Securing the Next Generation Web

Abstract: With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications, and the clients we use to interact with them, remains difficult. To secure web applications we focus on both the client side and the server side. For the client side, mainly web browsers, we analyze how new security features might solve one problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, for which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting, where there is no access to the source code, is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to further improve the coverage and vulnerability detection rate of scanners. In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. ad blockers and password managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions based solely on the metadata of downloads over time. We analyze new attack vectors introduced by Google's new vehicle OS, Android Automotive, which is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.