Securing the Next Generation Web
Doctoral thesis, 2022
With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications, and the clients we use to interact with them remains difficult.
To secure web applications we focus on both the client-side and server-side. For the client-side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to further improve the coverage and vulnerability detection rate of scanners.
In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. AdBlockers and password managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions solely based on the meta-data of downloads over time.
We analyze new attack vectors introduced by Google’s new vehicle OS, Android Automotive. This is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.
To secure web applications we focus on both the client-side and server-side. For the client-side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to further improve the coverage and vulnerability detection rate of scanners.
In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. AdBlockers and password managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions solely based on the meta-data of downloads over time.
We analyze new attack vectors introduced by Google’s new vehicle OS, Android Automotive. This is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.
Browser extensions
Input validation
Web Application Security
Content Security Policy
Vulnerabilities
Android Automotive
Web application scanning
Scaniasalen
Opponent: Associate Professor Adam Doupé, Arizona State University.
Author
Benjamin Eriksson
Chalmers, Computer Science and Engineering (Chalmers), Information Security
AutoNav: Evaluation and Automatization of Web Navigation Policies
The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020,;(2020)p. 1320-1331
Paper in proceeding
Black widow: Blackbox data-driven web scanning
Proceedings - IEEE Symposium on Security and Privacy,;Vol. 2021-May(2021)p. 1125-1142
Paper in proceeding
Benjamin Eriksson, Amanda Stjerna, Riccardo De Masellis, Philipp Ruem- mer, Andrei Sabelfeld. Black Ostrich: Web Application Scanning with String Solvers
Hardening the security analysis of browser extensions
Proceedings of the ACM Symposium on Applied Computing,;(2022)p. 1694-1703
Paper in proceeding
No Signal Left to Chance: Driving Browser Extension Analysis by Download Patterns
ACM International Conference Proceeding Series,;(2022)p. 896-910
Paper in proceeding
On the road with third-party apps: Security analysis of an in-vehicle app platform
VEHITS 2019 - Proceedings of the 5th International Conference on Vehicle Technology and Intelligent Transport Systems,;(2019)p. 64-75
Paper in proceeding
Our modern society depends on efficient and secure online services. Whether it is for banking,
medical journals, talking with friends on social media, or online entertainment, security is crucial.
We regularly hear news about websites being “hacked” and data being leaked. These problems stem
from security bugs in the web applications we rely on. Insecure web applications not only put the
companies at risk of losing revenue but also risks users’ private data being sold or made public. In
addition to web applications, our browsers and their extensions, which we use to interact with these
applications can also serve as an avenue for attackers to steal users’ data.
Security bugs, or vulnerabilities, comes in many shapes and sizes. They can range from sending
data without using encryption to more complex bugs where attackers can gain full control over the
web application by injecting their code. Even in cases where great care is put into securing
applications, subtle vulnerabilities might still be missed. Sometimes, complex workflows and chains
of actions are required to find a problem. For example, a social media user might need to join a
group, then post a photo, before they can find the vulnerability in the photo’s comment section.
Similarly in web browsers, new security mechanisms are constantly being proposed. However,
while these might fix one problem they can introduce new ones unless the entire ecosystem is
considered. Finally, the extensions we allow in our browsers possess great capabilities to read and
manipulate user data. As such, thorough security vetting is required both to detect vulnerabilities
and maliciousness.
This thesis focus on improving web security by developing novel and efficient methods for
detecting security vulnerabilities in web applications, as well as browsers and their extensions.
Vulnerability detection in web applications is improved by unifying previous orthogonal methods in
a non-trivial way. Furthermore, by incorporating and improving on works in mathematical logic
practical challenges in web application scanning can be solved. Security problems of browser
extensions are tackled by a systematic analysis of the extension ecosystem. This resulted in new
code analysis methods that can find previously undetected malicious extensions. Additionally, novel
meta-data analysis methods are developed for finding malicious extensions without the need for the
extension’s code. Finally, by extending the methods to embedded systems, malicious apps in
infotainment systems for vehicles can also be detected.
medical journals, talking with friends on social media, or online entertainment, security is crucial.
We regularly hear news about websites being “hacked” and data being leaked. These problems stem
from security bugs in the web applications we rely on. Insecure web applications not only put the
companies at risk of losing revenue but also risks users’ private data being sold or made public. In
addition to web applications, our browsers and their extensions, which we use to interact with these
applications can also serve as an avenue for attackers to steal users’ data.
Security bugs, or vulnerabilities, comes in many shapes and sizes. They can range from sending
data without using encryption to more complex bugs where attackers can gain full control over the
web application by injecting their code. Even in cases where great care is put into securing
applications, subtle vulnerabilities might still be missed. Sometimes, complex workflows and chains
of actions are required to find a problem. For example, a social media user might need to join a
group, then post a photo, before they can find the vulnerability in the photo’s comment section.
Similarly in web browsers, new security mechanisms are constantly being proposed. However,
while these might fix one problem they can introduce new ones unless the entire ecosystem is
considered. Finally, the extensions we allow in our browsers possess great capabilities to read and
manipulate user data. As such, thorough security vetting is required both to detect vulnerabilities
and maliciousness.
This thesis focus on improving web security by developing novel and efficient methods for
detecting security vulnerabilities in web applications, as well as browsers and their extensions.
Vulnerability detection in web applications is improved by unifying previous orthogonal methods in
a non-trivial way. Furthermore, by incorporating and improving on works in mathematical logic
practical challenges in web application scanning can be solved. Security problems of browser
extensions are tackled by a systematic analysis of the extension ecosystem. This resulted in new
code analysis methods that can find previously undetected malicious extensions. Additionally, novel
meta-data analysis methods are developed for finding malicious extensions without the need for the
extension’s code. Finally, by extending the methods to embedded systems, malicious apps in
infotainment systems for vehicles can also be detected.
WebSec: Securing Web-driven Systems
Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.
Areas of Advance
Information and Communication Technology
Subject Categories
Computer and Information Science
ISBN
978-91-7905-680-3
Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5146
Publisher
Chalmers
Scaniasalen
Opponent: Associate Professor Adam Doupé, Arizona State University.