Individualized Cybersecurity Research Mentoring (iMentor) Workshop 2023

Keynote

Elisa Bertino

Purdue University

Title: The Persistent Problem of Applications Insecurity

Abstract: Data is a critical resource and as such it is very often the target of cyber-attacks with a variety of goals, including data theft and ransom requests. Today database systems provide several effective security controls and defenses, such as database encryption, fine-grained content- and context-based access control, role-based access control, and logging capabilities for security-relevant events. In addition, database systems support a variety of authentication techniques, such as multi-factor authentication. However, there is a major weak point in data security: the applications. Once data is transmitted from a database to applications, the data is exposed to many risks if those applications have vulnerabilities.

Unfortunately, applications, and more generally software systems, are still often insecure, despite the fact that the "problem of software security" has been known to the industry and research communities for decades. In the case of database applications, for example, SQL injection vulnerabilities, known for more than 20 years, are still common: in 2022 alone, 1162 vulnerabilities of the type "SQL injection" were accepted as CVEs (Common Vulnerabilities and Exposures entries). In this talk, I first briefly argue why the software security problem is more complex than ever. I then focus on the problem of SQL injection and other vulnerabilities that often occur in database applications, and present an initial approach to automatically detect these vulnerabilities and "repair" them. I also cover the case of a more sophisticated attacker who is able to tamper with the application code. I then move on to discuss the problem of software supply-chain attacks and research directions.

Bio: Elisa Bertino is Samuel Conte Professor of Computer Science at Purdue University. She serves as Director of the Purdue Cyberspace Security Lab (Cyber2Slab). Prior to joining Purdue, she was a professor and department head at the Department of Computer Science and Communication of the University of Milan. She has been a visiting researcher at the IBM Research Laboratory in San Jose (now Almaden), at Rutgers University, and at Telcordia Technologies. She has also held visiting professor positions at the Singapore National University and the Singapore Management University. Her recent research focuses on security and privacy of cellular networks and IoT systems, and on edge analytics for cybersecurity. Elisa Bertino is a Fellow of IEEE, ACM, and AAAS. She received the 2002 IEEE Computer Society Technical Achievement Award "For outstanding contributions to database systems and database security and advanced data management systems", the 2005 IEEE Computer Society Tsutomu Kanai Award for "Pioneering and innovative research contributions to secure distributed systems", the 2019-2020 ACM Athena Lecturer Award, and the 2021 IEEE Innovation in Societal Infrastructure Award. She received an Honorary Doctorate from Aalborg University in 2021 and a Research Doctorate in Computer Science from the University of Salerno in 2023.