[Colloq] Hiring Talk: Friday, April 17 - William Robertson, 11:30am

Rachel Kalweit rachelb at ccs.neu.edu
Mon Apr 13 09:30:59 EDT 2009


The College of Computer and Information Science Colloquium presents a Hiring Talk by:

William Robertson
University of California, Santa Barbara

Friday, April 17
11:30am
366 West Village H

TITLE:
Detecting and Preventing Attacks Against Web Applications

ABSTRACT:
During the last decade, web applications have become an extremely
popular method of providing a diverse array of services to users.
Unfortunately, web applications have been found to contain large numbers
of vulnerabilities, most notably -- but in no way limited to --
cross-site scripting (XSS) and SQL injection.  Consequently, web
applications have also become a favored target of cyber-criminals, who
leverage web application vulnerabilities to steal sensitive information
or host malicious software.  In the absence of mitigating improvements
in security, this trend is expected to continue as web applications
increase in complexity and, accordingly, in attack surface.

In this talk, I will approach the problem of securing web applications
from two complementary angles.  First, I will present my work on the
anomaly-based detection of attacks against web applications, an
effective black-box technique for protecting existing web applications.
In this context, I will discuss webanomaly, a tool that incorporates
online unsupervised machine learning techniques to automatically
characterize the normal behavior of web applications in order to detect
and prevent a variety of attacks against both web servers and clients.
Then, I will present recent work on developing next-generation web
application frameworks that are free of common classes of
vulnerabilities by construction.  In particular, I will discuss a
language-based approach to statically preventing the introduction of
cross-site scripting and SQL injection vulnerabilities in web
applications.

BIO

William Robertson is a Ph.D. Candidate at the University of California,
Santa Barbara, and is co-advised by Dick Kemmerer and Giovanni Vigna.
His research interests include web application security, intrusion
detection, malware analysis, and electronic voting systems.  He was a
Red Team member in both the California TTBR and Ohio EVEREST reviews of
electronic voting systems, and discovered critical vulnerabilities in
the iVotronic and ES&S voting systems.  He was also a co-founder of
WebWise Security, Inc., a Santa Barbara-based security consulting firm
that provides penetration testing and source code auditing services to
clients worldwide.  William will graduate in June 2009.

HOST: Guevara Noubir







