Security Analysis of Web and Embedded Applications
Licentiate thesis, 2020

As we put more trust in the computer systems we use, the need for security is increasing. And while security features like HTTPS are becoming commonplace on the web, securing applications remains difficult. This thesis focuses on analyzing different computer ecosystems to detect vulnerabilities and develop countermeasures. This includes web browsers, web applications, and cyber-physical systems such as Android Automotive.

For web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive.

To improve the security of web applications, we develop a novel black-box method by combining the strengths of different black-box methods. We implement this in our scanner Black Widow, which we compare with other leading web application scanners. Black Widow both improves the coverage of the web application and finds more vulnerabilities, including ones in Prestashop, WordPress, and HotCRP.

For embedded systems, we analyze the new attack vectors introduced by combining a phone OS with vehicle APIs and find new attacks pertaining to safety, privacy, and availability. Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.

Web application scanning

Content Security Policy

Vulnerabilities

Android Automotive

8103
Opponent: Professor Adam Doupé, Arizona State University, USA.

Author

Benjamin Eriksson

Chalmers, Computer Science and Engineering, Information Security

AutoNav: Evaluation and Automatization of Web Navigation Policies

The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020 (2020), pp. 1320-1331

Paper in proceedings

On the road with third-party apps: Security analysis of an in-vehicle app platform

VEHITS 2019 - Proceedings of the 5th International Conference on Vehicle Technology and Intelligent Transport Systems (2019), pp. 64-75

Paper in proceedings

Eriksson, B., Pellegrino, G., Sabelfeld, A. - Black Widow: Blackbox Data-driven Web Scanning

WebSec: Security in web-driven systems

Stiftelsen för Strategisk forskning (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Subject categories

Other Computer and Information Science

Embedded Systems

Computer Systems

Areas of Advance

Information and Communication Technology

Publisher

Chalmers

Online

More information

Last updated

2021-11-26