SEAL: SEcurity progrAmming of web appLications
From Navigators
http://seal.lasige.di.fc.ul.pt
- Research Line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
- Sponsor: FCT
- Project Number: 029058
- Total award amount: 240K Euros
- Coordinator: Ibéria Medeiros
- Partners: FCUL, INESC-ID, Maxdata
- Start Date: Aug. 2018
- Duration: 47 months
- Keywords: Software security, Vulnerabilities, Web applications, Secure programming
- Team at FCUL: Researchers including Ibéria Medeiros, Nuno Ferreira Neves, David Matos, Paulo Antunes, Ana Fidalgo, Ricardo Morgado, Francisco Araujo, Miguel Moreira, João Caseirito, Nuno Durão, Bruno Matos, Jorge Martins, Miguel Oliveira
The SEAL project aims to make significant advances in the security of web applications by developing the SEAL platform, a set of tools that implement secure programming in applications written in server-side programming languages (e.g., PHP and .NET). The platform will consist of three layers, namely code representation, vulnerability detection, and code correction: an intermediate language able to represent server-side languages and secure code features will be defined; on top of this language, tools that analyse code to detect and identify vulnerabilities will be developed, employing code analysis and machine learning techniques; and a secure code layer that automatically removes the vulnerabilities found will be created. During its development and evaluation, the SEAL platform will draw on use cases defined with the Maxdata enterprise, the market leader in software solutions for health services.
Publications
- Nuno Durão, “Discovery of Web Attacks by Inspecting HTTPS Network Traffic with Machine Learning and Similarity Search”, Master’s thesis, Mestrado em Segurança Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, May 2022.
- Claudio Martins, Ibéria Medeiros, “Generating Quality Threat Intelligence Leveraging OSINT and a Cyber Threat Unified Taxonomy”, ACM Transactions on Privacy and Security, vol. 25-3, no. 19, May 2022.
- João Caseirito, “Attacking Web Applications for Dynamic Discovering of Vulnerabilities”, Master’s thesis, Mestrado em Segurança Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Feb. 2022.
- Ibéria Medeiros, Nuno Neves, Miguel Correia, “Statically Detecting Vulnerabilities by Processing Programming Languages as Natural Language”, IEEE Transactions on Reliability, Jan. 2022.
- João Caseirito, Ibéria Medeiros, “Finding Web Application Vulnerabilities with an Ensemble Fuzzing (fast abstract)”, in Proceedings of the 51st IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'21), Jun. 2021.
- João Caseirito, Ibéria Medeiros, “Improving Web Application Vulnerability Detection Leveraging Ensemble Fuzzing”, in Proceedings of the International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE), Apr. 2021.
- Ana Fidalgo, “Detecting Web Vulnerabilities in an Intermediate Language Resorting of Machine Learning Techniques”, Master’s thesis, Mestrado em Ciência em Dados, Nov. 2020.
- Francisco Araujo, Ibéria Medeiros, Nuno Ferreira Neves, “Generating Tests for the Discovery of Security Flaws in Product Variants”, in Proceedings of the International Workshop on Testing Extra-Functional Properties and Quality Characteristics of Software Systems (ITEQS), Oct. 2020.
- Ana Fidalgo, Ibéria Medeiros, Nuno Ferreira Neves, “Towards a Deep Learning Model for Vulnerability Detection on Web Application Variants”, in Proceedings of the Workshop on Testing of Configurable and Multi-variant Systems (ToCaMS), Oct. 2020.
- Ibéria Medeiros, Nuno Ferreira Neves, “Effect of Coding Styles in Detection of Web Application Vulnerabilities”, in Proceedings of the European Dependable Computing Conference (EDCC), Sept. 2020.
- Ricardo Morgado, Ibéria Medeiros, Nuno Ferreira Neves, “Towards Web Application Security by Automated Code Correction”, in Proceedings of the International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE), May 2020.
- Bruno Lourenco, “Vulnerabilities Detection at Runtime and Continuous Auditing”, Master’s thesis, Mestrado em Segurança Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Apr. 2020.
- Ibéria Medeiros, Miguel Beatriz, Nuno Ferreira Neves, Miguel Correia, “SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS”, IEEE Transactions on Reliability, vol. 68, no. 3, pp. 1168 – 1188, Sept. 2019.
- Francisco Araujo, “Generating software tests to check for flaws and functionalities”, Master’s thesis, Mestrado em Engenharia Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Sept. 2019.
- Francisco Araujo, Ibéria Medeiros, Nuno Ferreira Neves, “Geração de Testes de Software para Verificação de Faltas e Funcionalidades”, in Simpósio de Informática (INFORUM), Sept. 2019.
- Ricardo Morgado, “Invalidating web applications attacks by employing the right secure code”, Master’s thesis, Mestrado em Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Sept. 2019.
- Paulo Antunes, “Monitoring Web Applications for Vulnerability Discovery and Removal under Attack”, Master’s thesis, Mestrado em Engenharia Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Oct. 2018.
- Paulo Antunes, Ibéria Medeiros, Nuno Ferreira Neves, “Remoção Automática de Vulnerabilidades usando Análise Estática de Código Direcionada”, in Proceedings of the 10th Simpósio de Informática (INForum 2018), Coimbra, Portugal, Sept. 2018.