Master of Technology, CS Indian Institute of Technology, Kanpur CPA: 7.71/10.0

Transcription

1 1/5 Prithvi Bisht 1500 Harbour Dr, Unit 4D, Wheeling, Illinois, T B p b i s h c s. u i c. e d u, b i s h t s p y a h o o. c o m WWW: pbisht Overview Extensive experience spanning 10+ years of Research and Development activities: 6 years in intensive and cutting-edge computer security research that resulted in several innovative, novel ideas and prototype tools for finding and fixing security vulnerabilities, 4+ years in software industry that resulted in contributions to in-market as well as future products of companies such as Intel. I am interested in designing and developing innovative, pragmatic and effective solutions to combat computer security issues. My expertise is in Language-based security solutions i.e., prevent / eliminate / detect vulnerabilities through program analysis and retrofitting. My doctoral dissertation titled Improving Web Security by Automated Extraction of Web Application Intent observed that the source code of a web application contains a wealth of information about its intended behavior. Typically, attacks manifest by tricking applications to yield unintended behaviors. This dissertation offers novel techniques that generate models of intended behavior through program analysis and then use them to prevent / eliminate attacks (enforce conformance to the model) or to find concrete attacks (find lapses in model enforcement). Education Doctor of Philosophy, CS University of Illinois at Chicago GPA: 4.0/4.0 Aug Aug 2011 Advisor: Prof. V.N. Venkatakrishnan Master of Technology, CS Indian Institute of Technology, Kanpur CPA: 7.71/10.0 Jul Feb 2002 Advisor: Prof. Rajat Moona Bachelor of Engineering, CS G.B. Pant Engineering College Percentage: 80% (honors) Jun Jun 2000 Skills Research: Security analysis of systems/solutions, problem identification, theoretical analysis, solution development & concept prototyping, author academic literature & research proposals, collaboration, knowledge extraction & critical review of academic literature. Software Engineering: Conception, design, implementation, optimization, debugging, documentation, support and growth of small to large, long-term software development projects Computer Languages: C, Java, L A TEX, JavaScript, Perl, Shell script, PHP, SQL Employment Experience Postdoc Research Associate Jul 2011 Sep 2012 University of Illinois at Chicago, Department of Computer Science, Chicago, IL, USA Shaped ideas and spearheaded efforts on designing an effective solution for preventing parameter tampering exploits. Submitted a grant proposal to NSF for funding parameter tampering research. Co-Founder and Partner Apr 2012 Sep 2012 Aegilys Inc., Chicago, USA Participated in 7 Week intensive National Science Foundation (NSF) I-Corps program to assess business feasibility of ideas. Developed a business model (Osterwalder Canvas) with key components such as value propositions, key customers, channels, revenue streams, etc., and refined these with customer interviews. Interviewed over 70 potential customers (CEOs, Managers, Developers) ranging from Fortune-500 companies to small startups to identify key customer needs in the application security domain. Spearheaded efforts in writing and submitting an NSF Small Business Innovation Research (SBIR) grant. 1

2 Prithvi Bisht 2/5 Research Assistant Jan 2007 Jul 2011 University of Illinois at Chicago, Department of Computer Science, Chicago, IL, USA Studied security issues in Web applications. Proposed solutions for mitigation of top security threats including SQL-injection, Cross-site scripting and Cross-site request forgery. Proposed novel ways of finding high impact vulnerabilities in commercial web applications (online banking / shopping). Published research papers in top tier security conferences and participated in preparation of grant proposals to NSF. Peer reviewed academic conference papers and journal articles. Prototyped and evaluated several research ideas. Doctoral Intern May 2010 Aug 2010 SRI International, Computer Science Lab, Menlo Park, CA, USA Analyzed malicious Flash applications and prepared a categorized knowledge base. Studied existing literature on security analysis of binary applications. Proposed a novel scheme to find and prevent Zero-day attacks in binary applications. Senior Software Developer Jul 2003 Jul 2006 Intel Corporation, Bangalore, India Designed and developed software for concept platforms of Intel. Proposed novel ideas that showcased hardware strength. Prototyped and prepared demos for higher management to get seed money for projects. Interfaced with Bluetooth stack vendors (Toshiba Japan, IVT China) as the sole technical contact. Published patentable ideas at Senior Software Developer Mar 2002 Jul 2003 Novell Inc., Bangalore, India Developed software to provide location independent secure access to the corporate information. Teaching/Research Assistant Jul 2000 Feb 2002 Indian Institute of Technology Kanpur, Department of Computer Science, Kanpur, India Developed an architecture-independent disassembler. Studied hands-on security (buffer overflows, trojan horses, packet sniffers). Mentored tutorial sessions and graded assignments for undergraduate class Introduction to Programming. Publications Refereed Conference Papers 1. Dont Repeat Yourself: Automatically Synthesizing Client-side Validation Code for Web Applications (Demo Paper). Nazari Skrupsky, Maliheh Monshizadeh, Prithvi Bisht, Timothy Hinrichs, V.N. Venkatakrishnan, and Lenore Zuck. In WEBAPPS 12: Proceedings of the 3rd Usenix Conference on Web Application Development Boston, MA, USA, SWIPE: Eager Erasure of Sensitive Data in Large Scale Systems Software. Kalpana Gondi, Prithvi Bisht, A. Prasad Sistla and V.N. Venkatakrishnan. In CODASPY 12: Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy San Antonio, TX, USA, 2012, Acceptance Rate = 21 / 113, 18%. 3. WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, and V.N. Venkatakrishnan. In CCS 11: Proceedings of the 18th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, 2011, Acceptance Rate = 60 / 429, 14%. 2

