Language-Based Security and Privacy in Web-driven Systems
Doctoral thesis, 2024
Modular programming is a core principle in software development, which demands reducing design complexity through independent code modules. A prime example of modular programming is systems offering various services and applications accessible through the web. Their complex nature, heavy dependence on third-party modules, and large user base call for principled approaches to user security and privacy.
This thesis focuses on securing web-driven systems, practically targeting Trigger-Action Platforms (TAPs) and browser extensions. Both increasingly popular systems empower users to develop and publish applications that enhance digital lives through smart automation and personalized web browsing, respectively.
Our approach to software security and privacy is through the lens of programming-language techniques. We identify vulnerabilities in popular TAP applications and prevent malicious behavior by sandboxing and fine-grained access control. To minimize data access for TAPs with user-configured applications, we also present a construction-by-design paradigm for on-demand data minimization using lazy computation.
Besides access control and minimization, we study how sensitive information is processed once access is granted, using information-flow analysis. We identify privacy risks in browser extensions, such as exfiltration of cookies and browsing history over the network. We develop a static analysis framework to track flows from user-sensitive data to network requests in browser extensions. Moreover, we revisit information-flow policies that are not necessarily transitive, supporting coarse-grained policies where security labels are specified at the level of modules. We leverage flow-sensitive type systems to enforce granular security in module-based systems.
This thesis focuses on securing web-driven systems, practically targeting Trigger-Action Platforms (TAPs) and browser extensions. Both increasingly popular systems empower users to develop and publish applications that enhance digital lives through smart automation and personalized web browsing, respectively.
Our approach to software security and privacy is through the lens of programming-language techniques. We identify vulnerabilities in popular TAP applications and prevent malicious behavior by sandboxing and fine-grained access control. To minimize data access for TAPs with user-configured applications, we also present a construction-by-design paradigm for on-demand data minimization using lazy computation.
Besides access control and minimization, we study how sensitive information is processed once access is granted, using information-flow analysis. We identify privacy risks in browser extensions, such as exfiltration of cookies and browsing history over the network. We develop a static analysis framework to track flows from user-sensitive data to network requests in browser extensions. Moreover, we revisit information-flow policies that are not necessarily transitive, supporting coarse-grained policies where security labels are specified at the level of modules. We leverage flow-sensitive type systems to enforce granular security in module-based systems.
Information-flow control
Sandboxing
Modular programming
Trigger-action platforms
Browser extensions
Data minimization
Language-based security and privacy
HB1, Hörsalar HB, Hörsalsvägen 8, Chalmers
Opponent: Deian Stefan, University of California San Diego, USA
Author
Seyed Mohammad Mehdi Ahmadpanah
Chalmers, Computer Science and Engineering (Chalmers), Information Security
SandTrap: Securing JavaScript-driven Trigger-Action Platforms
Proceedings of the 30th USENIX Security Symposium,;(2021)p. 2899-2916
Paper in proceeding
Securing Node-RED Applications
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),;Vol. 13066 LNCS(2021)p. 1-21
Book chapter
LazyTAP: On-Demand Data Minimization for Trigger-Action Applications
Proceedings - IEEE Symposium on Security and Privacy,;Vol. 2023-May(2023)p. 3079-3097
Paper in proceeding
CodeX: A Framework for Tracking Flows in Browser Extensions
Nontransitive Policies Transpiled
Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021,;(2021)p. 543-561
Paper in proceeding
Did you know that your web browsing history can reveal details about your location, healthcare concerns, and political views? Did you know that an email automation application designed to assist you might secretly forward copies of all your sent emails to someone else? Applications on the web significantly improve our digital lives but unfortunately sometimes at the cost of compromising our private information!
This thesis studies popular platforms for smart automation and web browsing to demonstrate possible scenarios where you should be careful about the applications you trust daily. We propose principled approaches to verify that smart automation applications behave as intended and do not access any information beyond your given consent. In addition, we analyze extensions you can install on your favorite browser to track their processing of sensitive information, like browsing history, and detect any that might violate your privacy by sending such information over the network.
In this thesis, we offer a set of solutions, from sandboxing and data minimization to flow tracking and static analysis, to secure applications in IoT platforms and browser extensions at the language level. The presented tools, developed based on concepts from programming languages and sometimes with mathematical guarantees, aid platform owners in application vetting and help users gain a more clear understanding of their security and privacy.
This thesis studies popular platforms for smart automation and web browsing to demonstrate possible scenarios where you should be careful about the applications you trust daily. We propose principled approaches to verify that smart automation applications behave as intended and do not access any information beyond your given consent. In addition, we analyze extensions you can install on your favorite browser to track their processing of sensitive information, like browsing history, and detect any that might violate your privacy by sending such information over the network.
In this thesis, we offer a set of solutions, from sandboxing and data minimization to flow tracking and static analysis, to secure applications in IoT platforms and browser extensions at the language level. The presented tools, developed based on concepts from programming languages and sometimes with mathematical guarantees, aid platform owners in application vetting and help users gain a more clear understanding of their security and privacy.
WebSec: Securing Web-driven Systems
Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.
Areas of Advance
Information and Communication Technology
Subject Categories
Computer Science
ISBN
978-91-8103-080-8
Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5538
Publisher
Chalmers
HB1, Hörsalar HB, Hörsalsvägen 8, Chalmers
Opponent: Deian Stefan, University of California San Diego, USA