Protecting Incorrectly Implemented Web Applications From Online Adversaries

2018-11-14T18:57:15Z (GMT) by Eric Y. Chen
Implementation errors are commonly found in modern web applications. They can be caused by a multitude of factors, including weaknesses in browsers' security policies and developers' misinterpretations of web protocols (e.g., OAuth and OpenID). In this thesis, we show that even under the assumption that web applications are implemented incorrectly, their security can be improved on two fronts: 1) enhancing the application isolation mechanism of web browsers, and 2) securing inter-application communication protocols via program verification. For 1), we created a mechanism called App Isolation to enhance isolation boundaries of web applications running inside a browser. For 2), we created a formal verification framework called Certification of Symbolic Transaction (CST) that verifies the security properties of every web transaction on-the-fly by invoking static verification at runtime. The threat model we consider in this thesis is the standard web attacker with additional capabilities of a malicious user.

The two defenses proposed in this thesis are lightweight and backward compatible. App Isolation can be deployed as an opt-in feature for websites; and we have applied CST to five commercially deployed applications to secure APIs from well-known companies including Facebook, Amazon, PayPal, and Microsoft.