A significant number of attacks on Web browsers and Web applications succeed through the use of malicious inputs. For instance, attacks on web browser extensions (add-ons) target browsers by supplying malicious input to a vulnerable extension. Malicious inputs exercise unintended behaviors, leading to attacks that compromise the confidentiality, integrity and availability of web-based systems. This project systematically examines the role that user inputs play in web browsers and applications, and develops techniques to prevent these attacks by confining their influence. The challenge is to develop sound and precise automated analysis mechanisms for web-based platforms such as JavaScript. Research from the areas of static and dynamic analysis, information flow tracking and learning program behaviors will be used to develop robust, efficient and highly precise techniques.
Papers from the project will be distributed in popular online resources for Web security for the widest possible dissemination and further enhancement. Furthermore, the PIs will transition results from this research to Web development and standards communities. The results of this project will be integrated into new and existing courses in the undergraduate and graduate curricula at the University of Illinois campuses at Chicago and Urbana-Champaign. These courses will train a growing workforce of software engineers who will be more security-aware and will apply these principles to lay a platform for a more secure Web. This project will also directly contribute to the research training of three Ph.D. students supervised by the PIs. It will also support the involvement of the PIs in outreach activities aimed at K-12 teacher training and minority groups, and their contributions to designing programs that create awareness of and interest in computer science.