Mitigating information manipulation

Xing, Xinyu

07 January 2016

The advent of information services introduces many advantages, for example, in trade, production and services. While making important descisons today, people increasingly rely on the information gleaned from such services. Presumably, as such, information from these services has become a target of manipulation. During the past decade, we have already observed many forms of information manipulation that misrepresents or alters reality. Some popular manipulation -- we have ever witnessed on the Internet -- include using black hat SEO techniques to drive up the ranking of a disreputable business, creating disinformative campaigns to conceal political dissidence, and employing less-than-honest product assessments to paint a rosy picture for inferior wares. Today, emerging web services and technologies greatly facilitated and enhanced people's lives. However, these innovations also enrich the arsenal of manipulators. The sheer amount of online information available today can threaten to overwhelm any user. To help ensure that users do not drown in the flood of information, modern web services are increasing relying upon personalization to improve the quality of their customers' experience. At the same time, personalization also represents new ammunition for all manipulators seeking to steer user eyeballs, regardless of their intents. In this thesis, I demonstrate a new unforeseen manipulation that exploits the mechanisms and algorithms underlying personalization. To undermine the effect of such manipulation, this thesis also introduces two effective, efficient mitigation strategies that can be applied to a number of personalization services. In addition to aforementioned personalization, increasingly prevalent browser extensions augment the ability to distort online information. In this thesis, I unveil an overlooked but widespread manipulation phenomenon in which miscreants abuse the privilege of browser extensions to tamper with the online advertisement presented to users. Considering that online advertising business is one of the primary approaches used to monetize free online services and applications available to users, and reckless ad manipulation may significantly roil advertising ecosystem, this thesis scrutinizes the potential effect of ad manipulation, and develops a technical approach to detect those browser extensions that falsify the ads presented to end users. Although the thesis merely discusses several manipulation examples in the context of the Internet, the findings and technologies presented in this thesis introduce broad impacts. First, my research findings raise Internet users' awareness about pervasive information manipulation. Second, the proposed technologies help users alleviate the pernicious effects of existing information manipulation. Finally, accompanying the findings and technologies is publicly available open-source software and tools that will help an increasing number of users battle against the growing threat of information manipulation.

Information manipulation

Information security

Personalization systems

Web browser

Securing Script-based Extensibility in Web Browsers

Djeric, Vladan

15 January 2010

Web browsers are increasingly designed to be extensible to keep up with the Web's rapid pace of change. This extensibility is typically implemented using script-based extensions. Script extensions have access to sensitive browser APIs and content from untrusted web pages. Unfortunately, this powerful combination creates the threat of privilege escalation attacks that grant web page scripts the full privileges of script extensions and control over the entire browser process. This thesis describes the pitfalls of script-based extensibility based on our study of the Firefox Web browser, and is the first to offer a classification of script-based privilege escalation vulnerabilities. We propose a taint-based system to track the spread of untrusted data in the browser and to detect the characteristic signatures of privilege escalation attacks. We show that this approach is effective by testing our system against exploits in the Firefox bug database and finding that it detects the vast majority of attacks with no false alarms.

web browser

browser extensions

privilege escalation

JavaScript

Firefox

vulnerability

0984

Securing Script-based Extensibility in Web Browsers

Djeric, Vladan

15 January 2010

Web browsers are increasingly designed to be extensible to keep up with the Web's rapid pace of change. This extensibility is typically implemented using script-based extensions. Script extensions have access to sensitive browser APIs and content from untrusted web pages. Unfortunately, this powerful combination creates the threat of privilege escalation attacks that grant web page scripts the full privileges of script extensions and control over the entire browser process. This thesis describes the pitfalls of script-based extensibility based on our study of the Firefox Web browser, and is the first to offer a classification of script-based privilege escalation vulnerabilities. We propose a taint-based system to track the spread of untrusted data in the browser and to detect the characteristic signatures of privilege escalation attacks. We show that this approach is effective by testing our system against exploits in the Firefox bug database and finding that it detects the vast majority of attacks with no false alarms.

web browser

browser extensions

privilege escalation

JavaScript

Firefox

vulnerability

0984

Detekce podezřelých síťových požadavků webových stránek / Detection of Suspicious Requests Made by Web Pages

Pohner, Pavel

January 2020

The purpose of this thesis is to prevent websites located in public internet from accessing user's internal network through web browser. Acquired knowdledge about modern browser's security mechanism - same-origin policy and options of implementing the web browser extensions using WebExtensions, was used in the solution. Proposed solution is based on WebRequest API, which intercepts and modifies HTTP requests, and extends functionality of existing browser extension JavaScript Restrictor with the ability to detect and prevent the browser to be abused as a proxy for scanning and accessing user's internal network. The implemented solution was tested and accepted as a part of JavaScript Restrictor. The main benefit of this thesis is the protection from possible abusement of a web browser as a proxy, which is not present in existing extensions.

