Language-Based Security and Privacy in Web-driven Systems

Detailed bibliography
Title: Language-Based Security and Privacy in Web-driven Systems
Authors: Ahmadpanah, Seyed Mohammad Mehdi, 1996
Source: WebSec: Säkerhet i webb-drivna system.
Subjects: Sandboxing, Information-flow control, Modular programming, Browser extensions, Trigger-action platforms, Data minimization, Language-based security and privacy
Description: Modular programming is a core principle in software development, which demands reducing design complexity through independent code modules. A prime example of modular programming is systems offering various services and applications accessible through the web. Their complex nature, heavy dependence on third-party modules, and large user base call for principled approaches to user security and privacy. This thesis focuses on securing web-driven systems, practically targeting Trigger-Action Platforms (TAPs) and browser extensions. Both increasingly popular systems empower users to develop and publish applications that enhance digital lives through smart automation and personalized web browsing, respectively. Our approach to software security and privacy is through the lens of programming-language techniques. We identify vulnerabilities in popular TAP applications and prevent malicious behavior by sandboxing and fine-grained access control. To minimize data access for TAPs with user-configured applications, we also present a construction-by-design paradigm for on-demand data minimization using lazy computation. Besides access control and minimization, we study how sensitive information is processed once access is granted, using information-flow analysis. We identify privacy risks in browser extensions, such as exfiltration of cookies and browsing history over the network. We develop a static analysis framework to track flows from user-sensitive data to network requests in browser extensions. Moreover, we revisit information-flow policies that are not necessarily transitive, supporting coarse-grained policies where security labels are specified at the level of modules. We leverage flow-sensitive type systems to enforce granular security in module-based systems.
File description: electronic
Access URL: https://research.chalmers.se/publication/542268
https://research.chalmers.se/publication/542268/file/542268_Fulltext.pdf
Database: SwePub
Permalink: https://erproxy.cvtisr.sk/sfx/access?url=https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=edsswe&AN=edsswe.oai.research.chalmers.se.bd0ad783.eac9.4485.8ceb.3a3e3fbd5743
Language: English
Published: 2024-01-01
Local identifiers (issn-locals): SWEPUB_FREE, CTH_SWEPUB