Security Analysis of Web and Embedded Applications
Licentiatavhandling, 2020

As we put more trust in the computer systems we use the need for security
is increasing. And while security features like HTTPS are becoming
commonplace on the web, securing applications remains dicult. This thesis
focuses on analyzing dierent computer ecosystems to detect vulnerabilities
and develop countermeasures. This includesweb browsers,web applications,
and cyber-physical systems such as Android Automotive.
For web browsers, we analyze how new security features might solve a
problem but introduce new ones. We show this by performing a systematic
analysis of the new Content Security Policy (CSP) directive navigate-to.
In our research, we nd that it does introduce new vulnerabilities, to which
we recommend countermeasures. We also create AutoNav, a tool capable of
automatically suggesting navigation policies for this directive.
To improve the security of web applications, we develop a novel blackbox
method by combining the strengths of dierent black-box methods. We
implement this in our scanner Black Widow, which we compare with other
leading web application scanners. Black Widow both improves the coverage
of the web application and nds more vulnerabilities, including ones in
Prestashop, WordPress, and HotCRP.
For embedded systems,We analyze the new attack vectors introduced by
combining a phone OS with vehicle APIs and nd new attacks pertaining to
safety, privacy, and availability. Furthermore, we create AutoTame, which is
designed to analyze third-party apps for vehicles for the vulnerabilities we
found.

Content Security Policy

Android Automotive

Vulnerabilities

Web application scanning

8103
Opponent: Professor Adam Doupé, Arizona State University, USA.

Författare

Benjamin Eriksson

Chalmers, Data- och informationsteknik, Informationssäkerhet

AutoNav: Evaluation and Automatization of Web Navigation Policies

The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020,; (2020)p. 1320-1331

Paper i proceeding

On the road with third-party apps: Security analysis of an in-vehicle app platform

VEHITS 2019 - Proceedings of the 5th International Conference on Vehicle Technology and Intelligent Transport Systems,; (2019)p. 64-75

Paper i proceeding

Eriksson, B. Pellegrino, G. Sabelfeld, A - Black Widow: Blackbox Data-driven Web Scanning

WebSec: Säkerhet i webb-drivna system

Stiftelsen för Strategisk forskning (SSF), 2018-03-01 -- 2023-02-28.

Ämneskategorier

Annan data- och informationsvetenskap

Inbäddad systemteknik

Datorsystem

Styrkeområden

Informations- och kommunikationsteknik

Utgivare

Chalmers tekniska högskola

8103

Online

Opponent: Professor Adam Doupé, Arizona State University, USA.

Mer information

Senast uppdaterat

2020-09-18