14828 Browser Security

Schedule & Readings

You are usually only required to read one paper for each class. Any additional papers listed are optional.

Check back regularly for updates to the schedule.

unit	date	topic	instr.	reading	notes
Unit 1: Introduction
	1/16/17	Introduction I
	1/18/17	Introduction II
Unit 2: Browser Components
	1/23/17	Policies		[1] [2] [3]
	1/25/17	Frames		[4] [5] [6]
	1/30/17	Cookies		[7]
Unit 3: Better browser architecture
	2/1/17	Browser vulnerability mitigation I		[8] [9]	HW1 out
	2/6/17	Browser vulnerability mitigation II		[10] [11]
	2/8/17	Isolation and sandboxing		[12] [13]	Spectre and Meltdown
Unit 4: Project
	2/13/17	Project proposal
	2/15/17	Project proposal			HW1 due
Unit 5: Extensions
	2/20/17	Browser extension architecture		[14] [15]	Security indicators in browsers (teach in SV)
	2/22/17	Test 1			HW2 out
	2/27/17	Extension Vulnerabilities		[16] [17] [18]	Security issues of HTML5 local storage
Unit 6: Privacy
	3/1/17	Tracking		[19] [20] [21]	Private browsing mode (SV)
	3/6/17	Browser fingerprinting		[22] [23]	Do Not Track (SV)
Unit 7: Other vulnerabilities
	3/8/17	Heap spray attacks		[24] [25]	HW2 due , HW3 out
	3/13/17	No class, spring break
	3/15/17	No class, spring break
	3/20/17	Midterm project presentation
	3/22/17	Midterm project presentation
	3/27/17	Protocol attack 1		[26] [27]	Attacks through Scalable Vector Graphics (SVG) and Explaining DNS rebinding attacks (SV)
	3/29/17	Protocol attack 2		[28]	HTTPS traffic interception (SV)
Unit 8: Information flow browsers
	4/3/17	Flowfox		[29]	Malvertising
	4/5/17	Taint tracking		[30] [31]	Address bar spoofing on mobile browsers on Android
	4/10/17	Information flow browsers		[32] [33]	BeEF the Browser Exploitation Framework
Unit 9: Advanced topics
	4/12/17	Formal models and verification		[34]	Angler exploit kit
	4/17/17	Test 2
	4/19/17	no class, carnival
	4/24/17	Presentations			Web cloaking, High-profile spear-phishing attacks,NSAs FOXACID project,Browser Wars,Domain Fronting
	4/26/17	Leveraging Browser Infrastructure to Improve Security		[35] [36]	Guest Lecture
Unit 10: Wrapping up
	5/1/17	Project presentation
	5/3/17	Project presentation

