Technical advancements in modern smartphones and the widespread availability of Internet on-the-go have resulted in the world wide web becoming an inextricable part of everyday lives, pervading professional, social and personal activities. At the core of all this lies the ability to identify (i.e., authenticate) users and devices and allowing (i.e., authorizing) them to access accounts and sensitive resources. Flaws in existing authentication and authorization mechanisms allow cybercriminals as well as nation-state adversaries to gain illegal access, which can critically affect citizens, corporations, and government organizations alike. This project aims to better secure the world wide web through the analysis of prevalent and emerging authentication systems. The subsequent design of robust mechanisms that prevent illicit access from malicious entities will secure popular and critical web applications against current and unforeseen threats. The underlying research necessitates the development of novel techniques for analyzing web applications, and the proactive demonstration of novel attacks for guiding a data-driven design of more effective authentication mechanisms. The main research problems that the project seeks to study will form the basis for the training of both undergraduate and graduate students. The investigator is committed to working with minorities and underrepresented groups.
The complexity of modern web applications and the intricacies of security mechanisms often result in flaws that expose users to significant security and privacy threats. This is exacerbated by the continuous evolution of the web ecosystem and new authentication and authorization mechanisms being deployed without prior analysis by the security community. This project aims to explore existing and emerging authentication and authorization systems and practices in the modern web ecosystem, and develop modular application-agnostic and protocol-independent techniques and frameworks that advance current capabilities for auditing modern web applications along these dimensions. This includes the development of multiple components that employ differential testing techniques, each designed to explore a different dimension of authentication and authorization by leveraging a unique attack vector, thus, enabling the automated black-box detection of flaws at an Internet-wide scale. These techniques and systems provide a holistic evaluation and treatment of the current web authentication landscape, enable the forecasting and prevention of future threats, and can facilitate research across multiple disciplines.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.