Security Analysis of Web and Embedded Applications
Licentiate thesis, 2020

As we put more trust in the computer systems we use the need for security
is increasing. And while security features like HTTPS are becoming
commonplace on the web, securing applications remains dicult. This thesis
focuses on analyzing dierent computer ecosystems to detect vulnerabilities
and develop countermeasures. This includesweb browsers,web applications,
and cyber-physical systems such as Android Automotive.
For web browsers, we analyze how new security features might solve a
problem but introduce new ones. We show this by performing a systematic
analysis of the new Content Security Policy (CSP) directive navigate-to.
In our research, we nd that it does introduce new vulnerabilities, to which
we recommend countermeasures. We also create AutoNav, a tool capable of
automatically suggesting navigation policies for this directive.
To improve the security of web applications, we develop a novel blackbox
method by combining the strengths of dierent black-box methods. We
implement this in our scanner Black Widow, which we compare with other
leading web application scanners. Black Widow both improves the coverage
of the web application and nds more vulnerabilities, including ones in
Prestashop, WordPress, and HotCRP.
For embedded systems,We analyze the new attack vectors introduced by
combining a phone OS with vehicle APIs and nd new attacks pertaining to
safety, privacy, and availability. Furthermore, we create AutoTame, which is
designed to analyze third-party apps for vehicles for the vulnerabilities we
found.

Web application scanning

Content Security Policy

Vulnerabilities

Android Automotive

8103
Opponent: Professor Adam Doupé, Arizona State University, USA.

Author

Benjamin Eriksson

Chalmers, Computer Science and Engineering (Chalmers), Information Security

AutoNav: Evaluation and Automatization of Web Navigation Policies

The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020,; (2020)p. 1320-1331

Paper in proceeding

On the road with third-party apps: Security analysis of an in-vehicle app platform

VEHITS 2019 - Proceedings of the 5th International Conference on Vehicle Technology and Intelligent Transport Systems,; (2019)p. 64-75

Paper in proceeding

Eriksson, B. Pellegrino, G. Sabelfeld, A - Black Widow: Blackbox Data-driven Web Scanning

WebSec: Securing Web-driven Systems

Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Subject Categories

Other Computer and Information Science

Embedded Systems

Computer Systems

Areas of Advance

Information and Communication Technology

Publisher

Chalmers University of Technology

8103

Online

Opponent: Professor Adam Doupé, Arizona State University, USA.

More information

Latest update

11/26/2021