Topic Descriptions and Seminar Paper Objectives
|
Topic Title |
Tutor |
Description |
Seminar Paper Objective |
|---|---|---|---|
| Security and Privacy Implications of JavaScript Bundling | Cris | JavaScript bundling is a software development practice that involves merging multiple source code files into a single one, to minimize network traffic. This process also applies code transformation techniques like minimization to reduce the size of the code or more aggressive compiler optimizations, e.g., that remove dead code. Since the merged code comes from different origins, JavaScript bundling has multiple negative implications on existing analysis techniques, such as making code attribution or content blocking ineffective. Recent work studies these unwanted effects and proposes improvements to existing program analysis techniques. | Study the process of JavaScript bundling in detail and present the typical structure of a bundle. Summarize prior work on bundling’s correctness and implications. Survey the literature to identify prior web measurement studies whose results might be negatively impacted by not considering bundling. For each work, discuss how easy it is to add support for bundling. |
| Browser Extensions Fingerprinting | Shubham | The prevalence of browser extensions has only grown over recent times in the Web ecosystem given that they provide with varied set of features to their users. They perform security-critical or privacy-sensitive operations on the browser and are often exposed to the user data. Thus, any vulnerabilities with extensions could have serious repercussions for their users. Recently, researchers also discovered many different ways through which extensions could allow tracking websites to uniquely identify users based on the their behavior on the client side. | Understanding of the browser extension architecture. Familiarity with the prior research studies focused on the attacking and defensive aspects of browser extension fingerprinting. Knowledge on the various ways by which extension could be fingerprinted, the efficiency of the vectors and their comparative or contrasting features. Understanding on whether the current extension architecture and various fingerprinting defense techniques could safeguard against such privacy issues on the Web in current situation. |
| Detection of Malicious Web Extensions | Valentino | Browser extensions provide powerful customization but can pose significant security and privacy risks. Detecting malicious extensions is challenging due to diverse abuse patterns and the difficulty of distinguishing malicious from benign behavior. As detection methods improve, malicious actors continue to evolve their techniques. This creates an ongoing challenge to stay ahead of emerging threats while maintaining a balance between security and the legitimate functionality that the extensions provide. We will study two papers where static, dynamic analysis, and user feedback monitoring are used to detect common malicious behaviors while minimizing false positives. | Understand the architecture of web extensions and reason on a set of possible malicious behaviors. Identify the main aspects of static vs dynamic approaches in the analysis of extensions (strengths vs weaknesses). Understand the role of extensions APIs and discuss how analysis for maliciousness could be driven by the higher relevance that these part of the code have. |
| (Geo)Location-based Accessibility Hurdles | Masud | International sanctions have a profound impact on digital access, particularly in countries such as Cuba, Iran, and Russia, where geoblocking practices severely restrict internet connectivity and limit access to online services. These restrictions utilize various mechanisms across the network stack, including DNS failures, IP-based blocking, and deceptive HTTP(S) status codes, which obscure the true reasons for denied access. Such practices hinder users' ability to obtain information, participate in the global economy, and engage with digital services, resulting in a fragmented online experience. Additionally, socioeconomic factors—such as economic stability, government regulations, and technological infrastructure—play a crucial role in shaping these hurdles, leading to significant disparities in digital inclusion between developed and developing regions. This topic aims to explore the difficulties users face from different regions, identify the key factors contributing to these challenges, discuss potential strategies to mitigate these issues, and suggest ways to address them effectively. | Analyze the impact of international sanctions on digital access and examine the effects of geoblocking practices on internet connectivity. Identify different geoblocking mechanisms used at various layers of the network stack, such as DNS failures, deceptive HTTP(S) status codes, and IP-based filtering. Understand how socioeconomic factors, including economic indices, influence web accessibility and digital inclusion. Evaluate the strengths and limitations of current mitigation strategies and explore potential improvements to reduce digital discrimination and enhance equitable access for users in sanctioned regions. |
| Access Control Vulnerabilities in Web Applications | Alex | The rapid growth of modern web applications has created new challenges in ensuring secure access control. As these platforms handle vast amounts of sensitive information, the intricacies of access control policies have become increasingly complex. The potential consequences of broken access control are alarming: access to private data, executing actions on behalf of other users and gaining access to restricted functionality. According to the OWASP Top 10 2021, broken access control is the most common vulnerability, prompting researchers to develop automated tools to detect and prevent such violations. | Using the presented papers as the entry point, comprehensively review the existing research papers to enumerate and summarize the main challenges in the automated detection of broken access control vulnerabilities. Identify and analyze various approaches proposed to address these challenges. The focus will be on highlighting the strengths and weaknesses of each technique, including their potential limitations and areas for further improvement. |
| The LoggedIn Web: A New Security Frontier | Jannis | Most web security research studies the Web in an unauthenticated manner: Fresh, anonymous browser profiles are used to measure security vulnerabilities on websites. However, many attacks have a much higher impact on logged-in users. In addition, everyday surfers are logged in to many websites and create a rich browser profile over time, which is not reflected in a fresh browser profile. More recently, various frameworks for semi-automatic registration and login were developed. These were used to study the security of the login process and compare the security landscape between logged-in users and unauthenticated users. | Survey the literature for research related to the security of logged-in users, the login process itself, and related account functionality such as password resets. Which challenges did works automating account creation and login face and how did they overcome it? Which security issues related to logged-in users and the account system did these works discover? Which aspects of the account system and the security of logged-in users was not yet studied in depth? |
