Collaborative Research: SaTC: CORE: Medium: App-driven Web Browsing: Novel Risks, Vulnerabilities, and Defenses

Sponsor: National Science Foundation

Award Number: 2211576

PI: Manuel Egele

Abstract:

The modern web ecosystem comprises a multitude of non-browser applications that can process and render web content just as browsers do, yet are built with different technologies and exhibit different capabilities. In this browsing paradigm, app developers are responsible for configuring and implementing security features (origin isolation, for example) that traditional browsers standardize and enable by default. The option to deviate from these well-known defaults can open their software to misconfigurations and ultimately expose users to significant security risks. This project provides a holistic and in-depth analysis of the features, functionality, and capabilities of modern non-browser apps that allow web browsing. The project’s novel contributions include the design and development of diverse techniques and systems for uncovering the inherent security flaws in the different technologies that power these apps. The project’s broader significance lies in the critical positioning of these web and mobile apps within the greater web ecosystem, and in the need for more robust flaw detection and prevention capabilities.
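
The paragraph above names the core issue: a non-browser app must opt back into protections that a browser ships with, and the developer is the one who has to get that right. The Android WebView snippet below is an added illustration and is not code from this project or from any app it studied. It shows a weak configuration beside a hardened one: the weak one disables file-URL isolation, accepts any TLS certificate, and exposes a native bridge to whatever page loads; the hardened one restores the browser defaults and confines navigation (and therefore access to the bridge) to an allowlist of trusted origins. The package name, class names, and the trustedHosts allowlist are assumptions.

```java
// Added example (not from the NSF project or any app it studied): an Android
// WebView host that re-enables the browser-standard protections an app
// developer is otherwise responsible for. Package and class names are assumed.
package com.example.appbrowser;

import android.net.Uri;
import android.net.http.SslError;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

import java.util.Locale;
import java.util.Set;

public final class WebViewHardening {

    /** Native functionality reachable from page JavaScript through the bridge. */
    static final class NativeBridge {
        private final WebView host;
        NativeBridge(WebView host) { this.host = host; }

        @JavascriptInterface
        public void showMessage(String text) {
            // Bridge methods run on a background thread; touch the UI via post().
            host.post(() -> Toast.makeText(host.getContext(), text, Toast.LENGTH_SHORT).show());
        }
    }

    /**
     * Weak configuration: protections a browser applies by default are switched
     * off or bypassed. Any page this view navigates to (a file:// page, or a page
     * served by a man-in-the-middle with a bogus certificate) can read local files
     * over XHR and call NativeBridge methods.
     */
    public static void configureInsecure(WebView view) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);      // file:// pages may read other local files
        s.setAllowUniversalAccessFromFileURLs(true); // ... and any origin, via XHR
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
        view.addJavascriptInterface(new NativeBridge(view), "Android");
        view.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError error) {
                handler.proceed(); // accepts any certificate: TLS no longer authenticates the server
            }
        });
    }

    /**
     * Hardened configuration: restore the browser defaults and confine the view
     * (and the bridge it exposes) to an allowlist of trusted https origins.
     */
    public static void configureHardened(WebView view, Set<String> trustedHosts) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(true);                // still needed for the bridge
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        view.addJavascriptInterface(new NativeBridge(view), "Android");
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest request) {
                // Returning true blocks the navigation: only https navigations to
                // trusted hosts may load in this view and thereby reach the bridge.
                return !isTrustedOrigin(request.getUrl(), trustedHosts);
            }
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError error) {
                handler.cancel(); // keep the browser behaviour: fail closed
            }
        });
    }

    /** Origin check: https only, exact host match, default port only. */
    static boolean isTrustedOrigin(Uri url, Set<String> trustedHosts) {
        if (url == null || !"https".equalsIgnoreCase(url.getScheme())) return false;
        String host = url.getHost();
        if (host == null) return false;
        int port = url.getPort();                    // -1 when no explicit port is present
        if (port != -1 && port != 443) return false;
        return trustedHosts.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

Two caveats a reviewer would raise on the hardened variant: shouldOverrideUrlLoading governs top-level navigations only, so scripts, iframes and other subresources embedded by a trusted page are not filtered here (that needs shouldInterceptRequest or a server-side Content-Security-Policy on the trusted host), and any script that does execute inside an allowed page, including third-party includes, can still call the bridge. The initial loadUrl the app issues is also not routed through this callback and must itself point at a trusted origin.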

This project explores, measures, and addresses the security flaws that are inherent to the technologies used for developing apps that enable web browsing. This requires implementing novel static and dynamic code and app analysis techniques for detecting security issues ranging from incorrect origin-isolation enforcement to remote code injection and execution. Moreover, the project develops observatories that track, in a data-driven fashion, whether these browsing apps are becoming more secure over time and that identify new vulnerabilities as they appear. The outcomes of this research strengthen the research community’s understanding of the risks of app-driven browsing and provide solutions that improve the security hygiene of the app ecosystem, disseminated through academic publications, curriculum integration, industry conferences, and media articles.

This award reflects NSF’s statutory mission and has been deemed worthy of support through evaluation using the Foundation’s intellectual merit and broader impacts review criteria.