Topic Descriptions and Seminar Paper Objectives
Topic Title |
Tutor |
Description |
Seminar Paper Objective |
|||
---|---|---|---|---|---|---|
Web Security Scanners | Alex | Web security scanners are core tools in black-box testing. Starting from the seed URL, they iteratively explore the web application and identify the vulnerabilities. However, the increasing complexity of modern web applications creates new challenges for web security scanners, such as client-side navigation, multi-step workflows, and the exponential growth of application states. Recent works have proposed novel solutions to the challenges, aiming to improve the vulnerability detection of web security scanners. | - Describe the typical architecture of black-box web security scanners. - Build a methodology to enumerate the black-box web security scanners presented in scientific literature and execute it. - Identify the main challenges of black-box web security scanning using the collected papers. - For each challenge, analyze and compare the solutions proposed in the previous works based on their strengths and limitations. - Propose a future direction for the black-box web security scanners. |
|||
Type Confusion in Gradually Typed Languages | Dominic | The dynamic nature of modern programming languages such as JavaScript and Python not only offers developers lots of freedom and flexibility, but also gives rise to issues such as type confusion. Type confusion vulnerabilities occur when there is a mismatch between a piece of data’s expected and actual data type at runtime. These vulnerabilities can act as building block for larger attacks, e.g.., enabling attackers to circumvent input validation mechanisms and to hijack the control flow. More recently, gradual typing has emerged as a middleground between the flexibility of dynamic typing and the type safety of static typing. But does gradual typing actually help preventing type confusion in practice? Or could it possibly make it even worse? |
- Introduce and frame the problem: Present technical terms you are going to use in the paper. Show that you understand type confusion and gradual typing. - Type-related issues: Discuss type confusion and how it can be detected by presenting the follow-up paper concisely but in-depth. Collect other kinds of type-related issues from related work and compare them to type confusion in terms of attack vector, threat model, potential consequences. Also discuss how type-related issues, especially type confusion can act as building blocks for larger attacks. - Gradual typing enabling type issues: Discuss the main paper in-depth. Show you understand how gradual typing can affect type safety. Furthermore, assess and discuss proposed countermeasures/improvements to current implementations of gradual typing. Can you think of other solutions? - Critical discussion: 1) Discuss the trade-off between flexibility and security in dynamically/gradually typed languages. Do we need more or less flexibility? 2)Critically assess both the main and follow-up papers and discuss major strengths and weaknesses. 3) Discuss/propose directions for future work on the type safety of gradually typed languages. |
|||
Electron Application Security | Shubham | Browser-based cross-platform applications, in the form of Electron applications, have gained significant traction in recent times. However, these electron applications are also susceptible to most security and privacy vulnerabilities associated with the native Web applications of the past and the present. The relatively complex architecture and the nature of data withheld or accessed by these electron applications on the users' machine, makes them an interesting target for malicious actors on the Web. | Understanding of the electron application architecture and its components. Familiarity with the prior research studies focused on the threat surface of Electron apps. Understanding of the transferability of different vulnerabilities associated with native Web applications to the Electron ecosystem and its implications. A holistic view of the current state (in terms of S&P) of the Electron architecture and (known) ways and strategies towards secure development of such applications. | |||
Implications of Digital Disparities on Web Security and Privacy | Masud | Developers around the world face significant hurdles that impact their ability to build secure, privacy-conscious, and accessible web applications. For example, in economically disadvantaged regions, developers often struggle with limited access to the internet, outdated infrastructure, and a lack of affordable tools and resources, which can hinder their ability to stay up-to-date with emerging technologies and best practices. Prior web security and privacy measurements often limit themselves to globally popular websites (e.g. security header deployment, third-party tracking, privacy policies, etc.) and do not weigh in the geo-difference factor and the influence of the local policies, which may lead to significant deviation from the observed behavior and trends among globally popular websites. This topic aims to explore how socio-economic factors affect web security and privacy. | The main objective of the seminar paper is to investigate regional disparities in web experiences and measurements. First, the paper should perform a thorough investigation and listing of various potential security and privacy related differences among websites in different parts of the world. The paper should carefully study prior work on the effect of geolocation on web security and privacy, including but not limited to work on censorship, content filtering, adoption of security mechanisms, and privacy policies. Second, it should perform a root cause analysis of the influencing factors and the underlying reasons behind these differences, as reported by prior studies in this direction. For example, software engineering practices in developing countries might be influenced by resource limitations, which in turn might affect web accessibility, leading to inequities in how users from different regions experience and interact with online platforms. Finally, discuss the challenges of performing holistic security and privacy measurements that also incorporate local factors and nuances of individual websites. | |||
Detection of Malicious Browser Extensions | Valentino | Browser extensions provide powerful customization but can pose significant security and privacy risks. Detecting malicious extensions is challenging due to diverse abuse patterns and the difficulty of distinguishing malicious from benign behavior. As detection methods improve, malicious actors continue to evolve their techniques. This creates an ongoing challenge to stay ahead of emerging threats while maintaining a balance between security and the legitimate functionality that the extensions provide. We will study two papers where static, dynamic analysis, and user feedback monitoring are used to detect common malicious behaviors while minimizing false positives. | Understand the architecture of browser extensions and reason on a set of possible malicious behaviors. Identify the main features that can be considered in the analysis of extensions. Define the main aspects of static vs dynamic approaches (strengths vs weaknesses). Understand the role of extensions APIs and discuss how analysis for maliciousness could be driven by the higher relevance that these part of the code have. | |||
AI-Based Analysis | Gianluca |
