CAREER: Tools and Techniques for Preserving Integrity on the Web

职业：维护网络完整性的工具和技术

• 批准号: 1941617
• 负责人: Nick Nikiforakis
• 金额: $ 55.11万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2025-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1941617&HistoricalAwards=false
• 关键词: CAREER; Tools; Techniques; Preserving; Integrity

The web, the Internet's most successful and recognizable application, has become part of peoples' daily lives and is relied upon by billions of users for news, entertainment, communications, and work. This reliance is constantly taken advantage of by attackers who appear to have an inexhaustible collection of diverse attacks targeting popular web services and end users. This project views a large number of seemingly unrelated attacks as mere instances of the problem of integrity violation. Due to the absence of integrity checks and guarantees, web applications have no way of gauging whether the content that their users will receive today when clicking on a remote link or loading a remote resource, is the same content that they linked to in the past. This project focuses on better understanding this issue of content integrity on the web, gathering data about how attackers abuse it, and developing defenses against integrity violations.The project proposes to design, implement, and evaluate tools and techniques for preserving integrity on the web by enabling web developers to discover the remote resources on which their web applications rely and make explicit statements about these resources through new policy systems. Next to developer-authored policies, this project will use anomaly detection to automatically discover when remote resources behave in an uncharacteristic fashion by extracting attributes and combining them in integrity signatures. To quantify how popular web applications depend on remote resources and to evaluate how different types of websites would react to different policies, the project includes the longitudinal collection of linking data and the use of this data to simulate the effects of the proposed systems. Finally, the project proposes collaborative, client-server resource-integrity schemes to further protect web users and strengthen the security of existing services. The outcomes of this research effort are expected to improve the research community's understanding of content integrity on the web and to achieve substantial practical impact in protecting websites and users against integrity-violating attacks on the web.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络是互联网最成功和最知名的应用，已经成为人们日常生活的一部分，数十亿用户依赖于它来获取新闻、娱乐、通信和工作。这种依赖性不断被攻击者利用，他们似乎拥有针对流行Web服务和最终用户的各种攻击的无穷无尽的集合。该项目将大量看似无关的攻击视为违反完整性问题的实例。由于缺乏完整性检查和保证，Web应用程序无法衡量用户在点击远程链接或加载远程资源时今天将收到的内容是否与他们过去链接的内容相同。该项目的重点是更好地了解网络上的内容完整性问题，收集有关攻击者如何滥用它的数据，并开发针对完整性侵犯的防御措施。该项目建议设计，实施，并评估通过使Web开发人员能够发现其Web应用程序所依赖的远程资源并通过新的政策体系除了开发人员编写的策略之外，该项目还将使用异常检测，通过提取属性并将其组合到完整性签名中，自动发现远程资源何时以不典型的方式运行。为了量化流行的网络应用程序对远程资源的依赖程度，并评估不同类型的网站对不同政策的反应，该项目包括纵向收集链接数据，并使用这些数据来模拟拟议系统的效果。最后，该项目提出了协作，客户端-服务器资源完整性计划，以进一步保护Web用户和加强现有服务的安全性。这项研究工作的成果有望提高研究界对网络内容完整性的理解，并在保护网站和用户免受网络上违反完整性的攻击方面产生实质性的实际影响。该奖项反映了NSF的法定使命，并被认为值得通过使用基金会的智力价值和更广泛的影响审查标准进行评估来支持。

项目成果

Navigating Murky Waters: Automated Browser Feature Testing for Uncovering Tracking Vectors

航行浑水：用于发现跟踪向量的自动浏览器功能测试

• DOI: 10.14722/ndss.2023.24072
• 发表时间: 2023
• 期刊: Network and Distributed System Security (NDSS
• 作者: Ali, Mir Masood;Chitale, Binoy;Ghasemisharif, Mohammad;Kanich, Chris;Nikiforakis, Nick;Polakis, Jason
• 通讯作者: Polakis, Jason

Click This, Not That: Extending Web Authentication with Deception

点击这个，而不是那个：通过欺骗扩展 Web 身份验证

• DOI: 10.1145/3433210.3453088
• 发表时间: 2021
• 期刊: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (ASIACCS
• 作者: Barron, Timothy;So, Johnny;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick

To Err.Is Human: Characterizing the Threat of Unintended URLs in Social Media

• DOI: 10.14722/ndss.2021.24322
• 发表时间: 2021
• 期刊: Proceedings 2021 Network and Distributed System Security Symposium
• 作者: Beliz Kaleli;Brian Kondracki;Manuel Egele;Nick Nikiforakis;G. Stringhini

Escaping the Confines of Time: Continuous Browser Extension Fingerprinting Through Ephemeral Modifications

逃离时间的限制：通过短暂修改进行连续浏览器扩展指纹识别

• DOI: 10.1145/3548606.3560576
• 发表时间: 2022
• 期刊: ACM SIGSAC Conference on Computer and Communications Security (CCS
• 作者: Solomos, Konstantinos;Ilia, Panagiotis;Nikiforakis, Nick;Polakis, Jason
• 通讯作者: Polakis, Jason

The More Things Change, the More They Stay the Same: Integrity of Modern JavaScript

事物变化越多，它们就越保持不变：现代 JavaScript 的完整性

• DOI: 10.1145/3543507.3583395
• 发表时间: 2023
• 期刊: Proceedings of the ACM Web Conference (WWW
• 作者: So, Johnny;Ferdman, Michael;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick