Cybersecurity Speaker Series: Understanding and Mitigating Web Attacks Targeting Modern Browsers

Defender: Ahmet Salih Buyukkayhan, PhD Student at Northeastern University
Date: Tuesday, 30 October 2018
Time: 4:00pm - 5:00pm
Location: 138 ISEC, 805 Columbus Avenue, Boston MA, 02120
Title: Understanding and Mitigating Web Attacks Targeting Modern Browsers

Abstract

Nowadays, web browsers are installed on almost all computers and mobile devices. Because of their popularity, privileges, and capabilities, web browsers have become an attractive target for attackers. Although it is more difficult to find a vulnerability in browser code, browser extensions and web applications present an ample supply of security vulnerabilities and opportunities for attackers. Therefore, I propose research into browser extension security and Cross-Site Scripting flaws, which allow an attacker to execute malicious code inside the web browser. The aim of this research is to identify the weaknesses of web browsers by understanding the inner workings of existing attacks, to raise awareness by demonstrating potential novel attacks, and to propose countermeasures and practical defenses to protect web users.

In the first part, we investigate several plausible attacks using a malicious extension, such as remote code execution, phishing, and browser window clickjacking. Then, we introduce a novel defense: a policy enforcer that provides the user with fine-grained control over the actions of legacy Firefox extensions.

In the second part, we first identify an extension-reuse vulnerability that allows adversaries to launch stealthy attacks by reusing security-sensitive functionality from innocuous legitimate extensions. We then present CrossFire, a lightweight static analyzer for legacy Firefox extensions that automatically discovers instances of extension-reuse vulnerabilities, generates exploits that confirm the presence of vulnerabilities, and outputs exploit templates to assist users of the tool in rapidly constructing proof-of-concept exploits.

In the third part, we conduct a longitudinal study of 134K reflected Cross-Site Scripting exploits submitted by independent security researchers, spanning a period of nearly ten years. In order to detect the exploitation techniques used, we combine static and dynamic techniques and execute the attacks in a sandbox environment.

About the Speaker

Ahmet Salih Buyukkayhan is a PhD student at Northeastern University. His research interests revolve around several topics in systems security, with a focus on web security.

Committee

Engin Kirda, Northeastern University (advisor)
William Robertson, Northeastern University (co-advisor)
Alina Oprea, Northeastern University
Gianluca Stringhini, Boston University (external)