Visualisering av och mätning i punktmoln : En jämförelse av fyra mjukvaror

Niklasson, Pierre, Kalén, Niclas

January 2017

In this thesis, various software for point cloud visualization has been investigated. Laser scanning is widely used to create three-dimensional models, but there is a lack of software for visualization. Point clouds usually have a large file size and need convenient methods for visualization and presentation to third parties. The development of browsers means that there are good opportunities today to visualize point clouds on web-based services. The purpose has been to investigate professional software with open source and free software in how they manage to visualize, measure and present point clouds. Details in point clouds is controlled by its point density. Higher point density will result in better details but will take longer time to scan and requires more storage space. The density of the point cloud is controlled by the requirement from the client. It is not certain that a high point density is necessary to strive for considering it will result in more data to handle. The software that has been investigated is Autodesk ReCap, Leica Truview, Pointscene and Potree, and they have all been compared to Leica Cyclone. Only three of them have been able to read the PTS-file format, while Potree and Truview have received the point cloud converted and exported to their proprietary file formats. The comparison between the softwares was mainly based on differences in length measurements, as angle and area-specific tools are not available in all softwares. The length measurements were repeated 30 times and it is the average and the uncertainty for each software that has been used in the comparison. The survey shows that there are small differences between the software except for Truview, which is the only software with significant deviations from Cyclone. There is not any significant differences in length measurements that arise when there have been conversions to Potree. Pointscene and Potree have visual similarities, Pointscene is however the preferred software because its own servers available which simplifies sharing point clouds to other users.

point cloud

web-browser

uncertainty

visualization

punktmoln

webbläsare

osäkerhet

visualisering

Other Civil Engineering

Annan samhällsbyggnadsteknik

Automatizace webového prohlížeče / Web Browser Automation

Bastl, Vojtěch

January 2019

This work deals with the automation of a web browser - the tools that allow programmatic control of the program for browsing the web pages. First, it discusses the existing solutions with focus on the tools from the Selenium Suite family and PhantomJS. Further, the internal representation of the web pages in the Gecko and WebKit browser engines is discussed. The work then focuses on the web browser application interface available for client-side scripting. The relevant standards are discussed as well. The core part of the thesis is dedicated to the design and implementation of a tool that allows to control a browser using the Selenium WebDriver tool and to extract data about the targert web page. The work presents an internal architecture, configuration files and the application interface of the designed tool. The topic of extracting detailed data about the page and its transformation to a unified structured description is covered as well. Finally, the performed unit tests and tests on real web pages are described.

Vizualizace rozsáhlých grafových dat na webu / Large Graph Data Visualisation on the Web

Jarůšek, Tomáš

January 2020

Graph databases provide a form of data storage that is fundamentally different from a relational model. The goal of this thesis is to visualize the data and determine the maximum volume that current web browsers are able to process at once. For this purpose, an interactive web application was implemented. Data are stored using the RDF (Resource Description Framework) model, which represents them as triples with a form of subject - predicate - object. Communication between this database, which runs on server and client is realized via REST API. The client itself is then implemented in JavaScript. Visualization is performed by using the HTML element canvas and can be done in different ways by applying three specially designed methods: greedy, greedy-swap and force-directed. The resulting boundaries were determined primarily by measuring time complexities of different parts and were heavily influenced by user's goals. If it is necessary to visualize as much data as possible, then 150000 triples were set to be the limiting volume. On the other hand, if the goal is maximum quality and application smoothness, then the limit doesn't exceed a few thousand.

