ASU engineer Adam Doupé looks to safeguard personal data through advanced automated vulnerability analysis tools

Nowadays, when a person wants to buy something over the internet they will type in their credit-card information, name and address without giving it a second thought. But a single vulnerability in a web application can allow an attacker to steal that personal information.

Adam Doupé, an assistant professor of computer science and engineering in Arizona State University’s Ira A. Fulton Schools of Engineering, wants to develop tools that can automatically find such vulnerabilities in a web application, so they can be found and remedied before an attacker can exploit them.

Doupé is developing these tools as part of a five-year, $416,585 National Science Foundation CAREER Award, “Next Generation Black-Box Web Application Vulnerability Analysis.”

“The inspiration for this project was my own experiences as a penetration tester for web applications,” said Doupé. “I realized that, as a human, when I am interacting with a web application, I am not only building a mental model of how the web application works, but I’m also trying to understand how the code of the web application was written. This is essentially reverse engineering the code of the web application.”

Doupé wondered if this idea could be applied to an automated tool. Could an automated tool reverse engineer the code of the web application simply through interacting with it?

“It turns out that there is a branch of machine learning, called inductive programming, that could help,” said Doupé. “Therefore, the project idea is to apply inductive programming techniques to automatically reverse engineer the source code of a web application, simply through interacting with it, then to identify vulnerabilities in the reverse-engineered source code of the web application. This should result in smarter tools that can find vulnerabilities as well as a human.” 

The growing need for secure data solutions keeps research such as Doupé’s in high demand.

“I think that the proposal was chosen because it features the combination of interesting and diverse research areas that are applied to an area with great impact,” Doupé said.

The excitement and potential of innovations helped draw Doupé to ASU.

“Everyone I talked to was positive and excited about their research,” said Doupé. “I knew that I wanted to be a part of the ASU family.”

ASU’s robust support system helped Doupé put together the successful proposal. He credits Steven Ayer, assistant professor of construction management and engineering; Stacy Esposito, director of Research Advancement in the Fulton Schools; and his fellow computer science and engineering faculty in helping to strengthen the proposal.