
January 14 3:00 pm - 5:00 pm EST

Speaker

Sajjad Arshad, PhD student

Location

ISEC 632

Abstract

Thanks to the wide range of features offered by web browsers, modern websites include various types of content such as JavaScript and Cascading Style Sheets (CSS) in order to create interactive user interfaces. Browser vendors also provide extension mechanisms to enhance web browsers with additional useful capabilities that are not necessarily maintained or supported by default.

However, included content can introduce security risks to users of these websites, unbeknownst to both website operators and users. In addition, the browser's interpretation of a resource URL may be very different from how the web server resolves that URL to determine which resource should be returned to the browser. The URL may not correspond to an actual server-side file system structure at all, or the web server may internally rewrite parts of the URL. This semantic disconnect between web browsers and web servers in interpreting relative paths (path confusion) can be exploited through Relative Path Overwrite (RPO). On the other hand, even though extensions provide useful additional functionality for web browsers, they are also an increasingly popular vector for attacks. Due to the high degree of privilege extensions can hold, they have been abused to inject advertisements into web pages that divert revenue from content publishers and potentially expose users to malware.
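The path-confusion precondition described above (a relative stylesheet reference whose resolved location changes with the document's URL path) can be audited from the publisher's side. The following is an added example written for this page, not code from the talk or from the Excision/OriginTracer work; it uses only the Python standard library. The sample HTML, the page URL and the response headers are constructed inputs, and the "extra path segment" variant is an assumption standing in for a server that serves the same page regardless of trailing path info. It reports relative stylesheet hrefs and checks two widely documented hardening points (a standards-mode doctype and the `X-Content-Type-Options: nosniff` header), which the abstract itself does not enumerate.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class StylesheetLinkParser(HTMLParser):
    """Collect href values of <link rel="stylesheet"> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if "stylesheet" in rel and a.get("href"):
            self.hrefs.append(a["href"])


def is_relative_path(href):
    """True for document-relative hrefs (no scheme, no host, not root-relative)."""
    s = urlsplit(href)
    return not s.scheme and not s.netloc and not href.startswith("/")


def audit_stylesheet_paths(html, page_url):
    """Flag stylesheet hrefs whose resolution depends on the document path.

    For each document-relative href, resolve it once against the page URL as
    served and once against a constructed variant with an extra trailing path
    segment (assumption: the server would still return the same page). If the
    two resolutions differ, the browser's view of the path diverges from the
    server's, which is the path-confusion condition behind RPO.
    """
    parser = StylesheetLinkParser()
    parser.feed(html)
    variant_url = page_url.rstrip("/") + "/extra/"  # constructed variant
    findings = []
    for href in parser.hrefs:
        if not is_relative_path(href):
            continue
        findings.append({
            "href": href,
            "resolved": urljoin(page_url, href),
            "resolved_with_path_info": urljoin(variant_url, href),
            "recommendation": "use a root-relative (/...) or absolute URL",
        })
    return findings


def hardening_status(html, headers):
    """Report two mitigations that limit a browser's willingness to apply
    a non-CSS response as a stylesheet: a standards-mode doctype and nosniff."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return {
        "doctype_present": html.lstrip().lower().startswith("<!doctype html"),
        "nosniff": lowered.get("x-content-type-options") == "nosniff",
    }


# Constructed sample input (not from any real site).
SAMPLE_PAGE_URL = "https://example.test/app/index"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="css/site.css">
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://cdn.example/lib.css">
</head><body></body></html>
"""
SAMPLE_HEADERS = {"Content-Type": "text/html"}  # nosniff deliberately absent


if __name__ == "__main__":
    for f in audit_stylesheet_paths(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"relative stylesheet {f['href']!r}: {f['resolved']} "
              f"vs {f['resolved_with_path_info']} -> {f['recommendation']}")
    print(hardening_status(SAMPLE_HTML, SAMPLE_HEADERS))
```

Only the document-relative `css/site.css` is reported; the root-relative and absolute references resolve identically under both URLs. The hardening check on the sample returns neither mitigation present, since the constructed page has no doctype and the constructed headers omit `X-Content-Type-Options`.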

In this thesis, I propose novel research into understanding and mitigating the security risks of content inclusion in web browsers to protect website publishers as well as their users. First, I introduce an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as web pages are loaded into the user’s browser or during the execution of browser extensions. Then, I propose OriginTracer, an in-browser approach to highlight extension-based content modification of web pages. Finally, I present the first in-depth study of style injection vulnerability using RPO and discuss potential countermeasures.

About the Speaker

Sajjad Arshad is a PhD student in the Systems Security Lab (NEU SecLab). His research is concerned with improving the security of computer systems through the application of secure design principles and the integration of defensive techniques such as attack detection, prevention, and recovery. Some domains he is active in are web security and privacy measurements, static and dynamic analysis techniques for detecting algorithmic complexity vulnerabilities in Java programs, systems security (e.g., CFI, binary exploitation, pwning, reverse engineering), and malware analysis (e.g., botnets, ransomware). Specifically, his research focuses on large-scale web security measurement, primarily using browser instrumentation and distributed crawling.

Committee

  • William Robertson, Northeastern University (advisor)
  • Engin Kirda, Northeastern University (co-advisor)
  • Guevara Noubir, Northeastern University (internal)
  • Gianluca Stringhini, Boston University (external)


Venue

Interdisciplinary Science and Engineering Complex (ISEC)
805 Columbus Avenue
Boston, MA 02120 United States
Phone:
(617) 373-8380

Location

Campus
Boston