Cross-site request forgeries: Exploitation and prevention (2008)

by W Zeller, E W Felten
Results 1 - 8 of 8

Permission re-delegation: Attacks and defenses

by Adrienne Porter Felt, Steven Hanna, Erika Chin, Helen J. Wang, Er Moshchuk - In 20th Usenix Security Symposium , 2011
Abstract - Cited by 6 (0 self)
Modern browsers and smartphone operating systems treat applications as mutually untrusting, potentially malicious principals. Applications are (1) isolated except for explicit IPC or inter-application communication channels and (2) unprivileged by default, requiring user permission for additional privileges. Although inter-application communication supports useful collaboration, it also introduces the risk of permission re-delegation. Permission re-delegation occurs when an application with permissions performs a privileged task for an application without permissions. This undermines the requirement that the user approve each application's access to privileged devices and data. We discuss permission re-delegation and demonstrate its risk by launching real-world attacks on Android system applications; several of the vulnerabilities have been confirmed as bugs. We discuss possible ways to address permission re-delegation and present IPC Inspection, a new OS mechanism for defending against permission re-delegation. IPC Inspection prevents opportunities for permission re-delegation by reducing an application's permissions after it receives communication from a less privileged application. We have implemented IPC Inspection for a browser and Android, and we show that it prevents the attacks we found in the Android system applications.

Automatic and precise client-side protection against CSRF attacks (downloads: https://distrinet.cs.kuleuven.be/software/CsFire/esorics2011)

by Lieven Desmet, Wouter Joosen, Frank Piessens , 2011
Abstract - Cited by 3 (3 self)
A common client-side countermeasure against Cross Site Request Forgery (CSRF) is to strip session and authentication information from malicious requests. The difficulty, however, is in determining when a request is malicious. Existing client-side countermeasures are typically too strict, thus breaking many existing websites that rely on authenticated cross-origin requests, such as sites that use third-party payment or single sign-on solutions. The contribution of this paper is the design, implementation and evaluation of a request filtering algorithm that automatically and precisely identifies expected cross-origin requests, based on whether they are preceded by certain indicators of collaboration between sites. We formally show through bounded-scope model checking that our algorithm protects against CSRF attacks under one specific assumption about the way in which good sites collaborate cross-origin. We provide experimental evidence that this assumption is realistic: in a data set of 4.7 million HTTP requests involving over 20.000 origins, we only found 10 origins that violate the assumption. Hence, the remaining attack surface for CSRF attacks is very small. In addition, we show that our filtering does not break typical non-malicious cross-origin collaboration scenarios such as payment and single sign-on.

Browser protection against Cross-Site Request Forgery. In Workshop on Secure Execution of Untrusted Code (SecuCode)

by Wim Maes, Thomas Heyman, Lieven Desmet, Wouter Joosen , 2009
Abstract - Cited by 2 (2 self)
As businesses are opening up to the web, securing their web applications becomes paramount. Nevertheless, the number of web application attacks is constantly increasing. Cross-Site Request Forgery (CSRF) is one of the more serious threats to web applications and has gained a lot of attention lately. It allows an attacker to perform malicious, yet authorized, actions originating in the end-user's browser, without the user's knowledge. This paper presents a client-side policy enforcement framework to transparently protect the end-user against CSRF. To do so, the framework monitors all outgoing web requests within the browser and enforces a configurable cross-domain policy. The default policy is carefully selected to operate transparently in a web 2.0 context. In addition, the paper proposes an optional server-side policy to improve the accuracy of the client-side policy enforcement. A prototype is implemented as a Firefox extension and is thoroughly evaluated in a web 2.0 context.

CsFire: Transparent client-side mitigation of malicious cross-domain requests

by Lieven Desmet, Thomas Heyman, Frank Piessens, Wouter Joosen
Abstract - Cited by 2 (1 self)
Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security, or the lack thereof, making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user, without the user's awareness. Existing client-side protection mechanisms do not fully mitigate the problem or degrade the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions. First, a thorough analysis of real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. Evaluation was done using specific CSRF scenarios, as well as in real life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.

