Mike Dalton : 2009 Security Workshop


Thursday, April 16, 2009
Location: Fisher Conference Center, Arrillaga Alumni Center

"Preventing Authentication and Authorization Bypass Attacks in Web Applications"


Authentication and authorization bypass are crucial unsolved security flaws in modern web applications. Authentication bypass attacks occur when users are authenticated without presenting valid credentials. Authorization bypass attacks occur when missing or incorrect access control checks allow malicious users to access privileged resources. These attacks are very difficult to prevent because each web application typically creates its own authentication and access control framework.

This talk presents Nemesis, a system that infers safe, correct authentication in web applications in order to prevent both authentication and authorization bypass attacks. We describe the Nemesis prototype, implemented by modifying the PHP interpreter, and present experimental results showing that Nemesis protects real-world vulnerable web applications against these attacks.
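The two attack classes named in the abstract are easiest to see in the per-application checks that each PHP application writes for itself. The script below is an added illustration, not Nemesis code and not from the talk: it shows a login handler that can be passed without a valid credential (authentication bypass) and a privileged handler with no access-control check (authorization bypass), each beside a hardened form. The user table, request arrays and session array are constructed stand-ins for a database, `$_POST` and `$_SESSION`; the function names are hypothetical.

```php
<?php
// Added example: authentication and authorization bypass in hand-written PHP checks.
// Constructed user table standing in for a database query (assumption).
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'role' => 'admin'],
    'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'role' => 'user'],
];

// --- Authentication bypass -------------------------------------------------
// Vulnerable: the password is only verified when the client sent one, so a
// request that omits the 'pass' field authenticates as any known user.
function login_vulnerable(array $users, array $post, array &$session): bool
{
    $name = $post['user'] ?? '';
    if (!isset($users[$name])) {
        return false;
    }
    if (isset($post['pass']) && !password_verify($post['pass'], $users[$name]['hash'])) {
        return false;
    }
    $session['user'] = $name;          // reached without presenting a credential
    return true;
}

// Hardened: the only success path runs after a credential verified against
// the stored hash; a missing or wrong password fails closed.
function login_fixed(array $users, array $post, array &$session): bool
{
    $name = $post['user'] ?? '';
    $pass = $post['pass'] ?? null;
    if ($pass === null || !isset($users[$name])
        || !password_verify($pass, $users[$name]['hash'])) {
        return false;
    }
    $session['user'] = $name;
    return true;
}

// --- Authorization bypass ---------------------------------------------------
// Vulnerable: a privileged handler with no access-control check; its only
// "protection" is that the admin menu is the sole place linking to it.
function delete_user_vulnerable(array &$users, array $session, string $target): bool
{
    unset($users[$target]);
    return true;
}

// Hardened: require an authenticated session whose user holds the admin role,
// checked inside the handler itself, denying by default.
function delete_user_fixed(array &$users, array $session, string $target): bool
{
    $actor = $session['user'] ?? null;
    if ($actor === null || ($users[$actor]['role'] ?? '') !== 'admin') {
        return false;
    }
    if (!isset($users[$target])) {
        return false;
    }
    unset($users[$target]);
    return true;
}

// --- Demonstration ----------------------------------------------------------
$session    = [];
$noPassword = ['user' => 'alice'];                 // constructed attacker request
printf("vulnerable login, no password: %s\n",
    login_vulnerable($users, $noPassword, $session) ? 'AUTHENTICATED (bypass)' : 'denied');
$session = [];
printf("fixed login, no password:      %s\n",
    login_fixed($users, $noPassword, $session) ? 'AUTHENTICATED' : 'denied');

$session = [];
login_fixed($users, ['user' => 'bob', 'pass' => 'battery staple'], $session); // bob: plain user
$copy = $users;
printf("vulnerable delete as bob:      %s\n",
    delete_user_vulnerable($copy, $session, 'alice') ? 'alice deleted (bypass)' : 'denied');
$copy = $users;
printf("fixed delete as bob:           %s\n",
    delete_user_fixed($copy, $session, 'alice') ? 'alice deleted' : 'denied');
```

Run it with `php example.php` (PHP 7 or later). The hardened handlers still depend on every privileged code path in the application remembering to call the right check, which is the per-application burden the abstract describes; the talk's point is that Nemesis moves the authentication decision into the interpreter rather than into each handler.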


Michael Dalton is a fourth-year PhD student under Professor Christos Kozyrakis. Michael's research interests are computer systems and computer security, with an emphasis on designing Dynamic Information Flow Tracking (DIFT) systems for preventing software security vulnerabilities. His current work includes preventing userspace and kernelspace buffer overflows using DIFT-aware CPUs, and preventing high-level web authentication vulnerabilities using DIFT-aware language interpreters.