OWASP (Open Web Application Security Project) is an open, global organization working for the security of software applications, with a focus on web applications. At the top of the organization's list of risks on the internet is code injection, where an attacker injects untrusted data as part of a command or query. The hostile data can then trick the service to execute commands, or provide access to the data without proper authentication. Another common method of attack is Cross Site Scripting (XSS), when the attacker sends text-based scripts that exploit the browser. Almost any source of data can be attacked, including internal sources such as data from a database.
A problem with today's web is that it is based on "all or nothing". Code on a web page has the same rights regardless of where it comes from; from the web page itself, from a third party, such as advertising or statistics, or as the result of an attack", says Andrei Sabelfeld.
In the project Securing Practical Web Applications, Andrei Sabelfeld and his research group will, among other things, work to enable web developers to restrict a site's access to external resources, through mechanisms that will define security policies to verify that the code comes from an approved source. The collaboration with Google also implies that there will be opportunities for experiments with security policies for Google's web services and products, as well as opportunities for support in web browsers for the developed security policies.
In another part of the project, general techniques for modular and secure sandboxing of untrusted code will be designed. The scenario is that of untrusted code that needs to be loaded in the browser, and used for rendering the results of computation to the user while preventing network communication.
"There are many independently interesting applications scenarios for this type of sandboxing, such as loan or tax calculators, that need access to private financial information, which should not leave the browser. We will explore the limits of what can be achieved to isolate untrusted components of a web application" says Andrei Sabelfeld.
As an additional challenge, these security measures need to be adapted to be implemented with little to no impact on the systems performance noticeable to the user.
Professor Andrei Sabelfeld, Software Technology division, Computer Science and Engineering.firstname.lastname@example.org
Phone: +46 31 772 10 18
About the grant
Google received 950 applications in this year's call, and granted 151 of them.
The grant for "Securing Practical Web Applications" is 67,845.00 USDInformation about Google Research Awards