[1]	Reining in the web with content security policy. Stamm Sid, Sterne Brandon and Markham Gervase. In Proceedings of the 19th International Conference on World Wide Web, 2010.
[2]	On the incoherencies in web browser access control policies. Singh Kapil, Moshchuk Alexander, Wang Helen J., and Lee Wenke. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, 2010.
[3]	Same-origin policy: evaluation in modern browsers. Jorg Schwenk, Marcus Niemietz and Christian Mainka. In 26th USENIX Security Symposium (USENIX Security 17), 2017.
[4]	Busting frame busting: a study of clickjacking vulnerabilities at popular sites. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson. In IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010), 2010.
[5]	Securing frame communication in browsers. Barth Adam, Jackson Collin and Mitchell John C.. In Proceedings of the 17th Conference on Security Symposium, 2008.
[6]	The postman always rings twice: attacking and defending postmessage. Sooel Son and Vitaly Shmatikov. In 20th Annual Network and Distributed System Security Symposium, NDSS, 2013.
[7]	Cookies lack integrity: real-world implications. Zheng Xiaofeng, Jiang Jian, Liang Jinjin, Duan Haixin, Chen Shuo, Wan Tao, and Weaver Nicholas. In Proceedings of the 24th USENIX Conference on Security Symposium, 2015.
[8]	Secure web browsing with the op web browser. Grier Chris, Tang Shuo and King Samuel T.. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, 2008.
[9]	A safety-oriented platform for web applications. Cox Richard S., Gribble Steven D., Levy Henry M., and Hansen Jacob Gorm. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, 2006.
[10]	The multi-principal os construction of the gazelle web browser. Wang Helen J., Grier Chris, Moshchuk Alexander, King Samuel T., Choudhury Piali, and Venter Herman. In Proceedings of the 18th Conference on USENIX Security Symposium, 2009.
[11]	The security architecture of the chromium browser. Adam Barth, Charles Reis, Collin Jackson, and Google Chrome Team Google Inc.. 2008.
[12]	Automated analysis of security-critical javascript apis. Taly Ankur, Erlingsson \'Ulfar, Mitchell John C., Miller Mark S., and Nagra Jasvir. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, 2011.
[13]	Native client: a sandbox for portable, untrusted x86 native code. Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Orm, Shiki Okasaka, Neha Narula, Nicholas Fullagar, and Google Inc. In Proceedings of the 2009 IEEE Symposium on Security and Privacy, 2009.
[14]	An evaluation of the google chrome extension security architecture. Carlini Nicholas, Felt Adrienne Porter and Wagner David. In Proceedings of the 21st USENIX Conference on Security Symposium, 2012. USENIX Association.
[15]	Protecting browsers from extension vulnerabilities. Adam Barth, Adrienne Porter Felt, Prateek Saxena, and Aaron Boodman. In Proceedings of the Network and Distributed System Security Symposium, 2010.
[16]	Analyzing the dangers posed by Chrome extensions. Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, and Yuan Tian. In Proceedings of the IEEE Conference on Communications and Network Security, 2014.
[17]	Hulk: eliciting malicious behavior in browser extensions. Kapravelos Alexandros, Grier Chris, Chachra Neha, Kruegel Christopher, Vigna Giovanni, and Paxson Vern. In Proceedings of the 23rd USENIX Conference on Security Symposium, 2014.
[18]	Crossfire: an analysis of firefox extension-reuse vulnerabilities. Ahmet Buyukkayhan, Kaan Onarlioglu, William Robertson, and Engin Kirda. In Proceedings of the Network and Distributed System Security Symposium, 2016.
[19]	Detecting and defending against third-party tracking on the web. Roesner Franziska, Kohno Tadayoshi and Wetherall David. In Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation, 2012.
[20]	Online tracking: a 1-million-site measurement and analysis. Englehardt Steven and Narayanan Arvind. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016.
[21]	Cookies that give you away: the surveillance implications of web tracking. Englehardt Steven, Reisman Dillon, Eubank Christian, Zimmerman Peter, Mayer Jonathan, Narayanan Arvind, and Felten Edward W.. In Proceedings of the 24th International Conference on World Wide Web, 2015.
[22]	How unique is your web browser? Eckersley Peter. In Proceedings of the 10th International Conference on Privacy Enhancing Technologies, pages 1–18, 2010.
[23]	Cookieless monster: exploring the ecosystem of web-based device fingerprinting. Nikiforakis Nick, Kapravelos Alexandros, Joosen Wouter, Kruegel Christopher, Piessens Frank, and Vigna Giovanni. In Proceedings of the 2013 IEEE Symposium on Security and Privacy,
[24]	Zozzle: fast and precise in-browser javascript malware detection. Curtsinger Charlie, Livshits Benjamin, Zorn Benjamin, and Seifert Christian. In Proceedings of the 20th USENIX Conference on Security, 2011.
[25]	The devil is in the constants: bypassing defenses in browser JIT engines. Michalis Athanasakis, Elias Athanasopoulos, Michalis Polychronakis, Georgios Portokalidis, and Sotiris Ioannidis. In Proceedings of the Network and Distributed System Security Symposium, 2015.
[26]	Dynamic pharming attacks and locked same-origin policies for web browsers. Karlof Chris, Shankar Umesh, Tygar J. D., and Wagner David. In Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007.
[27]	Pretty-bad-proxy: an overlooked adversary in browsers' https deployments. Chen Shuo, Mao Ziqing, Wang Yi-Min, and Zhang Ming. In Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, 2009.
[28]	A messy state of the union: taming the composite state machines of tls. Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, 2015.
[29]	Flowfox: a web browser with flexible and precise information flow control. De Groef Willem, Devriese Dominique, Nikiforakis Nick, and Piessens Frank. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, 2012.
[30]	Information flow control for event handling and the dom in web browsers. Rajani Vineet, Bichhawat Abhishek, Garg Deepak, and Hammer Christian. In Proceedings of the 2015 IEEE 28th Computer Security Foundations Symposium, 2015.
[31]	Information flow control in webkit’s javascript bytecode. Rajani Vineet, Bichhawat Abhishek, Garg Deepak, and Hammer Christian. In Proceedings of International Conference on Principles of Security and Trust, 2014.
[32]	Run-time monitoring and formal analysis of information flows in chromium. Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, Michael Stroucken, and Yuan Tian. In Proceedings of the Network and Distributed System Security Symposium, 2015.
[33]	Protecting users by confining javascript with cowl. Stefan Deian, Yang Edward Z., Marchenko Petr, Russo Alejandro, Herman Dave, Karp Brad, and Mazi\'eres David. In Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation, 2014.
[34]	Establishing browser security guarantees through formal shim verification. Jang Dongseok, Tatlock Zachary and Lerner Sorin. In Proceedings of the 21st USENIX Conference on Security Symposium, 2012.
[35]	Fast, lean, and accurate: Modeling password guessability using neural networks. William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. In Proceedings of the 25th USENIX Security Symposium, 2016.
[36]	Riding out DOMsday: Toward detecting and preventing DOM cross-site scripting. William Melicher, Anupam Das, Mahmood Sharif, Lujo Bauer, and Limin Jia. In Proceedings of the 25th Network and Distributed System Security Symposium, 2018.