Objectives
Nowadays, web applications are the most used means of accessing the services and resources of enterprises. Since
their inception, their source code has been known to contain vulnerabilities. When exploited, these vulnerabilities
have caused serious damage to enterprises, as periodic reports have shown. Therefore, when critical
services, such as those in the health area, are accessed through web applications, the security of those applications
is crucial for the services to function properly. These applications use and store sensitive and private patient data,
such as clinical data from the diagnostics and treatments patients undergo, as well as data for controlling hospital
infections. Storing and accessing these data therefore requires trust in the applications used, and it is crucial that
they are written with security in mind, to avoid attacks that can disturb and/or interrupt critical services or give
undue access to those data.
The SEAL project aims to make significant advances in the security of web applications by developing a platform with tools that
implement secure programming in applications written in server-side programming languages (e.g., PHP and .NET), since these
languages are the ones that process user requests, such as access to databases. The platform will consist of three
layers, namely code representation, vulnerability detection, and code correction, which together will allow
enterprises to benefit from analysis, testing and correction tools while developing their applications, making them secure.
More precisely, the project aims to make three main contributions. First, we will design an intermediate language (IL)
able to represent code elements of different server-side programming languages, preserving their semantics and coherence,
and with secure code features. We will also create compilers from these languages to the IL.
Second, we will define processing and analysis models for this language, based on code analysis techniques,
such as static analysis and symbolic execution, and machine learning applied to natural language processing (NLP), which will
Expected results
In summary, the most significant expected results of the project are the following:
- An IL able to represent different server-side programming languages and code security features. This language will represent code elements and instructions from programming languages, removing their complexity and ambiguity while maintaining their semantics.
- A survey of the security features that need to be implemented in software, to understand which features are important to express/define in the IL.
- Two compilers for compiling PHP and .NET server-side languages to the IL. These compilers, in addition to compiling, will also maintain the correspondence between the source and compiled statements. This correspondence will be needed for identifying in the source language the vulnerabilities detected in the IL.
- A set of models to identify vulnerabilities in the IL, employing several techniques used for finding faults in software.
- Definition of use cases where it is possible to exploit vulnerabilities.
- Three tools for processing the IL, searching for vulnerabilities and identifying them, using techniques such as static analysis, symbolic execution and machine learning.
- A security code layer with different kinds of protection mechanisms for removing vulnerabilities and testing web applications.
- The SEAL platform, composed of all the resulting tools.