3 Prithvi Bisht 3/5 4. NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz and V.N. Venkatakrishnan. In CCS 10: Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, 2010, Acceptance Rate = 55 / 320, 17%. 5. TAPS: Automatically Preparing Safe SQL Queries (Poster Paper). Prithvi Bisht, A. Prasad Sistla and V.N. Venkatakrishnan. In CCS 10: Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, 2010, Acceptance Rate = 44 / 69, 64%. 6. Automatically Preparing Safe SQL Queries. Prithvi Bisht, A. Prasad Sistla and V.N. Venkatakrishnan. In FC 10: Proceedings of the 14th International Conference on Financial Cryptography and Data Security, Tenerife, Canary Islands, Spain, 2010, Acceptance Rate = 19 / 130, 14.6%. 7. Strengthening XSRF Defenses for Legacy Web Applications Using White-box Analysis and Transformation. Michelle Zhou, Prithvi Bisht and V.N. Venkatakrishnan. In ICISS 10: Proceedings of the 6th International Conference on Information Systems Security, Gandhinagar, Gujarat, India, 2010, Acceptance Rate = 14 / 51, 27%. 8. XSS-GUARD: Precise Dynamic Prevention of Cross-site Scripting Attacks. Prithvi Bisht and V.N. Venkatakrishnan. In DIMVA 08: Proceedings of the 5th Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Paris, France, 2008, Acceptance Rate = 13 / 42, 31%. 9. CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations. Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan and V.N. Venkatakrishnan. In CCS 07: Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, 2007, Acceptance Rate = 55 / 302, 18%. Refereed Journal Articles 10. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. Prithvi Bisht, P. Madhusudan and V.N. Venkatakrishnan. ACM Trans. Inf. Syst. Secur., Volume 13, Number 2, 2010, New York, NY, USA. Refereed Workshop Papers 11. Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw, Prithvi Bisht and V.N. Venkatakrishnan. In 2nd Workshop in Web 2.0 Security and Privacy, Oakland, CA, USA, Acceptance Rate = 14 / 45, 31%. Invited Papers 12. WebAppArmor: A Framework for Preventing Web-based Attacks. V.N. Venkatakrishnan, Prithvi Bisht, Mike Ter Louw, Michelle Zhou, Kalpana Gondi and K. T. Ganesh. In ICISS 10: Proceedings of the 6th International Conference on Information Systems Security, Gandhinagar, Gujarat, India, Book Chapters 13. Formal Methods in Web Application Security. Prithvi Bisht and V.N. Venkatakrishnan. To appear in Encyclopedia of Cryptography and Security, 2nd Ed., Springer, (Editors: Henk C.A. van Tilborg and Sushil Jajodia). Patents 14. Apparatus for Enhancing Web Application Security and Method Therefor. US Patent Number: , with V.N. Venkatakrishnan and A. Prasad Sistla. 15. Methods for Automatically Discovering Parameter Tampering Exploits in Web Applications. Filed provisional patent to US Patent Office, with Nazari Skrupsky, Timothy Hinrichs, Nazari Skruspky, and V.N. Venkatakrishnan. 3

