I thought recently about the ways in which folks who are looking for research projects in web app sec might make a useful contribution to the field. Part of that is the list of impossible tasks – those tasks that are so hard that it is unlikely to be solved in my lifetime. If you solve these, you’re a rocket scientist.
- Universal XSS Prophylactic – it seems simple enough – blow XSS out of the water. In all code for all time. We know how to do it well enough, but how do you solve it for all that crappy code still running? Think of a design pattern, injection, or mechanism that will blow XSS out of the water with minimal changes to existing code. Don’t say h().
- The No Injection Design Pattern. Almost all of our major commercially successful protocols are mixed data / program (i.e. not Harvard Architecture). Think about a design pattern, architecture, or API that allows ANY arbitrary protocol (SNMP through XML) to have no injections. This is not just about prepared statements, this is about taking an injectable grammar, and transforming it into a work of uninjectable beauty that is orthogonal and deep. There is previous work in this area (and you’ll be off to good start if you know who wrote it and include them in your research team).
- Common Off the Shelf Anti-Corruption Business Processes. Realistically, we’re here to support solutions, not enable security “features”. There’s no value to be had from security per se; we are the guardians against dumb luck and bad risk. There should be a open source business process library that is resistant to fraud, corruption, coercion and bribery, as well as just going from Step 1 to Step 10. Think of how a simple process of acquiring pens from the office supplies cupboard should be built compared to say acquiring a data center populated with 3843 servers. Or was that 3842 servers?
- Working with infected platforms. Financial institutions know that a certain percentage of their customers are infected with malware. At one institution I worked at, it was approximately 35% of a Certain Popular Operating System had at least one, and more often 10 or more different pieces of malware installed, ranging from hostile toolbars all the way through to Banking trojans. We knew absolutely that their computers would most likely steal their logins, and try to steal their funds. Think about ways you can perform “trusted” computing on a clearly untrustable platform. Booting a LiveCD is not going to cut it for my Mum. Think harder. This one will make you millions if not billions if you do it right.
- Creating a math or notation for access control that “proves” protection. This one is a big one. Many a time, we do code reviews and penetration tests and find insecure end points – client, presentation, controller, model, or data and we can exploit them. We shouldn’t be able to find these at all – your compiler and IDE should alert developers to leakage of secured data / functions. Come up with a notation or mechanism that can be easily parsed by compilers that helps prove that every piece of secured data and secured function is protected end to end. You must satisfy “principle of least privilege”, “default deny”, “fail safely”, and “complete mediation” principles.
Some of these items are dealt with by OWASP’s ESAPI, others by the judicious use of WAFs. But there is huge scope with billions of lines of legacy code hanging out there in any number of languages and frameworks. These are simply never going to be fixed, and yet we rely on them to keep the lights on, water flowing and sewerage flushing. Literally. These are the first five that I think are worthy of top class researchers. Go for it.