School of Computer Science Professor Alessandro Orso and his former student William Halfond won the IEEE/ACM International Conference on Automated Software Engineering (ASE) 2020 Most Influential Paper award for their innovative program analysis work.
The award honors research that had the most impact out of the papers published that year. Orso and Halfond, who is now an associate professor at the University of Southern California, won for their paper, AMNESIA: Analysis and Monitoring for NEutralizing SQL-injection Attacks.
Amnesia is a fully automated technique for detecting and preventing one of the most catastrophic types of web application attacks.
SQL injection attacks (SQLIAs) inject malicious code into databases to expose information. This can lead to private information being leaked or even entire databases being corrupted. SQLIAs are one of the most prominent attack types, and at the time of this research, were considered the number-one threat for web applications.
Before Orso and Halfond introduced Amnesia, developers had to manually incorporate specific checks into their applications. This process was both time-consuming and prone to error.
Amnesia was the first fully automated techniques for detecting and preventing SQLIAs that was widely applicable and successful.
“Our approach was based on the intuition that developers implicitly provide, in the web application code, a policy on what kind of database requests are allowed,” Orso said.
With this in mind, Amnesia’s approach did three things:
- Extracted a policy from the code using static analysis
- Checked database requests against this policy
- Stopped requests that violated the policy, as they were likely SQLIAs
The paper made ripples in the program analysis community.
“Our paper was one of the first papers that successfully applied program analysis techniques to the problem of SQLIAs,” Orso said.
As a result, other research groups built on that work and its underlying idea. To date, the original paper has been cited over 700 times.
It also jump-started Orso’s career. The concept became the basis for a project sponsored by the Department of Homeland Security, Preventing SQL Code Injection by Combining Static and Runtime Analysis, in collaboration with Professor Wenke Lee.
Orso and Halfond continued to advance the SQLIAs detection and prevention area in both their careers. The work also motivated Orso’s research group to develop general testing and analysis techniques for web applications — work that ultimately became Halfond’s Ph.D. dissertation.
“Receiving this prestigious award from the research community for a paper already so close to my heart is a humbling, exciting, and incredibly rewarding experience that goes beyond my wildest expectations,” Orso said.