| Authors | Marco Cova |
| Venue | Ph.D. dissertation, University of California, Santa Barbara |
| Place and Year | July 2010 |
| Full Paper | [PDF] |
The World Wide Web has changed dramatically from its beginnings. The handful of web pages that existed two decades ago have become more than one trillion; static pages have largely been replaced by dynamic content; and web applications providing a vast range of services (from online banking to e-commerce) are now commonplace. At the same time, the web has become the predominant means for people to interact with each other, do business, and participate in democratic processes.
Unfortunately, the web has also become a more dangerous place. In fact, web-based attacks are now a prevalent and serious threat. These attacks target both web applications, which store sensitive data (such as financial and personal records) and are trusted by large user bases, and web clients, which, after a compromise, can be mined for private data or used as drones of a botnet. The magnitude of these problems has prompted a number of efforts within the security community towards improving the security of the web. In particular, a number of techniques have been proposed to identify vulnerabilities in web applications before they are deployed, and to detect and analyze attacks against web applications and web browsers.
The current state of the art, however, fails to address several interesting challenges. In particular, vulnerability analysis tools for web applications are often limited in the type of vulnerabilities that they can detect. Flaws that require multiple interactions with the application in order to be exposed, such as stored SQL injections, and those that depend on application-specific security policies, such as authentication bypasses, are especially difficult to identify. Similarly, tools to detect attacks against web clients are difficult to configure, can be evaded, and offer limited explanatory power.
In this dissertation, we present the approaches and techniques that we developed to ameliorate the security problems found on today's web. On the web application side, the problems of detecting multi-step vulnerabilities and insufficient sanitization are addressed through the use of static analysis techniques. Furthermore, a first step toward the detection of a class of attacks that violate application-specific policies is taken by using anomaly detection and likely invariant learning techniques. On the client side, we discuss how we use a combination of emulation and anomaly detection techniques to identify malicious web pages that launch drive-by-download attacks against their visitors. Finally, we discuss several measurements that we performed in the context of phishing and botnets to better understand the modus operandi of the attackers and their tools and strategies.