MiniSIP as a Plug-in

Arumugam Mathivanan, Arun

January 2012

Internet telephony has rapidly becoming an integral part of life. Due to its low incremental cost and the wide availability of voice over IP (VoIP) based services these services being used by nearly everyone. Today there are many VoIP applications available in the market, but most of them lack basic security features. Because people use VoIP services via public hotspots and shared local area networks these VoIP applications are vulnerable to attacks, such as eavesdropping. Today, there is a great need for VoIP applications with high quality security. MiniSIP is an open-source VoIP application platform, initially developed at KTH. High quality security has been a major focus of MiniSIP developments by several students, including the first public implementations of the secure real-time protocol (SRTP) and the Multimedia Key Exchange (MIKEY) protocol. MiniSIP implements secure end-to-end VoIP services. In addition, MiniSIP implements features such as dynamically choosing the most appropriate CODEC during a call, implementing calling policies, etc. However, it suffers from having a complicated GUI that requires the use of many libraries, rendering it both hard to build and hard support – both of which make it unsuitable for commercial purposes. Web browser plug-ins are shared libraries that users install to extend the functionality of their browser. For example, a plug-in can be used to display content that the browser itself cannot display natively. For example, Adobe's reader plugin displays PDF files directly within the web browser. Real Network’s Streaming video player utilizes a browser plug-in to provide support for live video streaming within a web page. Adobe’s Flash player plugin is required to load or view any Flash contents – such as video or animations. The goal of this thesis project is remove the problem of the existing MiniSIP GUIs by developing a Firefox browser plug-in for the MiniSIP application that will utilize a web-browser based GUI. The prototype that will be designed, implemented, and evaluated will implement an open-source VoIP application that is easy for a Firefox browser user to install and will be easy to use via a web interface. The long term goal is to facilitate an ordinary user to utilize VoIP communication via their web browser. A secondary goal is to re-use the code within MiniSIP, while using the web-browser to provide the GUI. / Internettelefoni har snabbt blivit en integrerad del av livet. På grund av dess låga marginalkostnaden och den breda tillgången på Röst över IP (VoIP) tjänster dessa tjänster används av nästan alla. Idag finns det många VoIP-applikationer som finns på marknaden, men de flesta av dem saknar grundläggande säkerhetsfunktioner. Eftersom människor använder VoIP tjänster via offentliga hotspots och delade lokala nätverk dessa VoIP-applikationer är sårbara för attacker, såsom avlyssning. Idag finns det ett stort behov av VoIP-applikationer med hög kvalitet säkerhet. MiniSIP är ett open-source VoIP-program plattform, ursprungligen utvecklats vid KTH. Hög kvalitet säkerhet har varit ett stort fokus på MiniSIP utvecklingen genom att flera studenter, däribland de första offentliga implementeringar av den säkra realtid protokoll (SRTP) och Multimedia Key Exchange (MIKEY) protokollet. MiniSIP implementerar säker början till slut VoIP tjänster. Dessutom genomför MiniSIP funktioner som dynamiskt välja den lämpligaste CODEC under ett samtal, genomföra samtalsstrategier, osv. Men lider den från att ha en komplicerad GUI som kräver användning av många bibliotek, vilket gör det både svårt att bygga och hård stöd - som båda gör det olämpligt för kommersiella ändamål. Webbläsare plug-ins delas bibliotek som användare installerar för att utöka funktionerna i sin webbläsare. Till exempel kan en plug-in kan användas för att visa innehåll som webbläsaren inte själv kan visa inföding. Till exempel visar Adobes Reader plugin PDF-filer direkt i webbläsaren. Real Networks strömmande videospelare använder en plugin-att ge stöd för levande video strömning i en webbsida. Adobe Flash Player plugin krävs för att ladda eller visa en Flash innehåll - såsom video eller animationer. Målet med denna avhandling projektet är bort problemet med befintliga MiniSIP GUI genom att utveckla en Firefox webbläsare plug-in för att MiniSIP programmet som kommer att använda en webbläsare baserad GUI. Prototypen som kommer att utformas, genomföras och utvärderas kommer att genomföra en öppen källkod VoIP-program som är lätt för en Firefox webbläsare användaren att installera och kommer att vara lätt att använda via ett webbgränssnitt. Det långsiktiga målet är att underlätta en vanlig användare att använda VoIP-kommunikation via sin webbläsare. En sekundär målsättning är att återanvända kod i MiniSIP, medan du använder webbläsare för att ge det grafiska gränssnittet.

VoIP

MiniSIP

Firefox plugin

web-browser

VoIP

MiniSIP

Firefox plugin

webbläsare

Communication Systems

Kommunikationssystem

Vers une détection des attaques de phishing et pharming côté client / Defeating phishing and pharming attacks at the client-side