HTTP Integrity: A Lite and Secure Web against World Wide Woes

by Taehwan Choi, Mohamed G. Gouda
Abstract
While there is no guarantee of HTTP page integrity, this issue is left unaddressed in discussions of web security. Though HTTPS can be used to solve the HTTP page integrity problem, HTTPS is shunned by web communities due to the performance overheads caused by TLS. Worse yet, HTTPS inherently breaks the distributed nature of the web by disallowing caching. The end-to-end security guarantee of HTTPS only allows web contents served by origin web servers, not caching proxies or Content Delivery Networks (CDN). Unsurprisingly, HTTPS is overkill for many applications and is avoided by many websites. Thus, webpages are completely open to attacks against HTTP page integrity. Based on these observations, we have designed a lite protocol for a secure web, HTTP Integrity (HTTPI). HTTPI relies on HTTPS to share session keys and uses them for keyed-hashing HTTP pages. We show that HTTPI can be reliably used for many applications, since many web attacks target integrity rather than confidentiality. In order to avoid breaking the caching mechanism of the web, we decouple HTTP headers and contents for keyed-hashing. Web servers can cache or precompute content hashes for static contents, and many studies show that dynamic contents can be cached as well. Therefore, the performance degradation caused by HTTPI can go unnoticed by users.

IN A WEB 2.0 CONTEXT

by Wim Maes, K.U. Leuven
Abstract
Master's thesis submitted in fulfilment of the requirements for the degree of Master of Engineering: Computer Science, 2008–2009. Supervisor: Prof. Dr. ir. W. Joosen. © Copyright by K.U.Leuven. Without prior written permission of both the supervisor(s) and the author(s), reproducing, copying, using or realising this publication or parts thereof is prohibited. For requests for, or information concerning, the reproduction and/or use and/or realisation of parts of this publication, contact the Department of Computer Science, Celestijnenlaan 200A, 3001 Leuven, (016) 32 77 00 or via

Instructor:

by Ville Rantala , 2009
Abstract
Applications written with Web technologies are a growing trend. Web technologies include the JavaScript programming language, which has become popular due to its support in modern Web browsers. Today JavaScript is also used to implement installable stand-alone applications in addition to Ajax-style programming. An example of such stand-alone applications is widgets that conform to the W3C Widgets 1.0 specification. Security is a key concern with these kinds of applications because they often have access to sensitive and valuable information through Web or platform interfaces. One of the main challenges is to determine how to establish trust towards an application. Applications can be benevolent or malicious, but the difference is hard for an end-user to tell. Digital signatures and certificates have been used to help end-users make a trust decision and to delegate trustworthiness evaluation to trusted parties. These mechanisms have drawbacks that make application development, distribution and adoption more difficult. In this thesis a new trust establishment mechanism is proposed that helps to deal with the drawbacks. It is based on the Domain Name System and utilizes the originating domain of applications. An implementation of the proposed mechanism is provided on top of the W3C Widgets 1.0 specification, and the implementation is evaluated against design requirements. The new mechanism is recognized to bring many benefits to the different parties of the widget ecosystem.

Application of Machine Learning and Crowdsourcing to Detection of Cybersecurity Threats

by Eugene Fink, Mehrbod Sharifi, Jaime G. Carbonell , 2011
Abstract
We are applying machine learning and crowdsourcing to cybersecurity, with the purpose of developing a toolkit for detection of complex cyber threats, which are often undetectable by traditional tools. It will serve as an "extra layer of armor" that supplements the standard defenses. The initial results include (1) an architecture for sharing security warnings among users and (2) machine learning techniques for identifying malicious websites. The public release of the
Developed at and hosted by The College of Information Sciences and Technology

© 2007-2010 The Pennsylvania State University