Security Analysis of Web and Embedded Applications
is increasing. And while security features like HTTPS are becoming
commonplace on the web, securing applications remains difficult. This thesis
focuses on analyzing different computer ecosystems to detect vulnerabilities
and develop countermeasures. This includes web browsers, web applications,
and cyber-physical systems such as Android Automotive.
For web browsers, we analyze how new security features might solve a
problem but introduce new ones. We show this by performing a systematic
analysis of the new Content Security Policy (CSP) directive navigate-to.
In our research, we find that it does introduce new vulnerabilities, to which
we recommend countermeasures. We also create AutoNav, a tool capable of
automatically suggesting navigation policies for this directive.
To improve the security of web applications, we develop a novel black-box
method by combining the strengths of different black-box methods. We
implement this in our scanner Black Widow, which we compare with other
leading web application scanners. Black Widow both improves the coverage
of the web application and finds more vulnerabilities, including ones in
Prestashop, WordPress, and HotCRP.
For embedded systems, we analyze the new attack vectors introduced by
combining a phone OS with vehicle APIs and find new attacks pertaining to
safety, privacy, and availability. Furthermore, we create AutoTame, which is
designed to analyze third-party apps for vehicles for the vulnerabilities we
Content Security Policy
Web application scanning
Chalmers, Computer Science and Engineering, Information Security
AutoNav: Evaluation and Automatization of Web Navigation Policies
The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020 (2020), pp. 1320-1331
Paper in proceedings
On the road with third-party apps: Security analysis of an in-vehicle app platform
VEHITS 2019 - Proceedings of the 5th International Conference on Vehicle Technology and Intelligent Transport Systems (2019), pp. 64-75
Paper in proceedings
Eriksson, B., Pellegrino, G., Sabelfeld, A. - Black Widow: Blackbox Data-driven Web Scanning
WebSec: Security in web-driven systems
Swedish Foundation for Strategic Research (SSF), 2018-03-01 -- 2023-02-28.
Other Computer and Information Science
Information and Communication Technology
Chalmers University of Technology
Opponent: Professor Adam Doupé, Arizona State University, USA.