Bilkent University
Department of Computer Engineering


Detecting and Repairing Security Vulnerabilities in Web Applications


Prof. Dr. Tevfik Bultan
University of California

Since web applications are easily accessible, and often store a large amount of sensitive user information, they are a common target for attackers. In particular, attacks that focus on input validation and sanitization vulnerabilities are extremely effective and dangerous. To address this problem, we developed automated string analysis techniques that can identify web applications with erroneous or insufficient input validation and sanitization. Our approach (1) automatically extracts client- and server-side input validation and sanitization functions, (2) models them as deterministic finite automata (DFAs) using symbolic fixpoint computations, and (3) identifies errors in input validation and sanitization code by either checking the code with respect to manually specified attack patterns, or by identifying inconsistencies in input validation and sanitization operations at the client and server-side code. Furthermore, we developed automated repair techniques that strengthen the input validation and sanitization checks in order to eliminate identified vulnerabilities. We implemented these techniques in two tools: Stranger (STRing AutomatoN GEneratoR) and SemRep (SEMantic differential REPair), which are available at: Our evaluation demonstrates that these techniques are very promising: when applied to a set of real-world web applications, our techniques are able to automatically identify a large number of security vulnerabilities and repair them.

Short Bio: Tevfik Bultan is a Professor in the Department of Computer Science at the University of California, Santa Barbara (UCSB). His current research interests are in dependability of web software and services, automated verification, string analysis, and data model specification and analysis. He has more than 100 refereed research publications and has served on more than 50 technical program committees of international conferences and workshops. He co-chaired the program committees of the 9th International Symposium on Automated Technology for Verification and Analysis (ATVA 2011), the 20th International Symposium on the Foundations of Software Engineering (FSE 2012) which is the flagship conference of ACM SIGSOFT, and the 28th IEEE/ACM International Conference on Automated Software Engineering (ASE 2013). He has served as the vice chair of the Department of Computer Science at UCSB from 2005 to 2009.

Tevfik Bultan was a keynote speaker at the 19th International Conference on Concurrency Theory (CONCUR 2008), the 6th ACM-IEEE International Conference on Formal Methods and Models for Codesign (MEMOCODE 2008), the 9th International Symposium on Formal Aspects of Component Software (FACS 2012), and the 2013 IFIP Joint International Conference on Formal Techniques for Distributed Systems (33rd FORTE / 15th FMOODS). He received a NATO Science Fellowship from the Scientific and Technical Research Council of Turkey (TUBITAK) in 1993, a Regents' Junior Faculty Fellowship from the University of California, Santa Barbara in 1999, a Faculty Early Career Development (CAREER) Award from the National Science Foundation in 2000, the ACM SIGSOFT Distinguished Paper Award in 2005 and 2014, and the Best Paper Award at the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE 2005).


DATE: 14 May, 2015, Thursday @ 10:40