| Type Confusion in Gradually Typed Languages | Dominic | The dynamic nature of modern programming languages such as JavaScript and Python not only offers developers lots of freedom and flexibility, but also gives rise to issues such as type confusion. Type confusion vulnerabilities occur when there is a mismatch between a piece of data’s expected and actual data type at runtime. These vulnerabilities can act as building block for larger attacks, e.g.., enabling attackers to circumvent input validation mechanisms and to hijack the control flow. More recently, gradual typing has emerged as a middleground between the flexibility of dynamic typing and the type safety of static typing. But does gradual typing actually help preventing type confusion in practice? Or could it possibly make it even worse? |
- Introduce and frame the problem: Present technical terms you are going to use in the paper. Show that you understand type confusion and gradual typing. - Type-related issues: Discuss type confusion and how it can be detected by presenting the follow-up paper concisely but in-depth. Collect other kinds of type-related issues from related work and compare them to type confusion in terms of attack vector, threat model, potential consequences. Also discuss how type-related issues, especially type confusion can act as building blocks for larger attacks. - Gradual typing enabling type issues: Discuss the main paper in-depth. Show you understand how gradual typing can affect type safety. Furthermore, assess and discuss proposed countermeasures/improvements to current implementations of gradual typing. Can you think of other solutions? - Critical discussion: 1) Discuss the trade-off between flexibility and security in dynamically/gradually typed languages. Do we need more or less flexibility? 2)Critically assess both the main and follow-up papers and discuss major strengths and weaknesses. 3) Discuss/propose directions for future work on the type safety of gradually typed languages. |
| Automatic Exploit Generation | Dominic | Automatic exploit generation is a well-known technique for reducing false alerts of static analyses by producing ready-to-use payloads without human intervention. However, due to the complexities of the JavaScript language, such as the weak type system or the over-reliance on dynamic features, automatic exploit generation saw limited adoption for code written in this language. Recent work proposes leveraging unit tests or the recent advances in fuzzing to successfully synthesize exploits automatically for JavaScript code. | Study the two assigned papers in detail to understand the challenges the JavaScript language poses for automatic exploit generation. Survey the literature for other successful applications of automatic exploit generation beyond JavaScript and discuss how easy it is to adopt each of these techniques to the web/JavaScript. Discuss the remaining open challenges, the relation to automatic testing, and the pros and cons of using machine learning in this context. |
| Phishing Detection | Giada | Phishing attacks are a significant and growing threat in cybersecurity, causing substantial harm to individuals and organizations. Reference-based phishing detectors identify phishing webpages by comparing their content to a predefined list of known brand references, such as logos and domain names. Two research papers introduce innovative solutions—DynaPhish and KnowPhish—that enhance detection by dynamically expanding brand reference lists and utilizing multimodal data, including text processed by large language models. These approaches address challenges like identifying phishing webpages targeting unknown or emerging brands and detecting brandless phishing attempts with convincing explanations. |
- Introduce and frame the problem. Be sure to present all concepts and technical elements you are going to discuss in a later paper section. Show you understand phishing attacks, also including their many facets (e.g. logo problems as highlighted in the seminar papers, possibly also other facets as e.g. multi-step attacks, different distribution vectors or evasion techniques). Finally, present a methodology of how you selected the papers you'll discuss below. (2 pages) |
| Security of Emerging JavaScript Runtimes | Abdullah | Node.js and other traditional JavaScript runtimes are exposing a large attack surface to the users. Emerging JavaScript runtimes like Bun or Deno propose several techniques to mitigate the risks of JavaScript runtimes and their engines, starting from implementing their APIs with memory-safe programming language or building more sophisticated supply chain to avoid certain attacks. Recently, researchers are investigating these emerging runtimes to see to which extend are they safer in comparison to traditional JavaScript ones and what do these emerging runtimes sacrifice to provide higher level of security. | Explain the pros and cons of Deno’s permissions system, e.g., usability vs security. Describe how Deno managed to reduce the attack surface and why it might fail against other types of attacks, e.g., against supply chain. Elaborate why decentralized supply chains would be a better alternative to the traditional supply chain, and what are the possible risks on JavaScript ecosystem. Finally, understand why Deno failed to fully prevent from prototype chain attacks and how does this vulnerability affect other runtimes (see the follow-up paper). Discuss potential ways to harden or improve emerging JavaScript runtimes by relating to prior work on engine fuzzing. |
| Web Security for Visually Impaired Users | Andrea | Visually impaired users face unique challenges when navigating web security warnings, which traditionally rely heavily on visual indicators such as color contrasts (red), iconography (riangles, exclamation marks), and spatial arrangement (e.g. at the center of the screen). These warnings are crucial for alerting users to potential phishing attacks and other security threats. However, their effectiveness is often compromised for users with visual impairments due to the reliance on visual cues. This topic will explore the existing methodologies in warning systems and discuss how these can be adapted or redesigned to improve accessibility and protection for visually impaired users. |
Assess the effectiveness and accessibility of web security warnings for visually impaired users and explore alternative mechanisms or enhancements. The paper should: - Review the limitations of current web security warnings (mostly visual). - Investigate existing research and proposed/deployed solutions for visually impaired users. - Gather recommendations for making web security warnings more inclusive, focusing on non-visual warning mechanisms that can be integrated into existing systems. |