Research Spending & Results

Award Detail

Doing Business As Name: Cornell University
  • Vitaly Shmatikov
  • (512) 473-8959
Award Date: 11/06/2015
Estimated Total Award Amount: $450,104
Funds Obligated to Date: $450,104
  • FY 2012=$450,104
Start Date: 09/01/2015
End Date: 08/31/2017
Transaction Type: Grant
Awarding Agency Code: 4900
Funding Agency Code: 4900
CFDA Number: 47.070
Primary Program Source: 040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description: TWC: Small: Finding and Repairing Semantic Vulnerabilities in Modern Software
Federal Award ID Number: 1565619
DUNS ID: 872612445
Parent DUNS ID: 002254837
Program: Secure & Trustworthy Cyberspace
Program Officer:
  • Sol Greenspan
  • (703) 292-7841

Awardee Location

Street: 373 Pine Tree Road
Awardee Cong. District: 23

Primary Place of Performance

Organization Name: Cornell University
Street: 373 Pine Tree Road
Cong. District: 23

Abstract at Time of Award

Software is responsible for many critical government, business, and educational functions. This project aims to develop new methods for finding and repairing some of the most challenging, poorly understood security vulnerabilities in modern software that have the potential to jeopardize the security and reliability of the nation's cyber infrastructure. The first objective of this project is to design and implement a robust program analysis framework that is capable of finding exploitable semantic bugs in modern applications, such as accidental omission of access-control checks, unintentional exposure of sensitive operations such as native calls and database queries to untrusted code or users, high-complexity control structures vulnerable to denial of service, misconfigurations of security policies, and other errors in programs' security logic. The second objective is to develop methods for automatically repairing semantic vulnerabilities by applying program transformations that insert correct implementations of appropriate security logic.

Publications Produced as a Result of this Research

I. Pustogarov, T. Ristenpart, V. Shmatikov. "Using Program Analysis to Synthesize Sensor Spoofing Attacks." ASIA CCS, 2017.

Project Outcomes Report


This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

This project produced new technologies for identifying and repairing semantic security vulnerabilities in modern software, focusing especially on access-control code in Web and mobile applications. Contributions include a new method for discovering access-control bugs in server-side Web applications and automatically repairing them; a large-scale study of access-control vulnerabilities in client-side Web code; a new method for detecting code injection attacks on server-side Web applications; a new method for discovering security errors in SSL/TLS implementations; new access-control enforcement mechanisms for hybrid Web/mobile application frameworks; discovery of a new class of vulnerabilities in mobile advertising libraries and the design and implementation of new isolation mechanisms that prevent exploitation of these vulnerabilities; and new program analysis methods for automatic generation of sensor spoofing attacks.

The results of this project were disseminated via publications in top venues, including NDSS 2013 (two papers, one of which received the best student paper award), ACM CCS 2013, NDSS 2014, IEEE S&P 2014 (received the best practical paper award), WWW 2015 (two papers), NDSS 2016, NSDI 2016, and ASIA CCS 2017.

Software developed by this project has been widely disseminated as open source code. Many SSL/TLS developers, including those at Mozilla, have started using the frankencerts methodology for testing their SSL/TLS code. The NoFrak access-control mechanism for hybrid Web/mobile application development frameworks has been integrated into the open-source Apache Cordova project (under the name SecureToken), which provides the core functionality for dozens of thousands of mobile apps and is running on millions of Android phones. Our access-control methodology for preventing untrusted advertisements from inferring sensitive information about mobile users has been adopted by all major Android mobile advertising libraries.

The project supported multiple PhD students, all of whom have gone on to successful careers in computer security and privacy research. Two are tenure-track assistant professors, at Columbia University and KAIST, respectively; two are working as security engineers at Google and Yelp, respectively.

Last Modified: 11/05/2017
Modified by: Vitaly Shmatikov