Analyzing web applications is a complex and time-consuming task that requires a high level of human expertise. To address these challenges, the community has explored the adoption of machine learning to automate aspects of web application analysis. In this session, we’ll take a look at two papers that leverage AI-based approaches to detect vulnerabilities in web applications. |
This seminar paper aims to explore the challenges and limitations of traditional security analysis methods and examine how modern AI techniques are being used to overcome them.The paper will outline the shortcomings of conventional approaches, explaining why these issues are difficult or impossible to solve with traditional tools alone and will make a case for why AI-driven solutions offer a promising alternative. The paper will also examine current trends in the field, highlighting how technologies like Machine Learning, Deep Learning, and large language models (LLMs) are being applied to web security analysis and how they’re pushing the field forward. |
|||
The Dangers of Shared State in Extended Reality Environment | Andrea | Extended reality (XR) leverages existing technology and protocols to maintain and transmit real-time updates about players and objects to all participants in a shared virtual environment. The real-time nature of these interactions introduces specific security vulnerabilities, including the potential for message tampering and unauthorized information access. | - Investigation of the current technologies used in virtual platforms to offer this real time communication. - Identify through literature search the problems and attacks related to this collaborative shared state. - Discussion of the implementation challenges and possible defenses towards the attacks happening in platforms and the attacks presented in literature. |
|||
Security of Emerging JavaScript Runtimes | Abdullah | Node.js and other traditional JavaScript runtimes are suffering from various attacks, well documented in the literature. Emerging runtimes like Bun or Deno propose several techniques to mitigate the risks of JavaScript runtimes and their engines, starting from implementing their APIs with memory-safe programming language or building more sophisticated supply chain to avoid certain attacks. Recently, researchers are investigating these emerging runtimes to see to which extend are they safer in comparison to traditional JavaScript ones and what do these emerging runtimes sacrifice to provide higher level of security. This seminar paper should discuss the particularities of emerging JavaScript runtimes and to which degree prior work in the field can be directly applied or extended. | Explain the pros and cons of Deno’s permissions system, e.g., usability vs security. Describe how Deno managed to reduce its attack surface when compared to Node.js and why it might be insufficient against certain known attacks, e.g., regular expression denial of service. Elaborate on why decentralized supply chains would be a better alternative to the traditional supply chain, and what are the possible risks for the JavaScript ecosystem. Finally, understand why Deno failed to fully prevent prototype chain attacks and how does this vulnerability affect other runtimes (see the follow-up paper). Discuss potential ways to harden or improve emerging JavaScript runtimes by relating to prior work on engine fuzzing. | |||
Security and Privacy of Multilingual Web | Cris | While the web was traditionally dominated by English content, in recent years, we have seen a lot of interest in internationalization, with millions of websites delivering content in local languages other than English. This has non-negligible implications for security and privacy practices. For example, passwords or privacy policies of non-English websites are very different than their English counterparts. Input validation or sanitization is also directly impacted by internalization support, and even bugs arise from widespread Unicode adoption. This topic studies the effect of internationalization on security and privacy tools, measurements, and development practices. | The main objective of this seminar paper is to discuss how the shift towards a multilingual web impacts existing security practices, prior empirical measurements, or software engineering processes. The paper should explain how this shift affects prior work on accessibility, web development, privacy analysis/communication, input validation, password policies, crawling, heuristics in program analysis, and penetration testing. For each category, the paper should discuss a couple of academic papers whose results might be impacted by the lack of support for internationalization. Finally, the paper should discuss the challenges of performing multilingual web measurements and ways of improving the support of internationalization in web development. | |||
Offensive and Defensive Security with Service Workers | Dolière | Service workers (SWs) are at the heart of progressive web applications. They facilitate many advanced features such as offline browsing, web push notifications, seamless user experiences, access to a programmable cache, and other advanced client-side storage. Beyond traditional web apps, SWs also power Manifest V3 WebExtensions and edge Cloudflare workers. Most prior work has demonstrated different abuses of service workers’ features. Recently, attempts have been made to leverage service workers to advance web security. | 1. Master the specific capabilities and privileges of service workers 2. Comprehend the different possible abuses of service workers 3. Devise defensive strategies for/based on service workers |
|||
Automatic Exploit Generation | Dominic | Automatic exploit generation is a well-known technique for reducing false alerts of static analyses by producing ready-to-use payloads without human intervention. However, due to the complexities of the JavaScript language, such as the weak type system or the over-reliance on dynamic features, automatic exploit generation saw limited adoption for code written in this language. Recent work proposes leveraging unit tests or the recent advances in fuzzing to successfully synthesize exploits automatically for JavaScript code. | Study the two assigned papers in detail to understand the challenges the JavaScript language poses for automatic exploit generation. Survey the literature for other successful applications of automatic exploit generation beyond JavaScript and discuss how easy it is to adopt each of these techniques to the web/JavaScript. Discuss the remaining open challenges, the relation to automatic testing, and the pros and cons of using machine learning in this context. | |||
Access Control Vulnerabilities in Web Applications | Alex | The rapid growth of modern web applications has created new challenges in ensuring secure access control. As these platforms handle vast amounts of sensitive information, the intricacies of access control policies have become increasingly complex. The potential consequences of broken access control are alarming: access to private data, executing actions on behalf of other users and gaining access to restricted functionality. According to the OWASP Top 10 2021, broken access control is the most common vulnerability, prompting researchers to develop automated tools to detect and prevent such violations. | Using the presented papers as the entry point, comprehensively review the existing research papers to enumerate and summarize the main challenges in the automated detection of broken access control vulnerabilities. Identify and analyze various approaches proposed to address these challenges. The focus will be on highlighting the strengths and weaknesses of each technique, including their potential limitations and areas for further improvement. |