SEAL - SEcurity progrAmming of web appLications

The SEAL project aims to make significant advances in the security of web applications by developing the SEAL platform, which contains tools that implement secure programming in applications written in server-side programming languages (e.g., PHP and Java). The platform will consist of three layers: code representation, vulnerability detection, and code correction. First, an intermediate language able to represent server-side languages and secure code features will be defined. On top of this language, tools that detect and identify vulnerabilities will be developed, employing code analysis and machine learning techniques. Finally, a secure code layer will be created to automatically remove the vulnerabilities found. During its development and evaluation, the SEAL platform will rely on use cases defined with Maxdata, the market leader in software solutions for health services.

The SEAL project aims to make significant advances in the security of web applications, developing a platform with tools that implement secure programming in applications written in server-side programming languages.

Project Information:

• Project ID: PTDC/CCI-INF/29058/2017, LISBOA-01-0145-FEDER-029058, POCI-01-0145-FEDER-029058
• Project number: 029058
• Start date: 01-Aug-2018
• End date: 30-Jun-2022
• Project cost (total): € 219361.56
• Project funding (total): € 219361.56
• FEDER funding: € 104224.71
• Programme type: FCT/MCTES (PIDDAC)/FEDER
• Programme acronym: AAC nº 2/SAICT/2017

Consortium:

• FCiências/LASIGE (coordinator)
• INESC-ID
• Maxdata

Team at INESC-ID:

• Miguel Correia
• David R. Matos
• Alexandra Figueiredo
• Mihail Brinza

Main results at INESC-ID:

• Ibéria Medeiros, Nuno F. Neves, Miguel Correia. Statically Detecting Vulnerabilities by Processing Programming Languages as Natural Languages. IEEE Transactions on Reliability, volume 71, issue 2, pp 1033-1056, June 2022 (pdf)
• David Matos, Miguel Pardal, Miguel Correia. Sanare: Pluggable Intrusion Recovery for Web Applications. IEEE Transactions on Dependable and Secure Computing (TDSC), accepted for publication, 2022 (pdf)
• Ibéria Medeiros, Miguel Beatriz, Nuno Neves and Miguel Correia. SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS. IEEE Transactions on Reliability, 68(3): 1168-1188, 2019 (pdf)
• Mihail Brinza, Miguel Correia, João Pereira. Virtual Static Security Analyzer for Web Applications. In Proceedings of Trustcom 2021, August 2021 (pdf, software)
• Alexandra Figueiredo, Tatjana Lide, David Matos and Miguel Correia. MERLIN: Multi-Language Web Vulnerability Detection. In Proceedings of the 19th IEEE International Symposium on Network Computing and Applications (NCA), Nov. 2020 (pdf, software)
• Alexandra Figueiredo, Tatjana Lide and Miguel Correia. Multi-Language Web Vulnerability Detection (fast abstract). In Proceedings of ISSRE 2020, October 2020 (pdf)