Security Analysis of Web and Embedded Applications

Abstract: As we put more trust in the computer systems we use, the need for security is increasing. And while security features like HTTPS are becoming commonplace on the web, securing applications remains difficult. This thesis focuses on analyzing different computer ecosystems to detect vulnerabilities and develop countermeasures. This includes web browsers, web applications, and cyber-physical systems such as Android Automotive. For web browsers, we analyze how new security features might solve one problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, for which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. To improve the security of web applications, we develop a novel black-box method by combining the strengths of different black-box methods. We implement this in our scanner Black Widow, which we compare with other leading web application scanners. Black Widow both improves the coverage of the web application and finds more vulnerabilities, including ones in PrestaShop, WordPress, and HotCRP. For embedded systems, we analyze the new attack vectors introduced by combining a phone OS with vehicle APIs and find new attacks pertaining to safety, privacy, and availability. Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.