Improving Security and Privacy of Integrated Web Applications
Zhou, Yuchen, Computer Engineering - School of Engineering and Applied Science, University of Virginia
Evans, David, Department of Computer Science, University of Virginia
Modern applications integrate third-party services for easier development, additional functionality (e.g., connecting with social network identities), and extra revenue (e.g., advertising networks). This integration, however, presents risks to application integrity and user privacy. This research addresses integrated applications that incorporate two types of third-party services: (1) services from trusted providers that provide security-critical functionalities to an application such as Single Sign-On (SSO), and (2) services from untrusted providers that incorporate other services such as analytics and advertisements. Unlike traditional library inclusions, integrated applications present new challenges due to the opaqueness of third-party back end services and platform runtimes.
For the first type of integration, we assume a benign service provider and our goal is to eliminate misunderstandings between the service provider and the application developer that may lead to security vulnerabilities in the implementation. We advocate for a systematic approach to discover implicit assumptions that uses an iterative process to refine system models and uncover needed assumptions. To better understand the prevalence of discovered vulnerabilities at large scale, we developed an automated vulnerability scanner, SSOScan, that can be deployed in an application marketplace or as a stand-alone service. This testing framework can drive the application automatically and check if a given application is vulnerable by carrying out simulated attacks and monitoring application traffic and behavior, and we have used it to automatically find serious vulnerabilities in hundreds of websites.
The nature of modern web application development presents major challenges for security. Although developers are prone to make mistakes when integrating third-party components, the systematic analysis approach, automatic scanners, and developer tools we present can significantly increase a developer's confidence in the security and privacy of integrated applications.
PHD (Doctor of Philosophy)
Web Application Security, Third-party Service Security
All rights reserved (no additional license for public reuse)