Collaborative Research: SaTC: CORE: Medium: App-driven Web Browsing: Novel Risks, Vulnerabilities, and Defenses

协作研究：SaTC：核心：中：应用程序驱动的网络浏览：新的风险、漏洞和防御

• 批准号: 2211574
• 负责人: Jason Polakis
• 金额: $ 50万
• 依托单位: University of Illinois at Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2026-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2211574&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

The modern web ecosystem is comprised of a multitude of non-browser applications that, while having the same ability to process and render web content, are developed with different technologies and exhibit different capabilities. In this new browsing paradigm, app developers are responsible for configuring and implementing security features that are already standardized in traditional browsers. The option to deviate from well-known defaults has the potential of opening their software to misconfigurations and ultimately exposing users to significant security risks. This project focuses on providing a holistic and in-depth analysis of the features, functionality, and capabilities of modern non-browser apps that allow web browsing. The project’s novel contributions include the design and development of diverse techniques and systems for uncovering the inherent security flaws in the different technologies that power these apps. The project's broader significance and importance lie in the critical positioning of these web and mobile apps within the greater web ecosystem, and the necessity of more robust flaw detection and prevention capabilities. This project explores, measures, and addresses the security flaws that are inherent to the technologies used for developing apps that enable web browsing. This requires implementing novel static and dynamic code and app analysis techniques for detecting security issues that enable a wide range of attacks, from incorrect origin-isolation enforcement to remote code injection and execution. Moreover, the project includes the development of observatories to understand whether these browsing apps are becoming more secure over time and identify new vulnerabilities, in a data-driven fashion. The outcomes of this research strengthen the research community's understanding of the risks of app-driven browsing and provide solutions that improve the security hygiene of the app ecosystem, while being widely disseminated through academic publications, curriculum integration, industry conferences, and media articles.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代网络生态系统由大量的非浏览器应用程序组成，这些应用程序虽然具有处理和呈现网络内容的相同能力，但它们是用不同的技术开发的，表现出不同的功能。在这种新的浏览模式中，应用程序开发人员负责配置和实现传统浏览器中已经标准化的安全特性。如果选择偏离众所周知的默认值，就有可能导致软件配置错误，并最终使用户面临重大的安全风险。这个项目的重点是对现代非浏览器应用程序的特性、功能和能力进行全面深入的分析，这些应用程序允许网页浏览。该项目的新贡献包括设计和开发各种技术和系统，以发现驱动这些应用程序的不同技术中固有的安全漏洞。该项目更广泛的意义和重要性在于这些web和移动应用程序在更大的web生态系统中的关键定位，以及更强大的缺陷检测和预防能力的必要性。该项目探索、测量和解决用于开发web浏览应用程序的技术固有的安全漏洞。这需要实现新颖的静态和动态代码和应用程序分析技术，以检测安全问题，这些安全问题可能会导致广泛的攻击，从错误的来源隔离强制执行到远程代码注入和执行。此外，该项目还包括开发观察站，以了解这些浏览应用程序是否随着时间的推移变得更加安全，并以数据驱动的方式识别新的漏洞。本研究的结果加强了研究界对应用驱动浏览风险的理解，并提供了改善应用生态系统安全卫生的解决方案，同时通过学术出版物、课程整合、行业会议和媒体文章广泛传播。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

ReScan: A Middleware Framework for Realistic and Robust Black-box Web Application Scanning

• DOI: 10.14722/ndss.2023.24169
• 发表时间: 2023
• 期刊: Proceedings 2023 Network and Distributed System Security Symposium
• 作者: Kostas Drakonakis;S. Ioannidis;Jason Polakis

Navigating Murky Waters: Automated Browser Feature Testing for Uncovering Tracking Vectors

航行浑水：用于发现跟踪向量的自动浏览器功能测试

• DOI: 10.14722/ndss.2023.24072
• 发表时间: 2023
• 期刊: Network and Distributed System Security (NDSS
• 作者: Ali, Mir Masood;Chitale, Binoy;Ghasemisharif, Mohammad;Kanich, Chris;Nikiforakis, Nick;Polakis, Jason
• 通讯作者: Polakis, Jason

Escaping the Confines of Time: Continuous Browser Extension Fingerprinting Through Ephemeral Modifications

逃离时间的限制：通过短暂修改进行连续浏览器扩展指纹识别

• DOI: 10.1145/3548606.3560576
• 发表时间: 2022
• 期刊: ACM SIGSAC Conference on Computer and Communications Security (CCS
• 作者: Solomos, Konstantinos;Ilia, Panagiotis;Nikiforakis, Nick;Polakis, Jason
• 通讯作者: Polakis, Jason

Exploring the security and privacy risks of chatbots in messaging services

探索消息服务中聊天机器人的安全和隐私风险

• DOI: 10.1145/3517745.3561433
• 发表时间: 2022
• 期刊: ACM Internet Measurement Conference (IMC
• 作者: Edu, Jide;Mulligan, Cliona;Pierazzi, Fabio;Polakis, Jason;Suarez-Tangil, Guillermo;Such, Jose
• 通讯作者: Such, Jose

When Push Comes to Shove: Empirical Analysis of Web Push Implementations in the Wild

• DOI: 10.1145/3627106.3627186
• 发表时间: 2023-12
• 期刊: Proceedings of the 39th Annual Computer Security Applications Conference
• 作者: Alberto Carboneri;Mohammad Ghasemisharif;Soroush Karami;Jason Polakis