SaTC: CORE: Medium: Collaborative: Doctor WHO: Investigation and Prevention of Online Content Management System Abuse

Information

  • NSF Award
  • 2426653
Owner
  • Award Id
    2426653
  • Award Effective Date
    10/1/2023 - 7 months ago
  • Award Expiration Date
    9/30/2024 - 4 months from now
  • Award Amount
    $ 230,491.00
  • Award Instrument
    Standard Grant


Over half of the world's 1.8 billion websites run on Content Management Systems (CMS). Unfortunately, CMS deployments make easy targets for attackers, as they are built from an amalgam of layered software and interpreters, with varying degrees of network and system permissions, which execute on an Internet-facing web server. This project develops program-analysis-centric techniques that enable the investigation and remediation of ongoing infections as well as hardening against future CMS compromises, with the goals of 1) understanding the intent and strategy of a CMS infection and tracing its root-cause attack vector for reliable remediation, 2) revealing dynamic and sophisticated attack behaviors in malware samples in a CMS infection, and 3) hardening CMS deployments against future attacks. This project benefits national security and economic stability by creating cyber forensics and vulnerability detection techniques for CMS websites and the financial, government, and private sector operations they support. It provides server-side script code, including malicious scripts and vulnerable code, to help train next-generation cybersecurity experts. Students from underrepresented minority groups are involved in research activities.

This project develops Doctor WHO, a CMS analysis framework that combines rapid evidence collection and advanced program analysis techniques for the investigation and remediation of infections and hardening against future CMS compromises. Specifically, the data-driven prediction framework, called TARDIS, is developed to understand the temporal correlation of attack evidence across a corpus of real-world websites. TARDIS enables the automated discovery of the artifacts of a compromise, fingerprinting of the attack's propagation, and rapid investigation of cyberattacks against CMS deployments. The project also develops Torchwood, a cross-language and cross-environment program analysis framework to effectively analyze highly dynamic and sophisticated malware targeting CMSs. Torchwood can handle advanced obfuscation and anti-analysis techniques applied to malware and effectively reveal the malware's hidden malicious behaviors and intentions. Lastly, the project develops UNIT, which enables the hardening and securing of CMS deployments against future attacks. UNIT accomplishes this by enabling automated dynamic testing of CMS-backed websites without requiring any runtime environment resources. UNIT eliminates false alerts and provides proof-of-concept exploits via a set of new methods to identify and model dependencies of runtime resources and reconstruct missing resources using instrumented script interpreter engines.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

  • Program Officer
    Sol Greenspan, sgreensp@nsf.gov, 7032927841
  • Min Amd Letter Date
    4/12/2024 - a month ago
  • Max Amd Letter Date
    4/12/2024 - a month ago
  • ARRA Amount

Institutions

  • Name
    University of Maryland, College Park
  • City
    COLLEGE PARK
  • State
    MD
  • Country
    United States
  • Address
    3112 LEE BUILDING
  • Postal Code
    207425100
  • Phone Number
    3014056269

Investigators

  • First Name
    Yonghwi
  • Last Name
    Kwon
  • Email Address
    yongkwon@umd.edu
  • Start Date
    4/12/2024 12:00:00 AM

Program Element

  • Text
    Secure & Trustworthy Cyberspace
  • Code
    806000

Program Reference

  • Text
    SaTC: Secure and Trustworthy Cyberspace
  • Text
    MEDIUM PROJECT
  • Code
    7924