4 research outputs found

    JShelter: Give Me My Browser Back

    The Web is used daily by billions. Even so, users are not protected from many threats by default. This position paper builds on previous web privacy and security research and introduces JShelter, a webextension that fights to return the browser to users. Moreover, we introduce a library helping with common webextension development tasks and fixing loopholes misused by previous research. JShelter focuses on fingerprinting prevention, limitations of rich web APIs, prevention of attacks connected to timing, and learning information about the computer, the browser, the user, and surrounding physical environment and location. We discovered a loophole in the sensor timestamps that lets any page observe the device boot time if sensor APIs are enabled in Chromium-based browsers. JShelter provides a fingerprinting report and other feedback that can be used by future security research and data protection authorities. Thousands of users around the world use the webextension every day

    Breaking boundaries: analysis of the interfaces between applications, systems and enclaves

    Application interfaces allow apps to communicate with each other or use resources. Several platforms, namely: browser, mobile and computer, offer various instances of these interfaces at different architecture levels. The interfaces range from simply sending and receiving data to accessing hardware resources. Due to the increase in introducing services across several platforms, there has been limited research on the impact of interference between services and interfaces. Additionally, platforms provide permissions and policies that serve as an authorisation layer to counter the rising security issues of these interfaces. In this thesis, we aim to tackle this issue and contribute to this research area by analysing a subset of these interfaces, addressing their common weaknesses in their respective platform, and assessing their attack surface. In the first part of the thesis, we study and evaluate interfaces for the browser platform: local schemes in mobile browsers and hardware application programming interfaces (APIs) in desktop browsers. Our study demonstrates several security issues within these interfaces, ranging from spoofing to privilege escalation. As a result, introducing components like new input methods, output methods, internal processes, and different contexts is crucial in affecting interface security. In the second part, we move to the mobile platform. We analyse the security of the mobile app interfaces. We consider new services like background restriction policy and multi-user profile features that interfere with mobile interfaces. Our study demonstrates threats that bypass the proposed security models of these services. We find that evaluating new services and understanding their correlation with existing interfaces is essential to introduce them to a platform. Finally, in the third part of the thesis, we focus on analysing the trusted execution environment (TEE) platform. 
    Previous studies show substantial efforts to ensure secure, trusted shielding runtime. However, its attack surface is not generally understood. Therefore, we evaluate the security of enclave interfaces and their TEE applications, namely remote attestation. We present a side-channel attack in the Intel SGX enclave that leaks confidential data and demonstrate weaknesses in the design of hardware-based remote attestation protocols: Samsung Knox V2 and Key attestation. We conclude that the area of interface security is vast. Platforms regularly introduce components like input methods, output methods, internal services and different contexts. Introducing these components to the platforms increases its attack surface. Furthermore, these components shape a complex factor in evaluating these interfaces. Platform developers should be aware of such an issue, and new methods need to be proposed to assess the attack surfaces of these interfaces.

    Web observations: analysing Web data through automated data extraction

    In this thesis, a generic architecture for Web observations is introduced. Beginning with fundamental data aspects and technologies for building Web observations, requirements and architectural designs are outlined. Because Web observations are basic tools to collect information from any Web resource, legal perspectives are discussed in order to give an understanding of recent regulations, e.g. General Data Protection Regulation (GDPR). The general idea of Web observatories, its concepts, and experiments are presented to identify the best solution for Web data collections and based thereon, visualisation from any kind of Web resource. With the help of several Web observation scenarios, data sets were collected, analysed and eventually published in a machine-readable or visual form for users to be interpreted. The main research goal was to create a Web observation based on an architecture that is able to collect information from any given Web resource to make sense of a broad amount of yet untapped information sources. To find this generally applicable architectural structure, several research projects with different designs have been conducted. Eventually, the container based building block architecture emerged from these initial designs as the most flexible architectural structure. Thanks to these considerations and architectural designs, a flexible and easily adaptable architecture was created that is able to collect data from all kinds of Web resources. Thanks to such broad Web data collections, users can get a more comprehensible understanding and insight of real-life problems, the efficiency and profitability of services as well as gaining valuable information on the changes of a Web resource

    The seven deadly sins of the HTML5 WebAPI: a large-scale study on the risks of mobile sensor-based attacks

    Modern smartphone sensors can be leveraged for providing novel functionality and greatly improving the user experience. However, sensor data can be misused by privacy-invasive or malicious entities. Additionally, a wide range of other attacks that use mobile sensor data have been demonstrated; while those attacks have typically relied on users installing malicious apps, browsers have eliminated that constraint with the deployment of HTML5 WebAPI. In this article, we conduct a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users by conducting a large-scale study of mobile-specific HTML5 WebAPI calls across more than 183K of the most popular websites. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. In detail, our system intercepts and tracks data access in real time, from the WebAPI JavaScript calls down to the Android system calls. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one sensor. To provide a comprehensive assessment of the risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites can carry out at least one attack and emphasize the need for a standardized policy across all browsers and the ability for users to control what sensor data each website can access.

    Presented on: ACM Transactions on Privacy and Securit