<![CDATA[PhD Defense by Wei Meng]]>

Title: Identifying and Mitigating Threats from Embedding Third-Party Content


Wei Meng

Ph.D. Candidate

School of Computer Science

College of Computing

Georgia Institute of Technology


Date: Thursday, July 20th, 2017

Time: 10 AM - 12 PM (EDT)

Location: Klaus 3126


Committee:

------------------------

Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology)

Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)

Dr. Taesoo Kim (School of Computer Science, Georgia Institute of Technology)

Dr. Giovanni Vigna (Department of Computer Science, University of California, Santa Barbara)

Dr. Nick Feamster (Department of Computer Science, Princeton University)


Abstract

------------------------

Embedding content from third parties to enrich features is a common practice in the development of modern web applications and mobile applications. Such practices can pose serious security and privacy threats to an end user, because sensitive data about a user in an application can be directly accessed by third-party content that usually operates with the same privilege as first-party content. The confidentiality and integrity of a user’s indirect data, such as a user profile, may also be compromised by such practices.


This dissertation aims to identify new threats posed to end users by the practices of embedding third-party content and develop techniques to mitigate these threats. We first demonstrate how a malicious first-party application can either pollute or infer a user’s indirect data in a third-party service or application by embedding it, and propose defense techniques to mitigate these two new classes of threats. We then study how over-privileged third-party JavaScript code accesses a user’s direct data in a web application in general through a large-scale measurement.


This dissertation also aims to design mechanisms that enable end users and developers to limit the privilege of third-party content to prevent unintended behaviors. First, we present TrackMeOrNot, a client-side tracking control mechanism that allows end users to selectively opt out of third-party web tracking based on their demand. Second, we propose a fine-grained permission mechanism for web applications to restrict the privilege of third-party JavaScript code.


]]>