Title: Identifying and Mitigating Threats from Embedding Third-Party Content
Wei Meng
Ph.D. Candidate
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Thursday, July 20th, 2017
Time: 10 AM - 12 PM (EDT)
Location: Klaus 3126
Committee:
------------------------
Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Institute of Technology)
Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)
Dr. Taesoo Kim (School of Computer Science, Georgia Institute of Technology)
Dr. Giovanni Vigna (Department of Computer Science, University of California, Santa Barbara)
Dr. Nick Feamster (Department of Computer Science, Princeton University)
Abstract
------------------------
Embedding content from third parties to enrich features is a common practice in the development of modern web applications and mobile applications. Such practices can pose serious security and privacy threats to an end user, because sensitive data about a user in an application can be directly accessed by third-party content that usually operates with the same privilege as first-party content. The confidentiality and integrity of a user’s indirect data, such as a user profile, may also be compromised by such practices.
This dissertation aims to identify new threats posed to end users by the practices of embedding third-party content and develop techniques to mitigate these threats. We first demonstrate how a malicious first-party application can either pollute or infer a user’s indirect data in a third-party service or application by embedding it, and propose defense techniques to mitigate these two new classes of threats. We then study how over-privileged third-party JavaScript code accesses a user’s direct data in a web application in general through a large-scale measurement.
This dissertation also aims to design mechanisms that enable end users and developers to limit the privilege of third-party content to prevent unintended behaviors. First, we present TrackMeOrNot, a client-side tracking control mechanism that allows end users to selectively opt out of third-party web tracking based on their demand. Second, we propose a fine-grained permission mechanism for web applications to restrict the privilege of third-party JavaScript code.