Computer Science and
I'm a security researcher with broad interests in systems, networks, and software.
I break things, and then fix them.
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Extensions provide useful additional functionality for web browsers, but are
also an increasingly popular vector for attacks. Due to the high degree of
privilege extensions can hold, extensions have been abused to inject
advertisements into web pages that divert revenue from content publishers and
potentially expose users to malware. Users are often unaware of such practices,
believing the modifications to the page originate from publishers.
Additionally, automated identification of unwanted third-party modifications is
fundamentally difficult, as users are the ultimate arbiters of whether content
is undesired in the absence of outright malice.
To resolve this dilemma, we present a fine-grained approach to tracking the
provenance of web content at the level of individual DOM elements. In
conjunction with visual indicators, provenance information can be used to
reliably determine the source of content modifications, distinguishing
publisher content from content that originates from third parties such as
extensions. We describe a prototype implementation of the approach called
OriginTracer for Chromium, and evaluate its effectiveness, usability, and
performance overhead through a user study and automated experiments. The
results demonstrate a statistically significant improvement in the ability of
users to identify unwanted third-party content such as injected ads with modest
The lab has two papers at Financial Crypto this year:
Excision, our system for in-browser detection of malware using
inclusion sequence analysis, and CuriousDroid, our system for
intelligently exercising mobile applications to improve dynamic analysis.
Ahmet and I will be presenting CrossFire at Black Hat
Asia in Singapore in March. CrossFire is a new attack against
Firefox that leverages extension reuse to bypass the extension vetting
process, which is the main line of defense against malicious Firefox
An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages
Web applications have become an integral part of the daily lives of millions of
users. Unfortunately, web applications are also frequently targeted by
attackers, and attacks such as XSS and SQL injection are still common.
In this paper, we present an empirical study of more than 7000 input validation
vulnerabilities with the aim of gaining deeper insights into how these common
web vulnerabilities can be prevented. In particular, we focus on the
relationship between the specific programming language used to develop web
applications and the vulnerabilities that are commonly reported. Our findings
suggest that most SQL injection and a significant number of XSS vulnerabilities
can be prevented using straight-forward validation mechanisms based on common
data types. We elaborate on these common data types, and discuss how support
could be provided in web application frameworks.