Home

Research

Job Application Materials

Links

Personal

Contact Info

Topics

I'm interested in advancing the scientific knowledge on software security and reliability. I work on a broad range of topics in analysis and testing, leveraging synergistically ideas from a variety of disciplines ranging from formal logic to low-level system implementation details.

I've applied program analysis techniques to prevalent web application security problems, namely cross-site scripting (XSS) and SQL injection. Both of these are input validation problems, and I've proposed formal characterizations of them, and designed and experiemented with runtime and compile-time approaches for preventing them (see this page for more on this topic). I find this a fascinating problem domain and I expect it to continue yielding many interesting research topics.

I've also done work with Jed Crandall, Daniela, and others on uses of the Dacoda project for dealing with sophisticated malware.

I spent the summer of 2007 and DoCoMo USA Labs working with Dachuan Yu, Ajay Chander, and Dinakar Durjhati on a technique for web application testing. This technique handles string operations, string values, and dynamic language features (all of which are common in web application scripting languages such as PHP) more precisely than previous techniques.

I've also done some work on XML type checking (see paper). The most interesting part of this work involved discovering and dealing with the subtleties of tree types. I spent the summer of 2005 at JPL working with Nicolas Rouquette on applying ideas from Category Theory to model-based engineering design.

Papers

Conference
				Dynamic Test Input Generation for Web Applications Gary Wassermann, Dachuan Yu, Ajay Chander, Dinakar Dhurjati, Hiroshi Inamura, Zhendong Su, ISSTA'08. (26%)
				Static Detection of Cross-Site Scripting Vulnerabilities Gary Wassermann, Zhendong Su, ICSE'08. (15%)
				Bezoar: Automated Virtual Machine-based Full-System Recovery from Control-Flow Hijacking Attacks Daniella A. S. de Oliveria, Jedidiah R. Crandall, Gary Wassermann, Shaozhi Ye, S. Felix Wu, Zhendong Su, Frederic T. Chong, NOMS'08. (27%)
				Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann, Zhendong Su, PLDI'07. (25%)
				Validity Checking for Finite Automata over Linear Arithmetic Constraints Gary Wassermann, Zhendong Su, FSTTCS'06. (22%)
				Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines Jedidiah R. Crandall, Gary Wassermann, Daniela A. S. de Oliveira, Zhendong Su, S. Felix Wu, Frederic T. Chong, ASPLOS'06. (22%)
				The Essence of Command Injection Attacks in Web Applications Zhendong Su, Gary Wassermann, POPL'06. (19%)
Workshop
				ExecRecorder: VM-Based Full-System Replay for Attack Analysis and System Recovery Daniela A. S. de Oliveira, Jedidiah R. Crandall, Gary Wassermann, Zhendong Su, S. Felix Wu, Frederic T. Chong, ASID'06 with ASPLOS'06.
				An Analysis Framework for Security in Web Applications Gary Wassermann, Zhendong Su, SAVCBS'04 with FSE'04. (43%)
Journal
				Static Checking of Dynamically Generated Queries in Database Applications Gary Wassermann, Carl Gould, Zhendong Su, Premkumar Devanbu, TOSEM.
Technical Reports and Unpublished Drafts
				Techniques and Tools for Engineering Secure Web Applications Gary Wassermann, Dissertation.
				A Type-based Dimensional Analysis for XQuery Zhendong Su, Gary Wassermann, Computer Science Division Tech Report.
				Type-based Inference of Size Relationships for XML Transformations Zhendong Su, Gary Wassermann, Draft

Co-Authors

• Ajay Chander
• Frederick T. Chong
• Jedidiah R. Crandall
• Prem Devanbu
• Dinakar Dhurjati
• Carl Gould
• Hiroshi Inamura
• Daniela A. S. de Oliveira
• Zhendong Su
• S. Felix Wu
• Shaozhi Ye
• Dachuan Yu