Collaborative Research: SaTC: CORE: Medium: App-driven Web Browsing: Novel Risks, Vulnerabilities, and Defenses

协作研究：SaTC：核心：中：应用程序驱动的网络浏览：新的风险、漏洞和防御

• 批准号: 2211575
• 负责人: Nick Nikiforakis
• 金额: $ 34.91万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2026-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2211575&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

The modern web ecosystem is comprised of a multitude of non-browser applications that, while having the same ability to process and render web content, are developed with different technologies and exhibit different capabilities. In this new browsing paradigm, app developers are responsible for configuring and implementing security features that are already standardized in traditional browsers. The option to deviate from well-known defaults has the potential of opening their software to misconfigurations and ultimately exposing users to significant security risks. This project focuses on providing a holistic and in-depth analysis of the features, functionality, and capabilities of modern non-browser apps that allow web browsing. The project’s novel contributions include the design and development of diverse techniques and systems for uncovering the inherent security flaws in the different technologies that power these apps. The project's broader significance and importance lie in the critical positioning of these web and mobile apps within the greater web ecosystem, and the necessity of more robust flaw detection and prevention capabilities. This project explores, measures, and addresses the security flaws that are inherent to the technologies used for developing apps that enable web browsing. This requires implementing novel static and dynamic code and app analysis techniques for detecting security issues that enable a wide range of attacks, from incorrect origin-isolation enforcement to remote code injection and execution. Moreover, the project includes the development of observatories to understand whether these browsing apps are becoming more secure over time and identify new vulnerabilities, in a data-driven fashion. The outcomes of this research strengthen the research community's understanding of the risks of app-driven browsing and provide solutions that improve the security hygiene of the app ecosystem, while being widely disseminated through academic publications, curriculum integration, industry conferences, and media articles.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代Web生态系统由大量非浏览器应用程序组成，这些应用程序虽然具有相同的处理和呈现Web内容的能力，但使用不同的技术开发并展示不同的功能。在这种新的浏览模式中，应用程序开发人员负责配置和实现传统浏览器中已经标准化的安全功能。偏离众所周知的默认值的选项有可能使其软件出现错误配置，并最终使用户面临重大的安全风险。这个项目的重点是提供一个全面和深入的分析功能，功能和现代非浏览器应用程序，允许Web浏览的能力。该项目的新贡献包括设计和开发各种技术和系统，以发现这些应用程序所使用的不同技术中的固有安全缺陷。该项目更广泛的意义和重要性在于这些Web和移动的应用程序在更大的Web生态系统中的关键定位，以及更强大的缺陷检测和预防功能的必要性。 该项目探索，测量和解决用于开发支持Web浏览的应用程序的技术所固有的安全缺陷。这需要实施新颖的静态和动态代码和应用程序分析技术，以检测导致各种攻击的安全问题，从不正确的源隔离实施到远程代码注入和执行。此外，该项目还包括开发观察站，以了解这些浏览应用程序是否随着时间的推移变得更加安全，并以数据驱动的方式识别新的漏洞。这项研究的成果加强了研究界对应用驱动浏览风险的理解，并提供了改善应用生态系统安全卫生的解决方案，同时通过学术出版物，课程整合，行业会议，该奖项反映了NSF的法定使命，并通过使用基金会的智力价值进行评估，更广泛的影响审查标准。

项目成果

Double and Nothing: Understanding and Detecting Cryptocurrency Giveaway Scams

Double and Nothing：了解和检测加密货币赠品诈骗

• DOI: 10.14722/ndss.2023.24584
• 发表时间: 2023
• 期刊: Proceedings of the Network and Distributed System Security Symposium (NDSS
• 作者: Li, Xigao;Yepuri, Anurag;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick

AnimateDead: Debloating Web Applications Using Concolic Execution

AnimateDead：使用 Concolic 执行消除 Web 应用程序的膨胀

• 发表时间: 2023
• 期刊: Proceedings of the USENIX Security Symposium
• 作者: Amin Azad, Babak;Jahanshahi, Rasoul;Tsoukaladelis, Chris;Egele, Manuel;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick

Navigating Murky Waters: Automated Browser Feature Testing for Uncovering Tracking Vectors

航行浑水：用于发现跟踪向量的自动浏览器功能测试

• DOI: 10.14722/ndss.2023.24072
• 发表时间: 2023
• 期刊: Network and Distributed System Security (NDSS
• 作者: Ali, Mir Masood;Chitale, Binoy;Ghasemisharif, Mohammad;Kanich, Chris;Nikiforakis, Nick;Polakis, Jason
• 通讯作者: Polakis, Jason

Escaping the Confines of Time: Continuous Browser Extension Fingerprinting Through Ephemeral Modifications

逃离时间的限制：通过短暂修改进行连续浏览器扩展指纹识别

• DOI: 10.1145/3548606.3560576
• 发表时间: 2022
• 期刊: ACM SIGSAC Conference on Computer and Communications Security (CCS
• 作者: Solomos, Konstantinos;Ilia, Panagiotis;Nikiforakis, Nick;Polakis, Jason
• 通讯作者: Polakis, Jason

The More Things Change, the More They Stay the Same: Integrity of Modern JavaScript

事物变化越多，它们就越保持不变：现代 JavaScript 的完整性

• DOI: 10.1145/3543507.3583395
• 发表时间: 2023
• 期刊: Proceedings of the ACM Web Conference (WWW
• 作者: So, Johnny;Ferdman, Michael;Nikiforakis, Nick
• 通讯作者: Nikiforakis, Nick