*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Title: Identifying and Mitigating Threats from Embedding Third-Party Content
Wei Meng
Ph.D. student
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Thursday, December 15th, 2016
Time: 1 PM - 3 PM (EST)
Location: Klaus 3126
Committee:
------------------------
Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology) Dr. Giovanni Vigna (Department of Computer Science, University of California, Santa Barbara) Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)
Abstract
------------------------
Embedding content from third parties to enrich features is a common practice in the development of modern web applications and mobile applications. Such practices can pose very serious security and privacy threats, because third-party content usually operates with the same privilege as first-party content and is not well isolated. Some threats are not previously known because of the uses of emerging technologies such as tracking, profiling and personalization.
This thesis has identified two new classes of threats caused by malicious first-party applications that embed third-party content, and proposed defense techniques to mitigate these threats. In particular, we show that the personalization systems of popular websites can be abused by a malicious publisher to pollute a user’s profile. In addition, we demonstrate that a malicious Android application can infer a user’s profile that is already learned by third-party ad networks.
This thesis also aims to design mechanisms that enable end-users and developers to limit the privileges of third-party content to prevent unintended behaviors. First, this thesis presents TrackMeOrNot, a client-side anti-tracking mechanism that allows end-users to selectively opt out of third-party web tracking based on their demand and cloak their privacy sensitive browsing activities. Second, we plan to design and implement a new permission mechanism for web applications to address the limitations of existing web permission mechanisms, which offer only all-or-nothing restriction.
