC is initiated by exchanging MuTent and follows a novel ownership-based key distribution model, that restricts the malware apps without permission from deciphering data. Through the evaluation, we show that MuTent can improve the security for popular Android apps with minimal performance overheads, demonstrated using F-Droid apps

Quantitative 3D analysis of complex single border cell behaviors in coordinated collective cell migration

Understanding the mechanisms of collective cell migration is crucial for cancer metastasis, wound healing and many developmental processes. Imaging a migrating cluster in vivo is feasible, but the quantification of individual cell behaviours remains challenging. We have developed an image analysis toolkit, CCMToolKit, to quantify the Drosophila border cell system. In addition to chaotic motion, previous studies reported that the migrating cells are able to migrate in a highly coordinated pattern. We quantify the rotating and running migration modes in 3D while also observing a range of intermediate behaviours. Running mode is driven by cluster external protrusions. Rotating mode is associated with cluster internal cell extensions that could not be easily characterized. Although the cluster moves slower while rotating, individual cells retain their mobility and are in fact slightly more active than in running mode. We also show that individual cells may exchange positions during migration

Challenges in cybersecurity: Lessons from biological defense systems

Defending against novel, repeated, or unpredictable attacks, while avoiding attacks on the 'self', are the central problems of both mammalian immune systems and computer systems. Both systems have been studied in great detail, but with little exchange of information across the different disciplines. Here, we present a conceptual framework for structured comparisons across the fields of biological immunity and cybersecurity, by framing the context of defense, considering different (combinations of) defensive strategies, and evaluating defensive performance. Throughout this paper, we pose open questions for further exploration. We hope to spark the interdisciplinary discovery of general principles of optimal defense, which can be understood and applied in biological immunity, cybersecurity, and other defensive realms

Advanced Automated Web Application Vulnerability Analysis

Web applications are an integral part of our lives and culture. We useweb applications to manage our bank accounts, interact with friends,and file our taxes. A single vulnerability in one of these webapplications could allow a malicious hacker to steal your money, toimpersonate you on Facebook, or to access sensitive information, suchas tax returns. It is vital that we develop new approaches to discoverand fix these vulnerabilities before the cybercriminals exploit them.In this dissertation, I will present my research on securing the webagainst current threats and future threats. First, I will discuss mywork on improving black-box vulnerability scanners, which are toolsthat can automatically discover vulnerabilities in web applications.Then, I will describe a new type of web application vulnerability:Execution After Redirect, or EAR, and an approach to automaticallydetect EARs in web applications. Finally, I will present deDacota, afirst step in the direction of making web applications secure byconstruction