Computer Science Colloquia
Wednesday, May 15, 2013
Advisor: Dave Evans
Attending Faculty: Joanne Bechta Dugan (Chair), Westley Weimer, Kevin Sullivan, Ron Williams and Shuo Chen.
2:00 PM, Rice Hall, Rm. 242
PhD Proposal Presentation
Improving security and privacy of integrated applications using behavior-based approaches
Modern applications integrate third-party services for easier development, additional functionality such as analytics services, and extra revenue such as advertising networks. This integration, however, presents risks to application security and user privacy. This research addresses integrated applications that incorporate two types of third-party services: (1) services from trusted providers that supply security-critical functionality to the application, such as Single Sign-On (SSO) and file sharing services, and (2) services from untrusted providers that supply other functionality, such as analytics and advertisements. Unlike traditional library inclusions, integrated applications present new challenges because the third-party back-end services and platform runtimes are opaque to the application developer.
For the first type of integration, we assume a benign service provider, and our goal is to eliminate misunderstandings between the service provider and the application developer that may lead to security vulnerabilities in the implementation. We advocate a systematic approach, based on an iterative process of refining system models and uncovering needed assumptions, to discover implicit assumptions and SDK bugs. Our preliminary results for SSO systems have shown significant opportunity and impact --- of the 55 popular applications we've tested, more than half had serious security vulnerabilities because they missed at least one security-critical assumption uncovered by our approach. We propose to develop an automated vulnerability checker that can be deployed in an application marketplace or as a stand-alone service. This testing framework drives the application automatically and decides whether a given application is vulnerable based on its observed behavior. We plan to evaluate its effectiveness by checking a large number of popular web and mobile applications.
For the second type of integration, the embedding application does not rely on a third-party service for security-critical functionality, but wants to prevent harm to the application and its users from embedded services that may be malicious. Integrated services often execute as the same principal as the host application code and therefore have full access to application and user data. We aim to prevent third-party services from exfiltrating sensitive data or maliciously tampering with the host content, and we propose two client-side techniques towards this goal. Our first approach uses a modified browser that mediates third-party services' access to host content. This defense relies on a per-page security policy, and we propose an automated policy generator to help website administrators produce such policies. To avoid relying on security policies, and to extend protection to a wider range of third-party services, we propose a second client-side browser modification that intercepts and compares the network requests issued by the real page and by an artificial projection page, in order to defend against private information exfiltration.
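The projection-page comparison can be illustrated with a small detector. The following is an added example, not code from the proposal or its authors: it assumes that the browser has already recorded the outgoing requests of the real page (loaded with the user's actual data) and of a projection page (the same page loaded with placeholder values in the sensitive fields), and that a request whose URL or body parameters differ between the two loads, or which appears only in the real load, is a candidate for carrying private data. The request tuples below are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data: (method, url, body) triples observed while loading
# the real page and its projection page. Only the sensitive field "email"
# differs between the two loads; the beacon request appears in the real load only.
REAL_REQUESTS = [
    ("GET", "https://analytics.example/collect?sid=42&evt=pageview", ""),
    ("POST", "https://ads.example/track", "email=alice%40example.com&page=profile"),
    ("GET", "https://cdn.example/lib.js", ""),
    ("GET", "https://beacon.example/p?u=alice", ""),
]
PROJECTION_REQUESTS = [
    ("GET", "https://analytics.example/collect?sid=42&evt=pageview", ""),
    ("POST", "https://ads.example/track", "email=PLACEHOLDER%40example.com&page=profile"),
    ("GET", "https://cdn.example/lib.js", ""),
]


def normalize(method, url, body):
    """Split a request into a pairing key (method, origin, path) and a dict of
    decoded parameters; query parameters get a 'q:' prefix, body fields 'b:'."""
    parts = urlsplit(url)
    key = (method, parts.scheme, parts.netloc, parts.path)
    params = {"q:" + k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    params.update({"b:" + k: v for k, v in parse_qsl(body, keep_blank_values=True)})
    return key, params


def find_suspicious(real, projection):
    """Return the real-page requests that have no counterpart in the projection
    page, or whose parameters differ from every counterpart with the same key."""
    proj_index = {}
    for req in projection:
        key, params = normalize(*req)
        proj_index.setdefault(key, []).append(params)

    findings = []
    for req in real:
        key, params = normalize(*req)
        candidates = proj_index.get(key)
        if not candidates:
            # The projection page never issued this request at all.
            findings.append({"request": key, "reason": "only in real page",
                             "fields": sorted(params)})
            continue
        # Pair with the projection request sharing the most identical fields,
        # so repeated requests to the same endpoint do not produce false alarms.
        best = max(candidates,
                   key=lambda c: sum(1 for k, v in params.items() if c.get(k) == v))
        differing = sorted(k for k in params if best.get(k) != params[k])
        if differing:
            findings.append({"request": key, "reason": "differs by field",
                             "fields": differing})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(REAL_REQUESTS, PROJECTION_REQUESTS):
        print(finding)
```

Run stand-alone, the script reports the ads request (its body field `email` changes with the user's data) and the beacon request (absent from the projection load); the analytics and CDN requests, which are identical in both loads, are not flagged. A browser-side implementation would block or strip the flagged requests rather than just print them.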