PhD Thesis Proposal: Hardening Client-Side Applications in the Presence of Security Vulnerabilities
Title: Hardening Client-Side Applications in the Presence of Security Vulnerabilities
Speaker: Michael Weissbacher, PhD Candidate, College of Computer and Information Science at Northeastern University
Location: Northeastern University, 815 Columbus Avenue, Interdisciplinary Science and Engineering Complex, Room 632, Boston, Massachusetts 02115
Modern Web applications are increasingly moving program logic to the client-side. With the growing adoption of HTML5 APIs, vulnerabilities are consequently becoming increasingly important to address. However, while detecting and preventing attacks against Web applications is a well-studied topic on the server, considerably less work has been performed for the client.
An early example of a client-side exploit was the 2005 MySpace worm; it spread a million times within 20 hours. While Web applications nowadays are generally more secure than MySpace at the time, software vulnerabilities are still common. Ideally, software would be free of vulnerabilities; however, this currently seems an elusive goal.
Nowadays, behavior similar to the MySpace worm would have more far-reaching impact as client-side Web applications are more popular.
With built-in resilience, exploitation of such vulnerabilities can be prevented, even for vulnerable code. An example of such a technology is Content Security Policy (CSP), which allows the actions of a website to be restrained by sending descriptive restrictions on a secure channel before the site is rendered. Although the client-side application is allowed to stay vulnerable, a layer of resilience can prevent exploitation.
For my thesis, I propose novel research into hardening of client-side Web applications in the presence of security vulnerabilities. In particular, I will address two fields of interest: CSP and history leaks in browser extensions. In the first part of my thesis, I show that CSP, a promising technology for resilience in Web applications, is used on a low number of websites and rarely used to its full potential. I performed a long-term measurement, and further determine challenges in deployments that prevent wide adoption. Next, I outline feasibility of semi-automated policy generation, from the perspective of both a website operator and an external third party. Finally, I explore barriers to suggest improvements that could help ease CSP adoption.
In the second part, I investigate methods of detection for history-leaking browser extensions. I show that established security measures by browser extensions are insufficient to prevent such attacks, as extensions can leak history even with modest permissions. I introduce a novel method of detecting such leaks, with a prototype implementation for Chrome extensions, Ex-Ray. Using my method for pre-screening of extensions before store admission, browsers can be made more resilient to such attacks.
For the third part, I plan to develop methods of analyzing client-side Web penetration testing tools. Unlike server-side penetration testing tools, this area has not yet been researched enough. This part of my thesis is ongoing work and I plan to finish it before defending.
About the Speaker
Michael Weissbacher is a PhD student in the Information Assurance program at Northeastern University’s College of Computer and Information Science, advised by Professor Engin Kirda. A native of Vienna, Austria, Michael earned both his bachelor’s and master’s degrees from the Technical University of Vienna. Michael’s field of study is systems security.
Engin Kirda, Northeastern University (advisor)
William Robertson, Northeastern University
Long Lu, Northeastern University
Nick Nikiforakis, Stony Brook University
Tuesday, November 7, 2017 at 4:00pm