Project Description

Traditional applications are structured either as pipelines (consuming inputs and producing outputs, following a paradigm pioneered by the UNIX operating system) or as interactive applications that react to user-generated events (such as clicking on a menu item in a graphical user interface). The ability of browsers to perform asynchronous web requests (through the XMLHttpRequest API), combined with programmatic access to the Document Object Model of a web page, has revolutionized the concept of traditional applications, creating a new class of service-based applications, such as Gmail, Facebook, or Office365.

The transition from traditional applications to Software-as-a-Service (SaaS) applications has brought new scalability and flexibility requirements. These requirements are met by structuring applications as endpoints that can be called independently, moving the burden of keeping a consistent application state to a well-defined centralized component, such as a cloud storage system or a database. Even though this approach allows one to componentize the application design, it introduces a number of challenges. For example, developers often design API endpoints with a precise workflow in mind (e.g., a certain endpoint may be called only after a particular check has cleared), but that workflow is usually enforced only by code executed on the user's platform. Nothing prevents an attacker from bypassing that client-side code, ignoring the intended workflow, and invoking an application's endpoints in an unexpected order, or even concurrently, resulting in unexpected behaviors.
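The two failure modes named above (an endpoint called out of its intended order, and the same endpoint called concurrently) are easy to reproduce in miniature. The following is an added example written for this page, not code from the project or from any of the applications it will deploy. It simulates a tiny order service as plain Python classes backed by an in-memory dictionary; the order/coupon data, the service names, and the endpoint names (pay, ship, redeem_coupon) are all hypothetical. The vulnerable service trusts the client to call pay before ship and performs its coupon check and write as two separate steps; the hardened service enforces the workflow with a server-side state machine and makes check-and-act atomic under a lock.

```python
import threading

# Constructed sample state (not from the project): one order that the
# intended client workflow moves created -> paid -> shipped, and one
# single-use coupon. A real deployment would keep this in a database.
def fresh_store():
    return {
        "orders": {"o1": {"state": "created", "discounts": []}},
        "coupons": {"SAVE10": {"used": False}},
    }


class VulnerableService:
    """Endpoints that trust the client to call them in the intended order."""

    def __init__(self, store):
        self.db = store

    def pay(self, order_id):
        self.db["orders"][order_id]["state"] = "paid"
        return "paid"

    def ship(self, order_id):
        # No server-side check that pay() ever ran: the client UI was
        # supposed to disable "ship" until payment cleared, but an attacker
        # calling the endpoint directly skips the UI entirely.
        self.db["orders"][order_id]["state"] = "shipped"
        return "shipped"

    def redeem_coupon(self, code, order_id, pause=lambda: None):
        coupon = self.db["coupons"][code]
        if coupon["used"]:
            return "rejected"
        pause()  # check-then-act gap: a concurrent request can slip in here
        coupon["used"] = True
        self.db["orders"][order_id]["discounts"].append(code)
        return "applied"


class HardenedService:
    """Same endpoints, with the workflow enforced by a server-side state
    machine and check-and-act performed atomically."""

    TRANSITIONS = {"created": {"pay": "paid"}, "paid": {"ship": "shipped"}}

    def __init__(self, store):
        self.db = store
        self.lock = threading.Lock()

    def _advance(self, order_id, action):
        order = self.db["orders"][order_id]
        nxt = self.TRANSITIONS.get(order["state"], {}).get(action)
        if nxt is None:
            return f"rejected: cannot {action} in state {order['state']}"
        order["state"] = nxt
        return nxt

    def pay(self, order_id):
        with self.lock:
            return self._advance(order_id, "pay")

    def ship(self, order_id):
        with self.lock:
            return self._advance(order_id, "ship")

    def redeem_coupon(self, code, order_id):
        with self.lock:  # the check and the state change are one atomic step
            coupon = self.db["coupons"][code]
            if coupon["used"]:
                return "rejected"
            coupon["used"] = True
            self.db["orders"][order_id]["discounts"].append(code)
            return "applied"


def ship_without_paying(service_cls):
    """Out-of-order call: ship() with no preceding pay()."""
    svc = service_cls(fresh_store())
    return svc.ship("o1")


def redeem_twice_concurrently(service_cls, force_overlap=False):
    """Two requests redeem the same single-use coupon at the same time.
    With force_overlap, a barrier holds both requests between their check
    and their write so the race is reproduced deterministically."""
    svc = service_cls(fresh_store())
    barrier = threading.Barrier(2)
    results = []

    def request():
        kwargs = {"pause": barrier.wait} if force_overlap else {}
        results.append(svc.redeem_coupon("SAVE10", "o1", **kwargs))

    threads = [threading.Thread(target=request) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)


if __name__ == "__main__":
    print("vulnerable, ship before pay:", ship_without_paying(VulnerableService))
    print("hardened,   ship before pay:", ship_without_paying(HardenedService))
    print("vulnerable, concurrent redeem:", redeem_twice_concurrently(VulnerableService, True))
    print("hardened,   concurrent redeem:", redeem_twice_concurrently(HardenedService))
```

The barrier in the vulnerable path stands in for the scheduling luck an attacker normally obtains by firing many requests in parallel; it only makes the overlap reproducible, it does not create the flaw. Note that the hardened service rejects the out-of-order call by consulting the order's current state rather than by trusting any flag the client sends, and that a single-process lock is only a stand-in for what a real microservice would need (a database transaction, conditional update, or distributed lock) once the state lives in a shared store.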

The focus of this project is on deploying a series of microservice-based SaaS applications that can be used to test security analysis tools in a cloud-based environment. These applications can be derived from existing open-source applications or created from scratch. They will be of reasonable complexity and will contain a number of security flaws.

The resulting dataset would provide much-needed ground truth to enable and support research on the security of cloud-based SaaS applications.

Team Members

  • Kelly Yan
  • Daryl Ou
  • Jeffrey Cao
  • Krish Chaudhary

Professor and Mentors

  • Prof. Giovanni Vigna and Prof. Christopher Kruegel
  • Grad mentor: Noah Spahn

Meeting Time

  • Meeting with the Professor
    • Tuesdays at 3p
  • Meeting with Grad mentor
    • Tuesdays at 3p
  • ERSP meeting with central mentors
    • Chinmay: TBD
    • Diba: TBD
  • Group meeting:
    • Sunday 10a to 12p

Links to Proposals and Presentation

  • Instructor feedback: link
  • Final Proposal (after instructor's feedback): link
  • Final presentation: link

Peer Review

Individual Logs