4 Prithvi Bisht 4/5 Under Submission 1. TamperProof: A Server-Agnostic Defense for Parameter Tampering Attacks on Web Applications. with Nazari Skrupsky, Timothy Hinrichs, Lenore Zuck and V.N. Venkatakrishnan. 2. WAVES: Automatic Synthesis of Client-side Validation Code for Web Applications. with Nazari Skrupsky, Maliheh Monshizadeh, Timothy Hinrichs, V.N. Venkatakrishnan, and Lenore Zuck. Online Demos of Developed Software 1. TAPS Online Demo: Demonstrates re-writing of SQL injection vulnerable code samples to equivalent safe PREPARE statements based code (Refer to publications [5, 6]). This tool entailed complex engineering to build an understanding of vulnerable parts of the software, re-produce the safe equivalent code, and in handling many features of PHP language. 2. WAPTEC Online Demo: Demonstrates re-writing of PHP programs to capture traces that represent statements executed in a specific run of the web application (Refer to publication [3]). This tool entailed complex engineering to handle challenges posed by weak typing of PHP language (in propagating taint etc.). 3. TamperProof Online Demo: Demonstrates effectiveness of TamperProof (solution to prevent parameter tampering attacks currently under submission). This tool entailed challenges in achieving acceptable performance for an online defense. Professional Activities Program Committee: International Conference on Information Systems Security (ICISS): 2012 Peer-reviewed research articles for: IEEE Security & Privacy (Oakland): 2010, 2011, 2012 Network & Distributed Systems Security (NDSS): 2011 ACM Computer & Communications Security (CCS): 2009 Recent Advances in Intrusion Detection (RAID): 2008, 2010 Annual Computer Security Applications Conference (ACSAC): 2008, 2009, 2010, 2011 World Wide Web (WWW): 2012 Computer Security Foundations Symposium (CSFW): 2009 Journal of Computer Security (JCS): 2009 IET Information Security Journal (ISJ): 2011 Journal of Software Practice and Experience (JSPE): 2008 Web 2.0 Security and Privacy (W2SP): 2011 International Conference on Information Systems Security (ICISS): 2011 Volunteered services: Contributed to summaries of paper presentations, poster sessions and work-in-progress talks for Usenix Security 2010, Washington, DC, USA and Usenix Security 2009, Montreal, Canada Local Arrangements: ACM Computer and Communications Security (CCS): 2009, 2010 and International Conference on High Performance Computing (HiPC): 2006 Presentations WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction Paper presentation, CCS conference, Chicago, IL, USA, Web Application Security: Trends and Mitigation through Source Code Analysis. Dasient, Sunnyvale, USA, Mar 2011 AT&T Security Research Center, New York, USA, Feb 2011 SRI International, Computer Science Lab Seminar, Menlo Park, USA, Dec

5 Prithvi Bisht 5/5 NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications Poster presentation, Computer Security Awareness Week (CSAW), NY, USA, Oct 2010 Paper presentation, CCS Conference, Chicago, USA, Oct 2010 Rump session presentation, Usenix Security Symposium, Washington, USA, Aug 2010 Taps: Automatically Preparing Safe SQL Queries Paper presentation, FC Conference, Tenerife, Spain, Jan 2010 Poster presentation, CCS Conference, Chicago, USA, Oct 2010 XSS-Guard: Precise Dynamic Prevention of Cross-site Scripting Attacks. Paper presentation, DIMVA Conference, Paris, France, Jul 2008 Candid: Preventing SQL Code Injection Attacks Work-in-progress presentation, Usenix Security Symposium, Boston, Aug 2007 Poster presentation, Midwest Security Workshop, Chicago, Oct 2007 Honors and Distinctions NoTamper project was among the 10 finalists in NYU-Polytechnic Computer Security Awareness Week competition 2010 (open to all students in the Continental USA). Research work featured in news Oct 2010: Oct 2010: Oct 2009: Student travel grants: 16 th, 18 th and 19 th Usenix Security Symposium (2007, 2009, 2010) All India Rank 52, Graduate Aptitude Test of Engineering, India, 2000 (99.06 percentile). Security Relevant Coursework at UIC Advanced Web and Electronic Voting Security Codes & Cryptography Formal Methods in Concurrent and Distributed Systems Computer Systems Security Secure Computer Systems Network and Distributed Systems Security 5