Akash Agrawall

About

Abstract:

I am working under Dr. Venkatesh Choppella in the field of web security. We analyse the policy CORP (Cross Origin Request Policy), which mitigates cross-origin request attacks. We study a major attack, the browser-based DDoS attack, and show that it can be mitigated using CORP.

Our next research work involves:
1. Modelling a Federated Identity Management (FIM) transaction and showing that CORP does not break such complex cross-origin transactions.
2. Implementing CORP inside Chromium and measuring the overhead CORP incurs in mitigating cross-origin request attacks.

Primary Challenges:

We expect the primary challenge to be implementing CORP in Chromium, which has a huge code base (approx. 43.5 GB).

Major Contributions:

We identify one of the biggest applications of CORP: mitigating browser-based DDoS attacks. We will verify the robustness of CORP using formal modelling (in the Alloy language). We will implement CORP directly in the browser and measure its overhead in mitigating the attack.

Initial results:

We have shown that CORP can mitigate a browser-based DDoS attack within one second, thereby allowing the server to continue serving user requests.
Paper accepted at ISEC'17: "Mitigating Browser-based DDoS Attacks using CORP", by Akash Agrawall, Krishna Chaitanya Telikicherla, Arnav Kumar Agrawal and Venkatesh Choppella.
Publications

Conference and Workshop

  • Akash Agrawall, Krishna Chaitanya, Arnav Kumar Agrawal, Venkatesh Choppella: Mitigating Browser-based DDoS Attacks using CORP. ISEC 2017: 137-146
  • Krishna Chaitanya Telikicherla, Akash Agrawall, Venkatesh Choppella: A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP. ICISSP 2017: 516-523
  • Akash Agrawall, Shubh Maheshwari, Projit Bandyopadhyay, Venkatesh Choppella: Modelling and Mitigation of Cross-Origin Request Attacks on Federated Identity Management Using Cross Origin Request Policy. ICISS 2017: 263-282