Towards Secure and Private Modern Web Applications
面向安全和隱私保護的現代網站應用
Student thesis: Doctoral Thesis
Author(s)
Related Research Unit(s)
Detail(s)
Awarding Institution | |
---|---|
Supervisors/Advisors | |
Award date | 18 Mar 2021 |
Link(s)
Permanent Link | https://scholars.cityu.edu.hk/en/theses/theses(40089cd6-fabe-4bbe-a23c-7c63c36424cf).html |
---|---|
Abstract
Web applications play a significant role in many areas and usually handle private user data such as credentials or credit card numbers, which raises severe privacy concerns. Because of the broad ecosystem of modern web applications, private data passes through more processing stages, including browser extensions and middleboxes. While this is highly beneficial, users take on more risk of data exfiltration and of a wide range of web attacks, which restricts usage scenarios. Existing works have effectively combated various web attacks, such as SQL injection, XSS, CSRF, etc. Nonetheless, web attackers will keep trying new strategies that fully consider every part of the web ecosystem and construct comprehensive attacks to compromise user data.
This dissertation presents practical designs and implementations to enable security and privacy in web applications from diverse perspectives of web systems. First, we adopt a novel approach to protect user secrets from malicious browser extensions, where we additionally consider the problem of privileged extensions on the side of web applications. Our proposed work is the first software-based and universal solution that empowers web application providers to restrict the privileges of malicious extensions. Second, to enable safe browsing, we present a privacy-preserving platform to help users identify malicious URLs during browsing. It bridges the client application that uses the service and the blacklist providers who supply unsafe URLs, while guaranteeing the privacy of both users and third-party blacklist providers. Third, we propose the first secure Deep Packet Inspection system that enables outsourced middleboxes to perform privacy-preserving inspections over encrypted traffic while providing strong protection for both packet payloads and inspection rules. Benefiting from an elaborate encrypted high-performance filter, our proposed middlebox supports broad inspection rules while maintaining high throughput and low memory consumption. This line of research emphasizes practical application for both academia and industry. Extensive evaluations illustrate that the proposed solutions would significantly advance the security and privacy of user browsing in daily life.
- web security, browser extension, safe browsing, outsourced middlebox