
Security Enhancements

Alex Raymond

Semester 2:

5/8: Final set of code for the content management system submitted; final paper completed and submitted.

4/30: Presented at the Celebration of Student Achievement.

4/9-4/23: Merger of final security and interface code; implementation of developed security code on every page of the new Unbound site, including testing and scanning using Paros.

4/2: First draft of final project paper submitted.

3/26: Completion of prepare statement and htmlentities() implementation.

3/12 - 3/16: Attended SIGCSE 2008 in Portland, Oregon. Presented at the ACM Student Research Competition. View poster here.

3/5: Completion of poster for SIGCSE 2008, other conference preparations.

2/27: Prepared statements in site forms operational. Began using Paros web scanner to analyze security vulnerabilities on original website as well as site with new security code.

2/20: Merging of security code with new interface.

2/13: Interview with Dr. Kim Pearson regarding current and future Unbound functionality.

2/6: First draft of poster for SIGCSE. Further research into security analysis. Merger of new security code with new interface code.

  • Huang, Y., et al. 2003. Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 12th international conference on World Wide Web. ACM Press.
  • Livshits, V., and M. Lam. 2005. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the 14th USENIX Security Symposium. ACM Press.

1/30/08: Research into security analysis and benchmarks.

  • Huang, Y., et al. 2004. Securing Web Application Code by Static Analysis and Runtime Protection. In WWW '04: Proceedings of the 13th international conference on World Wide Web. ACM Press.

Semester 1:

12/12: Final version of first-semester paper handed in. View here.

12/5: Practicum presentations. View poster here.

11/27: Poster draft completed, continued work on PHP security, specifically file upload security.

11/6-20: Implementation of PHP security measures, including:

  • session ID regeneration
  • improved password encryption
  • checking for form completion
  • session inactivity time limit
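The four measures listed above, together with the prepared statements and htmlentities() output encoding from the 3/26 entry, are illustrated below in a single PHP sketch. This is an added example written for this page, not code from the Unbound content management system; the table name `users`, the column names, the field names `username`/`password`, the idle limit of 900 seconds and the use of an in-memory SQLite database for the demonstration are all assumptions. "Improved password encryption" is rendered here with PHP's `password_hash()`/`password_verify()`, the current built-in replacement for the bare digest functions common at the time of the project.

```php
<?php
// Added illustration of the semester-1 security measures (not Unbound's code).
// Table, column, field names and the idle limit are assumptions.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900; // 15 minutes of inactivity (assumed value)

// Start the session with the ID carried only in an HttpOnly cookie, then
// apply the inactivity check before any page logic runs.
function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax',
                               'secure' => isset($_SERVER['HTTPS'])]);
    session_start();
    enforceInactivityLimit();
}

// Session inactivity time limit: a session idle longer than the limit is
// destroyed and replaced by a fresh, empty one; otherwise the timestamp moves.
function enforceInactivityLimit(): void
{
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && (time() - $last) > SESSION_IDLE_LIMIT) {
        session_unset();
        session_destroy();
        session_start();
    }
    $_SESSION['last_activity'] = time();
}

// Session ID regeneration at login, so the ID handed out before
// authentication is never the one that carries the logged-in state.
function loginUser(int $userId): void
{
    session_regenerate_id(true); // true = discard the old session data
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
}

// Checking for form completion: returns the required fields that are absent
// or blank (an empty array means the form is complete).
function missingFields(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Password storage with a salted, deliberately slow hash instead of a bare
// md5()/sha1() digest. The UPDATE is a prepared statement with bound values.
function storePassword(PDO $db, int $userId, string $plain): void
{
    $stmt = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
    $stmt->execute([':hash' => password_hash($plain, PASSWORD_DEFAULT), ':id' => $userId]);
}

// Prepared statement for the login lookup: the submitted name is bound as
// data, so quotes or SQL keywords inside it never alter the query text.
function findUserByName(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding: htmlentities() with the quote flags, so user-supplied text
// is inert both in element content and inside attribute values.
function escapeHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-alone demonstration on constructed data (runs from the CLI).
startSecureSession();
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->exec("INSERT INTO users (id, username, password_hash) VALUES (1, 'o''brien', '')");
storePassword($db, 1, 'correct horse battery staple');

$form = ['username' => "o'brien", 'password' => 'correct horse battery staple'];
$missing = missingFields($form, ['username', 'password']);
if ($missing !== []) {
    echo 'Please complete: ' . escapeHtml(implode(', ', $missing)) . "\n";
    exit;
}
$user = findUserByName($db, $form['username']); // the apostrophe is plain data here
if ($user !== null && password_verify($form['password'], $user['password_hash'])) {
    loginUser((int) $user['id']);
    echo 'Welcome, ' . escapeHtml($form['username']) . "\n"; // prints o&apos;brien
} else {
    echo "Login failed.\n";
}
```

The demonstration block at the bottom replaces the real request handling: on the site, `startSecureSession()` would run on every page, `$form` would be `$_POST`, and the PDO connection would point at the site's database rather than an in-memory SQLite table.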

10/23-30: Research into PHP-specific security measures; looked into current Unbound code.

  • Shiflett, C. 2006. Essential PHP Security. O'Reilly Media, Inc., Sebastopol, CA.
  • Powers, D. 2006. PHP Solutions: Dynamic Web Design Made Easy. Apress.

10/16: Learning PHP basics

  • Sklar, D., and Trachtenberg, A. 2006. PHP Cookbook, 2nd ed. O'Reilly Media, Sebastopol, CA.
  • PHP Manual. 2007. http://www.php.net.

10/9: Met with Dr. Pearson, advisor for Unbound, regarding roles of various editors and the flow of an article or other media through the editing process.

10/2: Abstract completed for SIGCSE Student Research Competition. View here.

9/25: Expanded research into other security issues in web applications. Reading from:

  • Solomon, M.G., and M. Chapple. 2005. Information Security Illuminated. Jones and Bartlett Publishers, Salisbury, MA.

9/11: Continued research into ACM papers on SQL injection in web applications, as well as more basic security precautions.

  • Halfond, W.G.J., and A. Orso. 2005. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated software engineering. ACM Press.
  • Su, Z., and G. Wassermann. 2006. The essence of command injection attacks in web applications. In Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages. Volume 41 Issue 1. ACM Press.

9/5: Research into SQL injection and how it can be detected and prevented. Articles include:

  • Buehrer, G., B. Weide, and P.A.G. Sivilotti. 2005. Using parse tree validation to prevent SQL injection attacks. In Proceedings of the 5th international workshop on software engineering and middleware. ACM Press.
  • Halfond, W.G.J., and A. Orso. 2005. Combining static analysis and runtime monitoring to counter SQL injection attacks. In ACM SIGSOFT Software Engineering Notes, Proceedings of the third international workshop on Dynamic analysis. Volume 30 Issue 4. ACM Press.
  • Rietta, F.S. 2006. Application layer intrusion detection for SQL injection. In Proceedings of the 44th annual southeast regional conference. ACM Press.