Internship Proposals 2014/2015 - Multi-year

DEI - FCTUC
Generated on 2024-04-18 15:07:00 (Europe/Lisbon).

Internship Title

Assessing Web Services Security Using Malicious Data Injection

Technology Area

Software Engineering

Internship Location

DEI-FCTUC

Background

Web services are increasingly used in business and safety-critical environments. They typically use a relational database to store and retrieve data and rely on that data to deliver service to clients. The executing services frequently assume that the data being manipulated is trustworthy, which is not always the case. For instance, in composite web service environments (e.g., a business process) different services can use the same database both to store and to share information. In such scenarios, malicious (or simply buggy) services can store malicious data, which can exploit vulnerabilities in other applications and lead those applications (which rely on the stored data to provide service) to severe failures. The failure of a service application can have disastrous consequences for the parties involved (e.g., financial or reputation losses).

Objective

The goal of this work is to set the basis for an approach that can assess how vulnerable a service application is to malicious data. We expect the results to be usable both to suggest fixes for applications that fail in the presence of malicious data and to suggest prevention techniques for the development of new applications.

Work Plan - Semester 1

[Some tasks overlap and might be adjusted according to the course calendar for 2013-2014]


T1 (September-November): Knowledge transfer and state of the art literature review on application security and robustness.

T2 (November): Design of an attack model (e.g., malicious data), using the information gathered in task T1 as a basis.

T3 (November-December): State of the practice review on practical (programming) fault-injection and wrapping techniques. Implementation of a proof-of-concept prototype over a selected database driver.

T3 (January): Writing the intermediate report.

Work Plan - Semester 2

[Some tasks overlap and might be adjusted according to the course calendar for 2013-2014]

T4 (February-March): Implementation of an attack-injection tool that can emulate malicious data delivered from a database to a very simple service application. Includes the following sub-tasks:
- Creation of a simple web service with access to a single database table that contains one column for each data type defined in the attack model.
- Design of an Application Programming Interface, based on the attack model.
- Creation of a wrapper around the database driver in order to inject the faults at runtime.
- Implementation of all defined attacks.
- Definition and execution of tests (functional).
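As an added illustration of the T2 attack model and the T4 driver wrapper (this is example code written for this page, not the proposal's or the authors' tool), the sketch below wraps a Python sqlite3 connection so that one column of every fetched row is replaced with a value from a constructed attack model, runs a toy "service" against each injected value, and sorts the outcomes into coarse classes. The attack model, the `orders` table, both service functions and the outcome classes are assumptions made for the example; the failure-mode scale referred to in T6 is not reproduced. The hardened variant shows the kind of fix the objective section anticipates: validate what the driver hands back instead of trusting it.

```python
import math
import sqlite3
import sys
from typing import Any, Callable, Dict, List

# Attack model (constructed for this example): per column type, the values a
# buggy or malicious co-tenant service might have left in the shared table.
ATTACK_MODEL: Dict[str, List[Any]] = {
    "TEXT": ["", "A" * 10_000, "'; DROP TABLE orders; --", "<script>alert(1)</script>", None],
    "INTEGER": [0, -1, sys.maxsize, -sys.maxsize - 1, None],
    "REAL": [0.0, -1.5, float("inf"), float("nan"), None],
}
# Table under test: one column per data type in the attack model (assumed schema).
COLUMNS = {"customer": "TEXT", "quantity": "INTEGER", "unit_price": "REAL"}


class InjectingCursor:
    """Wraps a DB-API cursor and rewrites one column of every row it returns,
    so the service sees malicious data while the real table stays untouched."""

    def __init__(self, cursor, column_index: int, value: Any):
        self._cursor, self._idx, self._value = cursor, column_index, value

    def execute(self, sql: str, params=()):
        self._cursor.execute(sql, params)
        return self

    def _mutate(self, row):
        row = list(row)
        row[self._idx] = self._value
        return tuple(row)

    def fetchall(self):
        return [self._mutate(r) for r in self._cursor.fetchall()]

    def __getattr__(self, name):  # everything else passes straight through
        return getattr(self._cursor, name)


class InjectingConnection:
    """Wraps a DB-API connection; the campaign sets which column and value to inject."""

    def __init__(self, conn):
        self._conn, self.column_index, self.value = conn, None, None

    def cursor(self):
        cur = self._conn.cursor()
        return cur if self.column_index is None else InjectingCursor(cur, self.column_index, self.value)


def order_report(conn) -> str:
    """The 'very simple service': trusts every row it reads and totals per customer."""
    cur = conn.cursor()
    cur.execute("SELECT customer, quantity, unit_price FROM orders")
    totals: Dict[Any, float] = {}
    for customer, qty, price in cur.fetchall():
        totals[customer] = totals.get(customer, 0.0) + qty * price
    return "\n".join(f"{c}: {t:.2f}" for c, t in totals.items())


def order_report_hardened(conn) -> str:
    """Same service, but it validates what the database hands back instead of trusting it."""
    cur = conn.cursor()
    cur.execute("SELECT customer, quantity, unit_price FROM orders")
    totals: Dict[str, float] = {}
    rejected = 0
    for customer, qty, price in cur.fetchall():
        if (not isinstance(customer, str) or not 0 < len(customer) <= 64
                or not isinstance(qty, int) or not 0 <= qty <= 10_000
                or not isinstance(price, float) or not math.isfinite(price) or price < 0):
            rejected += 1  # count and skip instead of crashing or propagating garbage
            continue
        totals[customer] = totals.get(customer, 0.0) + qty * price
    lines = [f"{c}: {t:.2f}" for c, t in totals.items()]
    return "\n".join(lines + [f"rejected rows: {rejected}"])


def classify(run: Callable[[], str]) -> str:
    """Coarse outcome classes (constructed; not the failure-mode scale the proposal refers to)."""
    try:
        out = run()
    except Exception as exc:
        return f"exception:{type(exc).__name__}"
    return "corrupted_output" if ("nan" in out or "inf" in out) else "completed"


def run_campaign(service: Callable[[Any], str]) -> Dict[str, str]:
    """Run `service` once per (column, attack value) pair and record each outcome."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, quantity INTEGER, unit_price REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [("alice", 2, 2.5), ("bob", 1, 7.5)])  # constructed sample rows
    proxy = InjectingConnection(conn)
    results: Dict[str, str] = {}
    for idx, (col, sql_type) in enumerate(COLUMNS.items()):
        for value in ATTACK_MODEL[sql_type]:
            proxy.column_index, proxy.value = idx, value
            results[f"{col}={value!r}"[:40]] = classify(lambda: service(proxy))
    return results


if __name__ == "__main__":
    for name, outcome in run_campaign(order_report).items():
        print(f"{name:40} {outcome}")
```

Running the campaign against `order_report` shows the trusting service raising `TypeError` for `NULL` numeric values and emitting `inf`/`nan` totals for non-finite prices, while `order_report_hardened` completes in every case and reports how many rows it refused. Because the wrapper sits between the driver and the service, the same campaign can be pointed at any DB-API-compatible application without modifying its code or its data.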


T5 (April): Application of the prototype to an in-house implementation of TPC-App, a web services performance benchmark.

T6 (April): Analysis of the results and study of the applicability of an existing failure mode scale for services (used successfully in previous research). Validation of the overall approach.

T7 (May): Writing a research paper and submitting it to a top international conference in the Dependability or Services areas (e.g., IEEE/IFIP Dependable Systems and Networks, IEEE Services Computing Conference, International Conference on Service Oriented Computing).

T8 (June): Writing the thesis.

Conditions

N/A

Remarks

The work will be supervised by Prof. Nuno Laranjeiro with co-supervision by Prof. Marco Vieira. It will be carried out at the Department of Informatics Engineering of the University of Coimbra (CISUC - Software and Systems Engineering Group), where a workplace and the necessary computer resources will be provided.
A scholarship might be available (not confirmed at the moment) for selected students.

Supervisor

Nuno Laranjeiro
cnl@dei.uc.pt