Automated Vulnerability Analysis for Modern Application Software

October 6, 2017
Versione stampabile

Time: October 6, 2017, h. 10.30 am
Location: Room Levico, Polo scientifico e tecnologico "Fabio Ferrari", Building Povo 2, via Sommarive 9, Povo (Trento)

Speaker

Giancarlo Pellegrino - Research group leader at CISPA (Center for IT Security, Privacy, and Accountability),  Saarland

Abstract

The complexity and pervasiveness of application software are growing rapidly. Nowadays, application software encompasses multiple devices, e.g., mobile and IoT,  and web services to perform operations ranging from online shopping and managing household appliances to controlling manufacturing processes. Like any other programs, application software has vulnerabilities that, when exploited,  can be used for financial fraud, stealing confidential data, and industrial espionage.

Unfortunately, existing automated vulnerability analysis techniques are inadequate to tackle the complexity reached by these programs, thus leaving them exposed to attackers. My main research topic intends to stop this emerging trend and lay the foundation for the next-generation automated vulnerability analysis techniques.

This talk focuses on the detection power and attack surface coverage challenges and presents two recent advances in the field. The first part of the talk presents Deemon, a tool that combines dynamic analysis and property graphs to mine Cross-Site Request Forgery, a long-neglected severe vulnerability. The second part of the talk presents jAEk, a new generation web application crawler that uses JavaScript dynamic analysis to increase the covered attack surface of web applications by 80%.

About the Speaker 

Giancarlo Pellegrino is currently a research group leader at CISPA. His main research interests include all aspects of application security especially web security and automated vulnerability analysis. He has been selected for the CISPA-Stanford Center for Cybersecurity, and he will be soon appointed to a visiting assistant professor at Stanford University. Prior to that, Giancarlo was a postdoctoral researcher at CISPA and TU Darmstadt, Germany. During his doctoral studies, Giancarlo was a member of the S3 group at EURECOM, in France, under the supervision of Prof. Davide Balzarotti. Until August 2013, he was a researcher associate in the "Security and Trust" research group at SAP SE.

Contact Person Regarding this Talk: Prof. bruno.crispo [at] unitn.it (Bruno Crispo)