Modeling Security Weaknesses to Enable Practical Run-time Defenses William Melicher 10.1184/R1/9735716.v1 https://kilthub.cmu.edu/articles/thesis/Modeling_Security_Weaknesses_to_Enable_Practical_Run-time_Defenses/9735716 Security weaknesses are sometimes caused by patterns in human behaviors. However, it can be difficult to identify such patterns in a practical, yet accurate way. In order to fix security weaknesses, it is crucial to identify them. Useful systems to identify security weaknesses must be accurate enough to guide users’ decisions, but also be lightweight enough to produce results in a reasonable time frame. In<br>this thesis, we show how machine-learning techniques allow us to detect security weaknesses that result from patterns in human behavior faster and more efficiently<br>than current approaches, enabling new, practical run-time defenses. We present two applications to support this thesis. First, we use neural networks to identify users’ weak passwords and show how to make this approach practical for fully client-side password feedback. One problem<br>with current password feedback is that users can get either quick but often incorrect feedback by using heuristics or accurate but slow feedback by simulating adversarial<br>guessing. In contrast, we found that our approach to password guessing is both more accurate and more compact in implementation than previous ones, which enables us to more practically estimate resistance to password-guessing attacks in real time<br>on client machines. Second, we use deep learning models to identify client-side cross-site scripting<br>vulnerabilities in JavaScript code. We collected JavaScript functions from hundreds of thousands of web pages and using a taint-tracking-enabled browser labeled them<br>according to whether they were vulnerable to cross-site scripting. We trained deep neural networks to classify source code as safe or as potentially vulnerable. We<br>demonstrate how our models can be used as a lightweight building block to selectively enable other defenses, e.g., taint tracking. 2019-10-09 19:42:06 Cross-site scripting security