Gastellier-Prevost, Sophie

24 November 2011

Le développement de l’Internet à haut débit et l’expansion du commerce électronique ont entraîné dans leur sillage de nouvelles attaques qui connaissent un vif succès. L’une d’entre elles est particulièrement sensible dans l’esprit collectif : celle qui s’en prend directement aux portefeuilles des Internautes. Sa version la plus répandue/connue est désignée sous le terme phishing. Majoritairement véhiculée par des campagnes de spam, cette attaque vise à voler des informations confidentielles (p.ex. identifiant, mot de passe, numéro de carte bancaire) aux utilisateurs en usurpant l’identité de sites marchands et/ou bancaires. Au fur et à mesure des années, ces attaques se sont perfectionnées jusqu’à proposer des sites webs contrefaits qui visuellement - hormis l’URL visitée - imitent à la perfection les sites originaux. Par manque de vigilance, bon nombre d’utilisateurs communiquent alors - en toute confiance - des données confidentielles. Dans une première partie de cette thèse, parmi les moyens de protection/détection existants face à ces attaques, nous nous intéressons à un mécanisme facile d’accès pour l’Internaute : les barres d’outils anti-phishing, à intégrer dans le navigateur web. La détection réalisée par ces barres d’outils s’appuie sur l’utilisation de listes noires et tests heuristiques. Parmi l’ensemble des tests heuristiques utilisés (qu’ils portent sur l’URL ou le contenu de la page web), nous cherchons à évaluer leur utilité et/ou efficacité à identifier/différencier les sites légitimes des sites de phishing. Ce travail permet notamment de distinguer les heuristiques décisifs, tout en discutant de leur pérennité. Une deuxième variante moins connue de cette attaque - le pharming - peut être considérée comme une version sophistiquée du phishing. L’objectif de l’attaque reste identique, le site web visité est tout aussi ressemblant à l’original mais - a contrario du phishing - l’URL visitée est cette fois-ci elle aussi totalement identique à l’originale. Réalisées grâce à une corruption DNS amont, ces attaques ont l’avantage de ne nécessiter aucune action de communication de la part de l’attaquant : celui-ci n’a en effet qu’à attendre la visite de l’Internaute sur son site habituel. L’absence de signes "visibles" rend donc l’attaque perpétrée particulièrement efficace et redoutable, même pour un Internaute vigilant. Certes les efforts déployés côté réseau sont considérables pour répondre à cette problématique. Néanmoins, le côté client y reste encore trop exposé et vulnérable. Dans une deuxième partie de cette thèse, par le développement de deux propositions visant à s’intégrer dans le navigateur client, nous introduisons une technique de détection de ces attaques qui couple une analyse de réponses DNS à une comparaison de pages webs. Ces deux propositions s’appuient sur l’utilisation d’éléments de référence obtenus via un serveur DNS alternatif, leur principale différence résidant dans la technique de récupération de la page web de référence. Grâce à deux phases d’expérimentation, nous démontrons la viabilité du concept proposé. / The development of online transactions and "always-connected" broadband Internet access is a great improvement for Internet users, who can now benefit from easy access to many services, regardless of the time or their location. The main drawback of this new market place is to attract attackers looking for easy and rapid profits. One major threat is known as a phishing attack. By using website forgery to spoof the identity of a company that proposes financial services, phishing attacks trick Internet users into revealing confidential information (e.g. login, password, credit card number). Because most of the end-users check the legitimacy of a login website by looking at the visual aspect of the webpage displayed by the web browser - with no consideration for the visited URL or the presence and positioning of security components -, attackers capitalize on this weakness and design near-perfect copies of legitimate websites, displayed through a fraudulent URL. To attract as many victims as possible, most of the time phishing attacks are carried out through spam campaigns. One popular method for detecting phishing attacks is to integrate an anti-phishing protection into the web browser of the user (i.e. anti-phishing toolbar), which makes use of two kinds of classification methods : blacklists and heuristic tests. The first part of this thesis consists of a study of the effectiveness and the value of heuristics tests in differentiating legitimate from fraudulent websites. We conclude by identifying the decisive heuristics as well as discussing about their life span. In more sophisticated versions of phishing attacks - i.e. pharming attacks -, the threat is imperceptible to the user : the visited URL is the legitimate one and the visual aspect of the fake website is very similar to the original one. As a result, pharming attacks are particularly effective and difficult to detect. They are carried out by exploiting DNS vulnerabilities at the client-side, in the ISP (Internet Service Provider) network or at the server-side. While many efforts aim to address this problem in the ISP network and at the server-side, the client-side remains excessively exposed. In the second part of this thesis, we introduce two approaches - intended to be integrated into the client’s web browser - to detect pharming attacks at the client-side. These approaches combine both an IP address check and a webpage content analysis, performed using the information provided by multiple DNS servers. Their main difference lies in the method of retrieving the webpage which is used for the comparison. By performing two sets of experimentations, we validate our concept.

Phishing

Pharming

Heuristique

Navigateur web

DNS

Code source html

Web browser

Heuristic

The Onion Name System: Tor-Powered Distributed DNS for Tor Hidden Services

Victors, Jesse

01 May 2015

Tor hidden services are anonymous servers of unknown location and ownership who can be accessed through any Tor-enabled web browser. They have gained popularity over the years, but still suer from major usability challenges due to their cryptographicallygenerated non-memorable addresses. In response to this difficulty, in this work we introduce the Onion Name System (OnioNS), a privacy-enhanced distributed DNS that allows users to reference a hidden service by a meaningful globally-unique veriable domain name chosen by the hidden service operator. We introduce a new distributed self-healing public ledger and construct OnioNS as an optional backwards-compatible plugin for Tor on top of existing hidden service infrastructure. We simplify our design and threat model by embedding OnioNS within the Tor network and provide mechanisms for authenticated denial-of-existence with minimal networking costs. Our reference implementation demonstrates that OnioNS successfully addresses the major usability issue that has been with Tor hidden services since their introduction in 2002.

Tor-enabled web browser

privacy-enhanced distributed DNS

globally-unique verifiable domain name

Computer Sciences