TWC: Small: Emerging Attacks Against the Mobile Web and Novel Proxy Technologies for Their Containment

TWC：小型：针对移动网络的新兴攻击和新型代理技术的遏制

• 批准号: 1617593
• 负责人: Nick Nikiforakis
• 金额: $ 49.95万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1617593&HistoricalAwards=false
• 关键词: TWC; Small; Emerging; Attacks; Against

Users entrust their mobile devices with sensitive data, including business emails, as well as health and financial information. Thus, mobile devices have become an increasingly popular target for attackers. Mobile devices house powerful browsers that are vulnerable to at least as many attacks as their desktop counterparts. Yet, the security of these mobile browsers is understudied by researchers, leading to a lack of current information about ongoing attacks and possible defenses. This project is gathering up-to-date information about potential attacks against mobile browsers, and developing defense systems that can safeguard a user while taking into account the intricacies of the mobile platform. To help researchers better understand and prioritize protections for potential attacks against mobile browsers, the project is first developing an attack taxonomy that includes information about cornerstone vulnerabilities on which current and future attack vectors can rely. Second, the project is developing an automated vulnerability assessment framework to assist analysts in identifying which browsers are vulnerable to which attacks. Finally, the project is developing a protection proxy to allow cloud-based analysis of traffic to the resource-constrained mobile device, while avoiding proxying of privacy-sensitive activities. The information gained through this project will inform the research community of the vulnerabilities of the mobile web platform and help to prioritize future research efforts toward developing the most effective and performant defenses.

用户将敏感数据委托给他们的移动的设备，包括商业电子邮件以及健康和财务信息。因此，移动的设备已经成为攻击者越来越流行的目标。移动的设备包含功能强大的浏览器，这些浏览器容易受到至少与桌面设备一样多的攻击。然而，研究人员对这些移动的浏览器的安全性研究不足，导致缺乏有关正在进行的攻击和可能的防御的最新信息。该项目正在收集有关针对移动的浏览器的潜在攻击的最新信息，并开发可以保护用户的防御系统，同时考虑到移动的平台的复杂性。为了帮助研究人员更好地理解和优先考虑对移动的浏览器的潜在攻击的保护，该项目首先开发了一个攻击分类，其中包括当前和未来攻击媒介可以依赖的基础漏洞的信息。第二，该项目正在开发一个自动漏洞评估框架，以帮助分析人员确定哪些浏览器容易受到哪些攻击。最后，该项目正在开发一个保护代理，以允许对资源受限的移动终端的流量进行基于云的分析，同时避免对隐私敏感活动的干扰。通过该项目获得的信息将告知研究界移动的Web平台的漏洞，并有助于优先考虑未来的研究工作，以开发最有效和性能最好的防御。

项目成果

Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers

• DOI: 10.14722/ndss.2019.23149
• 发表时间: 2019
• 期刊: Proceedings 2019 Network and Distributed System Security Symposium
• 作者: Meng Luo;Pierre Laperdrix;N. Honarmand;Nick Nikiforakis

Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat

不必要的可识别：量化由于膨胀而导致的浏览器扩展的指纹识别能力

• 发表时间: 2019
• 期刊: Proceedings of the Web Conference (WWW
• 作者: Starov, Oleksii;Laperdrix, Pierre;Kapravelos, Alexandros;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick

Now You See It, Now You Don't: A Large-scale Analysis of Early Domain Deletions

现在你看到了，现在你没有：对早期域删除的大规模分析

• 发表时间: 2019
• 期刊: Intrusions and Defenses (RAID
• 作者: Barron, Timothy;Miramirkhani, Najmeh;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick

Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting

浏览器的 Morellian 分析：通过 Canvas 指纹识别增强 Web 身份验证

• 发表时间: 2019
• 期刊: Proceedings of the 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA
• 作者: Laperdrix, Pierre;Avoine, Gildas;Baudry, Benoit;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick

Purchased Fame: Exploring the Ecosystem of Private Blog Networks

• DOI: 10.1145/3321705.3329830
• 发表时间: 2019-07
• 期刊: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
• 作者: Tom van Goethem;N. Miramirkhani;W. Joosen;Nick Nikiforakis