Language-Based Security and Privacy in Web-driven Systems
Doctoral thesis, 2024

Modular programming is a core principle in software development: it reduces design complexity by dividing a program into independent code modules. A prime example of modular programming is systems offering various services and applications accessible through the web. Their complex nature, heavy dependence on third-party modules, and large user base call for principled approaches to user security and privacy.
This thesis focuses on securing web-driven systems, practically targeting Trigger-Action Platforms (TAPs) and browser extensions. Both increasingly popular systems empower users to develop and publish applications that enhance digital lives through smart automation and personalized web browsing, respectively.
Our approach to software security and privacy is through the lens of programming-language techniques. We identify vulnerabilities in popular TAP applications and prevent malicious behavior by sandboxing and fine-grained access control. To minimize data access for TAPs with user-configured applications, we also present a construction-by-design paradigm for on-demand data minimization using lazy computation.
Besides access control and minimization, we study how sensitive information is processed once access is granted, using information-flow analysis. We identify privacy risks in browser extensions, such as exfiltration of cookies and browsing history over the network. We develop a static analysis framework to track flows from user-sensitive data to network requests in browser extensions. Moreover, we revisit information-flow policies that are not necessarily transitive, supporting coarse-grained policies where security labels are specified at the level of modules. We leverage flow-sensitive type systems to enforce granular security in module-based systems.

Information-flow control

Sandboxing

Modular programming

Trigger-action platforms

Browser extensions

Data minimization

Language-based security and privacy

HB1, Hörsalar HB, Hörsalsvägen 8, Chalmers
Opponent: Deian Stefan, University of California San Diego, USA

Author

Seyed Mohammad Mehdi Ahmadpanah

Chalmers, Computer Science and Engineering (Chalmers), Information Security

SandTrap: Securing JavaScript-driven Trigger-Action Platforms

Proceedings of the 30th USENIX Security Symposium (2021), p. 2899-2916

Paper in proceeding

Securing Node-RED Applications

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 13066 LNCS (2021), p. 1-21

Book chapter

LazyTAP: On-Demand Data Minimization for Trigger-Action Applications

Proceedings - IEEE Symposium on Security and Privacy, Vol. 2023-May (2023), p. 3079-3097

Paper in proceeding

CodeX: A Framework for Tracking Flows in Browser Extensions

Nontransitive Policies Transpiled

Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021 (2021), p. 543-561

Paper in proceeding

Did you know that your web browsing history can reveal details about your location, healthcare concerns, and political views? Did you know that an email automation application designed to assist you might secretly forward copies of all your sent emails to someone else? Applications on the web significantly improve our digital lives but unfortunately sometimes at the cost of compromising our private information!
This thesis studies popular platforms for smart automation and web browsing to demonstrate possible scenarios where you should be careful about the applications you trust daily. We propose principled approaches to verify that smart automation applications behave as intended and do not access any information beyond your given consent. In addition, we analyze extensions you can install on your favorite browser to track their processing of sensitive information, like browsing history, and detect any that might violate your privacy by sending such information over the network.
In this thesis, we offer a set of solutions, from sandboxing and data minimization to flow tracking and static analysis, to secure applications in IoT platforms and browser extensions at the language level. The presented tools, developed based on concepts from programming languages and sometimes with mathematical guarantees, aid platform owners in application vetting and help users gain a clearer understanding of their security and privacy.

WebSec: Securing Web-driven Systems

Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Areas of Advance

Information and Communication Technology

Subject Categories (SSIF 2011)

Computer Science

ISBN

978-91-8103-080-8

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5538

Publisher

Chalmers

Online

More information

Latest update

8/9/2024