
Detection and prevention of logic attacks against web applications through black-box analysis

Li, Xiaowei
URL: https://etd.library.vanderbilt.edu/etd-05302013-125736
URL: http://hdl.handle.net/1803/12428
Date: 2013-06-10

Abstract

The three-tier web architecture has become the de facto solution for delivering information and business services over the Internet. At its center is the web application, which implements the business logic, accesses the information stored in the back-end database and interacts with users through the front-end web server. As web applications grow more complex to support sophisticated business functionality, an emerging class of vulnerabilities, referred to as logic vulnerabilities (a.k.a. logic flaws), has attracted increasing attention in recent years. The attacks that target these vulnerabilities, referred to as logic attacks or state violation attacks, pose serious security threats. To date, few works have studied logic vulnerabilities, and effective measures to mitigate logic attacks have yet to be developed. Most existing work targets only one specific type of logic vulnerability and is limited by the availability of application source code and by its applicability to specific development languages and platforms. The major challenge is that application logic flaws and attacks are specific to the functionality of a particular web application, whose implementation usually comes without an explicit logic specification. In this dissertation, we address logic attacks against web applications in an automated, general and black-box way (i.e., without requiring the application source code). We present several techniques for automatically deriving the application logic specification by observing and extracting patterns from the interactions between the application and its users, as well as between the application and the database. We then leverage the inferred logic specification both for runtime detection of logic attacks (the defensive approach) and for discovery of logic vulnerabilities within web applications (the preventive approach).

The defensive approach can protect potentially vulnerable web applications that cannot be taken offline for vulnerability analysis, while the preventive approach helps developers identify and fix logic flaws in their implementations so that the applications are immune to logic attacks. We implemented two prototype systems, BLOCK and SENTINAL, based on our defensive techniques, and three prototype systems, LogicScope, EXPELLER and BATMAN, based on our preventive techniques. These prototypes have different features and focuses. We evaluate them on a set of real-world open-source web applications. The experimental results demonstrate the effectiveness of our techniques and prototype systems.
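The black-box idea sketched above, as an added worked example that is not code from the dissertation or from its BLOCK/SENTINAL prototypes: a benign trace of (request path, request parameters, session state) observations is used to infer two families of invariants per request type, namely the session state that is always present before the request (e.g., the payment flag set before checkout) and request parameters that always mirror a session variable (e.g., the uid parameter equals the session's uid). Incoming requests are then checked against the inferred specification, so a checkout with the payment flag unset, a uid parameter pointing at another user's record, or an admin request from a non-admin session is reported as a state violation. The trace format, the paths, the session variable names, the sample data and the two invariant families are assumptions made for illustration.

```python
"""Black-box inference of a web application's logic specification from
observed benign interactions, followed by runtime checking of requests
against it.  Added illustrative example: this is not code from the
dissertation or from its BLOCK/SENTINAL prototypes.  The trace format and
the two invariant families below are simplifying assumptions."""

from collections import defaultdict

# Constructed benign trace (hypothetical data): each entry is
# (request path, request parameters, session variables as the application
# saw them before handling the request).  "paid" models a server-side flag
# set once the payment step has completed.
BENIGN_TRACE = [
    ("/login",    {"user": "alice"},          {}),
    ("/view",     {"uid": "7"},               {"uid": "7", "role": "user", "paid": "0"}),
    ("/checkout", {"uid": "7", "cart": "3"},  {"uid": "7", "role": "user", "paid": "1"}),
    ("/login",    {"user": "bob"},            {}),
    ("/view",     {"uid": "9"},               {"uid": "9", "role": "user", "paid": "0"}),
    ("/checkout", {"uid": "9", "cart": "1"},  {"uid": "9", "role": "user", "paid": "1"}),
    ("/admin",    {},                         {"uid": "1", "role": "admin", "paid": "0"}),
    ("/admin",    {},                         {"uid": "2", "role": "admin", "paid": "0"}),
]


def infer_spec(trace):
    """Derive, per request type, the invariants that hold in every benign observation.

    Returns {path: (required, equal)} where
      required = set of (session key, value) pairs always present before that request
      equal    = set of (request param, session key) whose values always coincide
    """
    by_path = defaultdict(list)
    for path, params, session in trace:
        by_path[path].append((params, session))

    spec = {}
    for path, observations in by_path.items():
        # Invariant family 1: session state required before this request type
        # (intersection of the session contents over all benign observations).
        required = set(observations[0][1].items())
        common_params = set(observations[0][0])
        common_keys = set(observations[0][1])
        for params, session in observations[1:]:
            required &= set(session.items())
            common_params &= set(params)
            common_keys &= set(session)
        # Invariant family 2: a request parameter that always mirrors a session
        # variable (an ownership check the application should be enforcing).
        equal = {
            (p, k)
            for p in common_params
            for k in common_keys
            if all(pr[p] == se[k] for pr, se in observations)
        }
        spec[path] = (required, equal)
    return spec


def check_request(spec, path, params, session):
    """Return the invariant violations for one runtime request (empty list if none)."""
    if path not in spec:
        return [f"{path}: no specification inferred for this request type"]
    required, equal = spec[path]
    violations = []
    for key, value in sorted(required):
        if session.get(key) != value:
            violations.append(
                f"{path}: session[{key!r}] must be {value!r}, found {session.get(key)!r}")
    for param, key in sorted(equal):
        if params.get(param) != session.get(key):
            violations.append(
                f"{path}: parameter {param}={params.get(param)!r} must equal "
                f"session[{key!r}]={session.get(key)!r}")
    return violations


if __name__ == "__main__":
    spec = infer_spec(BENIGN_TRACE)
    attacks = [  # constructed state-violation attempts
        ("/checkout", {"uid": "7", "cart": "2"}, {"uid": "7", "role": "user", "paid": "0"}),
        ("/view", {"uid": "9"}, {"uid": "7", "role": "user", "paid": "0"}),
        ("/admin", {}, {"uid": "7", "role": "user", "paid": "0"}),
    ]
    for path, params, session in attacks:
        for v in check_request(spec, path, params, session):
            print("ALERT", v)
```

Two caveats a practitioner would want: the inferred specification is only as good as the benign trace, so a request type seen once over-fits (every session pair it was seen with becomes "required") and an unseen request type raises an alert by default, which is a deliberate deny-by-default choice rather than a property of the technique; and this toy looks only at session state and parameters, whereas the defensive approach described in the abstract also draws on the responses and database interactions.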
Files in this item

Name: LiXiaowei.pdf
Size: 1.519Mb
Format: PDF

    This item appears in the following collection(s):

    • Electronic Theses and Dissertations
