Web-based applications executed via web browsers are ubiquitous in everyday life. They underlie our banking, communications, shopping, social networking, tax payments, insurance transactions, and health care interactions. Unfortunately, malicious actors can take advantage of vulnerabilities in web browsers to exploit the user's computer. The consequences of a web browser attack can be severe: web content can execute arbitrary code on the victim's machine. This research project studies how web applications use the features provided by web browsers and how user systems can be protected by restricting unnecessary browser features.
This project addresses web browser security by reducing the browser feature footprint, thereby reducing the browser attack surface and mitigating many classes of attacks. The researchers are building a feature-instrumented browser that reports what functionality is used by a web application. Then, they leverage that information to automatically identify when web applications diverge from their expected behavior and attack the user's browser. To enable users to use the most up-to-date browsers, while protecting them from unnecessary and risky browser features, the research team is building a system to decouple features from the browser.
