Ensuring Session Integrity in the Browser Environment

Abstract

Over the past decade, web applications have undergone a transformation from a collection of static HTML web pages to complex applications containing dynamic code and rich user interfaces. As the supporting platform for such applications, web browsers execute and manage dynamic and potentially malicious code. However, lack of protection mechanisms in the execution environment provided by web browsers has made various attacks possible that can compromise the integrity of web applications. Various existing solutions are proposed to secure web applications, but they fail to regulate the behaviors of JavaScript code, such as manipulations of the UI elements or communications with web servers. However, such behaviors are key indicators of attacks against web applications. By capturing malicious behaviors exposed by such attacks, we can robustly defeat them. Thus, in this thesis, we focus on fundamental ways to control the behaviors of untrusted code. We develop a line of novel solutions to bring necessary behavior control mechanisms into web browsers, which effectively combat threats to the integrity of web applications. This thesis proposes new solutions for extracting and controlling the behaviors of untrusted code in the execution environment. They provide an effective way to combat integrity problems in web sessions. As shown by evaluation results on detecting and preventing malicious behaviors in web sessions, this thesis shows that the behaviors of untrusted code play an important role in the development of security solutions for ensuring integrity of web sessions. Our evaluation with real-world web applications also demonstrate the practicality, effectiveness, and low-performance overhead of the proposed solutions.