Sai Lao Poeng

Archive for the ‘Technical’ Category

My project in MSc

Posted by sailaopoeng on February 16, 2010

This is about the project I am currently working. My project has 13 members of MSc students including me and 3 PhD students from same department. Our supervisor is Professor Dr. Tan from ICIS of EEE in NTU. The project is divided into 5 parts at first.

(1) Infeasible Path Detection in Java
(2) Infeasible Path Detection in C
(3) Security Auditing in Source Code base (esp. in Java)
(4) Security Auditing in Binary Code base
(5) Life Cycle Analysis for DB Application – PHP code

But after first semester, Prof. Tan re-grouped project groups into only 3 groups because Prof. thought 2 groups were not making progress, even for 6 months. Dismissed project parts are Infeasible Path Detection in C language and Life Cycle Analysis for DB Application. Our project’s life time is only one year with 2 semesters.

I am in Security Auditing in Source code base. We are using Java to audit security in Java web pages written in JSP. Tools we are using are Eclipse for Java and Soot Java Optimization framework; both are free open-source software. Eclipse is code editor and complier for Java. Soot is framework to analyse Java source code. Soot has very large framework and cover most of analysis part. I will write about Soot Framework later for more detail.

Our sub-group has 3 members of MSc student and one PhD student. We focus on SQL injection and cross site scripting on JSP pages. PhD student is Myanmar, same as me, and 2 other members are Indian. PhD student’s name is Ko Shar Lwin Khin. Other 2 members are Chandra and VJ. Ko Shar is just supervising us and mostly he provides us with theories and algorithms about how to deal with our project. My part is to audit cross site scripting while other two member deal with SQL injections. Still we are working on that project and project is some kind of halfway finished in basic level. But Prof. expects us to finish more advances before project sign out at the end of second semester. So we are still trying hard to finish our project.

Luckily, we got sample coding, which was using soot, from previous year project which help us a lot. But these sample codes are from difference background project so still we have to find out how to deal with our project. Sample codes help us how Soot is working so that we can apply soot on our own project. Let me go into detail technical view of our project.

As our nature of project is to audit security of Java Web Pages, we need Java Web Application source code written in JSP to analysis. For my part, which is cross site scripting, I have to go through web application’s source code and identify HTML outputs, which have dynamic variables whose value is assigned from “getParameter” or from database. Then I have to find out their “Control” and “Data” Dependency for each of HTML output lines. For Data Dependency, I also have to get transitive data dependency (D) until I reach the final definition of variable, mostly end at “getParameter” or “database”. For Control Dependency, control dependency for original HTML output line (C) and control dependency for data dependent lines (DC) are needed. We have to store all these and display our analysis data to user with User friendly GUI. That’s how it’s working.

Although it’s easy to describe it in one paragraph, we were working on this for the whole 7 months and our progress is not as much as we expected. I hope we can finish this up next few weeks so that we can begin for documentation work for final project sign out.


Posted in Java, MSc, NTU, Project, Technical | 4 Comments »