UTCS Colloquia - Venkat Venkatakrishnan, University of Illinois at Chicago, "Web Parameter Tampering: Vulnerability Analysis, Attack Detection and Prevention"
Talk Audience: UTCS Faculty and Graduate Students
Host: Vitaly Shmatikov
Talk Abstract: Web applications rely heavily on client-side computation to examine and validate form inputs that are supplied by a user (e.g., "credit card expiration date must be valid"). This is typically done for two reasons: to reduce the burden on the server and to avoid latencies in communicating with the server. However, when a server fails to replicate the validation performed on the client, it is potentially vulnerable to attack. In the first part of this talk, we present an approach for identifying vulnerabilities of this kind in web sites and in open source web applications through program analysis. Our approach has been employed to discover several previously unknown vulnerabilities in a number of open-source web applications and live web sites. The second part of this talk presents an approach to detect these attacks in existing (legacy) web applications in a server-agnostic fashion. Finally, we discuss a principled approach to prevent these flaws in the context of the Rails web application framework using automated code synthesis.
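The abstract's central point is that whatever the browser checks, the server must check again, because form parameters can be altered before they reach it. As an added illustration (not code from the talk or from the speaker's work), the JavaScript below keeps one declarative validation spec that the browser form and the server handler both run, and derives the price from a server-side catalogue rather than from any client-supplied value. The field names, the order form, the catalogue and the request shape are all hypothetical.

```javascript
// Added example: one validation spec shared by client and server code, so the
// server-side checks cannot drift from (or silently lack) the client-side ones.
// Field names, catalogue and request shape are constructed for illustration.

const MAX_QTY = 10;

// Declarative rules. Each check receives the raw string value (and a clock for
// time-dependent rules) and returns true when the value is acceptable.
const RULES = {
  item:     { check: (v) => /^[a-z0-9-]{1,32}$/.test(String(v)),
              msg: 'must be a short slug' },
  quantity: { check: (v) => /^\d+$/.test(String(v)) && Number(v) >= 1 && Number(v) <= MAX_QTY,
              msg: `must be an integer between 1 and ${MAX_QTY}` },
  expiry:   { check: (v, now) => isFutureExpiry(v, now),
              msg: 'must be MM/YY and not in the past' },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// "MM/YY" must parse and refer to the current month or later (UTC).
function isFutureExpiry(v, now = new Date()) {
  const m = /^(\d{2})\/(\d{2})$/.exec(String(v));
  if (!m) return false;
  const month = Number(m[1]);
  const year = 2000 + Number(m[2]);
  if (month < 1 || month > 12) return false;
  const yNow = now.getUTCFullYear();
  const mNow = now.getUTCMonth() + 1;
  return year > yNow || (year === yNow && month >= mNow);
}

// Returns an array of error strings; an empty array means the parameters pass.
// Missing fields and unexpected fields are both errors, so a request cannot
// omit a check or smuggle in a field the form never exposed (e.g. a price).
function validateParams(params, now = new Date()) {
  const errors = [];
  for (const [name, rule] of Object.entries(RULES)) {
    if (!hasOwn(params, name)) { errors.push(`${name}: missing`); continue; }
    if (!rule.check(params[name], now)) errors.push(`${name}: ${rule.msg}`);
  }
  for (const name of Object.keys(params)) {
    if (!hasOwn(RULES, name)) errors.push(`${name}: unexpected parameter`);
  }
  return errors;
}

// Constructed catalogue standing in for the server's own price list (cents).
const CATALOG = { widget: 1999, gadget: 4999 };

// Server-side handler: re-runs exactly the same validation the browser ran,
// then computes the total from the catalogue instead of trusting the client.
// hasOwn (not `in`) keeps prototype keys such as "constructor" from resolving.
function handleOrder(body, now = new Date()) {
  const errors = validateParams(body, now);
  if (errors.length > 0) return { status: 400, errors };
  if (!hasOwn(CATALOG, body.item)) return { status: 400, errors: ['item: unknown'] };
  const totalCents = CATALOG[body.item] * Number(body.quantity);
  return { status: 200, totalCents };
}

// In the browser the same validateParams() would run in the form's submit
// handler to give early feedback; the server call above is the one that counts.
```

Because the rules live in one module, a field added to the form later gets the same check on both sides, which is the replication failure the talk's program analysis looks for.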
Speaker Bio: V.N. (Venkat) Venkatakrishnan's (http://www.cs.uic.edu/~venkat) broad research interests are in computer security and privacy. He is particularly interested in the security of software systems, in vulnerability analysis and in automated approaches to preventing large scale attacks on computer systems. His research work draws on techniques rooted in programming languages and compilers, operating systems, software engineering and formal methods to address practical problems in computer security. He received his Ph.D. and M.S. degrees in computer science from Stony Brook University in 2004 and M.Sc and B.E. degrees from Birla Institute of Technology and Science (BITS), Pilani, India, in 1997. He is currently Associate Professor of Computer Science at the University of Illinois at Chicago (UIC), and directs UIC's Center for Research and Instruction in Technologies in Electronic Security (RITES). He is the recipient of the National Science Foundation CAREER award in 2009, several best paper awards and multiple UIC campus level awards for his research as well as his teaching. His research is supported by the National Science Foundation, U.S. Department of Homeland Security, Defense Advanced Research Projects Agency and the Air Force Office of Scientific Research. He is the Lead Principal Investigator and Director of a new PhD program on Electronic Security and Privacy (http://securityigert.uic.edu) that is funded by a $3.2M NSF IGERT grant.