As the Web is playing a more and more important role in our lives, it has become criminals' preferred targets. Web-based vulnerabilities now outnumber traditional computer security concerns. We believe that the root cause of many of these attacks is the Web's current access control models: they are fundamentally inadequate to satisfy the protection needs of today's web.
The objective of this project is to re-design the access control models for the Web to fix the security problems at the fundamental level. We target two essential components of the Web infrastructure: browser and database. We have designed a generic access control model for web browsers to enforce the browser-side access control needs of web applications. The model replaces the web's current Same Origin Policy (SOP) model, which is the culprit of many of the security problems. The success of this task will help significantly reduce the number of security problems at the browser side. We have also designed DAC-DB, a Discretionary Access Control (DAC) model for database to automate the enforcement of DAC in web applications. With this model, web application developers can be liberated from implementing the complicated and error-prone security enforcement logics. Both access control models are designed based on the well-established security principles. To help disseminate our results, we will implement our designs for open-source web browsers and databases, and persuade the web community to adopt our models. The outcome of this research will also be converted to hands-on labs to enhance students' learning in system security.
The main objective of this project is to improve the access control of the Web, in both traditional and mobile platforms. In the traditional platform, we have made the following discoveries. First, we linked many of the common security flaws made by web application developers to the stateless nature of the web, i.e., the design of the web architecture actually made it more difficult to develop secure code. That's why there are more vulnerabilities in web applications than those in the traditional applications. Second, based on this understanding, we have proposed and developed more effective access control systems for the web system, including browser and server. Through our evaluation, we have demonstrated that the number of security flaws will significantly drop if the web had adopted such an access control system. In the mobile platforms, people browse the Web mostly through dedicated mobile applications, instead of using browsers. This drastic difference (from the traditional platform) is enabled by mobile OS's decision to integrate the web browsing functionalities into mobile apps. We are the first group to study the security risks of such an app-web integration; we have identified several significant security problems through systematic studies. Our discoveries pointed out that in order to enable the seamless integration, some of the important security features implemented by the traditional browsers are weakened unintentionally. This could lead to severe problems in the future. The discovery was reported to Google, which, as results, provides us with a small gift grant to continue the research. Some of the decisions made by the later versions of Android are influenced by this work. The paper of this work is also frequently downloaded and cited by other researchers. Although the above discovery sounds severe when it was reported, the evidences were not sufficient to show that the potential problems were real; it was just a scientific prediction. Two years later, our prediction comes true. A new type of apps, called HTML5-based apps, are using the app-web integration feature, without realizing the weakened security feature. This type of apps are becoming more and more popular due to their portability advantages. Unfortunately, due to the weakening of the security features in the app-web integration, these apps, as we have discovered, are subject to a new type of code-injection attacks. The severe consequence is that if an app simply scans a QR code, reads an SMS message, plays MP3 songs or MP4 videos, or just looks for free Wi-Fi access points, they can be attacked. We have found over 400 vulnerable apps from our collection of 17,000 apps. To reach out to app developers as broadly as we can, in addition to the conventional academic venues, we, teaming up with the news media specialists in our university, reported our story to news media. Our story were successfully picked up by a number of news channels, potentially reaching out to many app developers. We have also developed countermeasures for the above problem, and made them freely available to developers. We have reached out to those who develop the frameworks for the HTML5-based apps, offering them the suggestions and patches to improve their frameworks against the attacks. In order to provide research training to undergraduate students, the project involved 5 undergraduate students in its life time, two of which are from under-represented minority groups. Three students plan to pursue a graduate degree due to their experiences in this project. The work produced by this research has been integrated to the Computer Security course that the PI has been teaching, potentially benefiting many students in the years to come. The PI also developed hands-on lab exercises based on the work from this project, and these labs are being used by the instructors from many other schools.
