Program Transformation for Secure and Sustainable Web Applications

Weihang Wang, Purdue University

Abstract

Web advertising is a multi-billion-dollar industry. As a primary source of income for many Internet companies, web advertising (ads) has a profound impact on the security and sustainability of today’s web ecosystem. Web advertising, however, is extremely complex and highly vulnerable to attacks. In fact, attackers using the web advertising system as a channel to spread malware has become some of today’s largest web-based attacks. To protect users from malicious advertising, we develop a memory randomization system, PAD, that effectively prevents malicious advertising (malvertising) attacks exploiting zero-day vulnerabilities. To reduce the risk of malicious ads and remove unwanted ads, recent studies show a rapidly increasing number of web users are using ad blockers to block online advertisements. In the long run, blocking ads will devastate the entire web ecosystem by destroying the business model on which many Internet companies rely. To support a sustainable web ecosystem, we develop WebRanz, a web page randomization technique for circumventing ad blocking software to retain publishers’ ad revenue. WebRanz is able to circumvent the state-of-the-art ad blockers on a large number of popular websites while faithfully retaining the appearances and functionalities of these websites. In addition, modern browsers have a highly concurrent page rendering process in order to be more responsive. Such concurrent execution models frequently lead to web concurrency bugs. These bugs can cause severe problems including permanent data corruption on servers, denial of service, privilege escalation, etc. To solve the various concurrency issues on the web, we introduce an innovative scheme, ARROW, that leverages constraint-solving to fix real-world concurrency bugs in a safe and cost-effective fashion.

Degree

Ph.D.

Advisors

Eugster, Purdue University.

Subject Area

Computer science

COinS