2nd USENIX Conference on Web Application Development ...

More documents

Recommendations

Info

[5] CHENETTE, S. The ultimate deobfuscator. http: //securitylabs.websense.com/content/Blogs/ 3198.aspx, 2008. [6] CHUNG, Y.-J., TOYODA, M., AND KITSUREGAWA, M. Identifying spam link generators for monitoring emerging web spam. In WICOW: Proceedings of the 4th workshop on Information credibility (2010). [7] CISCO IRONPORT. IronPort Web Reputation: Protect and defend against URL-based threat. http://www.ironport.com. [8] CORTES, C., AND VAPNIK, V. Support vector networks. Machine Learning (1995), 273–297. [9] CURL LIBRARY. Free and easy-to-use client-side url transfer library. http://curl.haxx.se/, 1997. [10] DMOZ. Netscape open directory project. http://www. dmoz.org. [11] DNS-BH. Malware prevention through domain blocking. http://www.malwaredomains.com. [12] FETTE, I., SADEH, N., AND TOMASIC, A. Learning to detect phishing emails. In WWW: Proceedings of the international conference on World Wide Web (2007). [13] GARERA, S., PROVOS, N., CHEW, M., AND RUBIN, A. D. A framework for detection and measurement of phishing attacks. In WORM: Proceedings of the Workshop on Rapid Malcode (2007). [14] GEOIP API, MAXMIND. Open source APIs and database for geological information. http://www.maxmind.com. [15] GYÖNGYI, Z., AND GARCIA-MOLINA, H. Link spam alliances. In VLDB: Proceedings of the international conference on Very Large Data Bases (2005). [16] GYONGYI, Z., AND GARCIA-MOLINA, H. Web spam taxonomy, 2005. [17] HOLZ, T.,GORECKI, C., RIECK, K., AND FREILING, F. C. Detection and mitigation of fast-flux service networks. In NDSS: Proceedings of the Network and Distributed System Security Symposium (2008). [18] HOU, Y.-T., CHANG, Y., CHEN, T., LAIH, C.-S., AND CHEN, C.-M. Malicious web content detection by machine learning. Expert Systems with Applications (2010), 55–60. [19] JWSPAMSPY. E-mail spam filter for Microsoft Windows. http: //www.jwspamspy.net. [20] LEE, K., CAVERLEE, J., AND WEBB, S. Uncovering social spammers: social honeypots + machine learning. In ACM SIGIR: Proceeding of the international conference on Research and development in Information Retrieval (2010). [21] MA, J., SAUL, L. K., SAVAGE, S., AND VOELKER, G. M. Beyond blacklists: learning to detect malicious web sites from suspicious URLs. In KDD: Proceedings of the international conference on Knowledge Discovery and Data mining (2009). [22] MA, J., SAUL, L. K., SAVAGE, S., AND VOELKER, G. M. Identifying suspicious URLs: an application of large-scale online learning. In ICML: Proceedings of the International <strong>Conference</strong> on Machine Learning (2009). [23] MCAFEE SITEADVISOR. Service for reporting the safety of web sites. http://www.siteadvisor.com/. [24] MCGRATH, D. K., AND GUPTA, M. Behind phishing: An examination of phisher modi operandi. In LEET: Proceedings of the <strong>USENIX</strong> Workshop on Large-Scale Exploits and Emergent Threats (2008). [25] MOORE, T.,CLAYTON, R., AND STERN, H. Temporal correlations between spam and phishing websites. In LEET: Proceedings of the <strong>USENIX</strong> Workshop on Large-Scale Exploits and Emergent Threats (2009). [26] MOSHCHUK, A., BRAGIN, T., DEVILLE, D., GRIBBLE, S. D., AND LEVY, H. M. Spyproxy: Execution-based detection of malicious web content. In Security: Proceedings of the <strong>USENIX</strong> Security Symposium (2007). 12 [27] NTOULAS, A., NAJORK, M., MANASSE, M., AND FETTERLY, D. Detecting spam web pages through content analysis. In WWW: Proceedings of international conference on World Wide Web (2006). [28] PALANT, W. JavaScript Deobfuscator 1.5.6. https: //addons.mozilla.org/en-US/firefox/addon/ javascript-deobfuscator/, 2011. [29] PHISHTANK. Free community site for anti-phishing service. http://www.phishtank.com/. [30] PRAKASH, P., KUMAR, M., KOMPELLA, R. R., AND GUPTA, M. PhishNet: Predictive Blacklisting to Detect Phishing Attacks. In INFOCOM: Proceedings of the IEEE <strong>Conference</strong> on Computer Communications (2010). [31] PROVOS, N., MAVROMMATIS, P.,RAJAB, M. A., AND MON- ROSE., F. All your iFRAMEs point to us. In Security: Proceedings of the <strong>USENIX</strong> Security Symposium (2008). [32] QUINLAN, J. R. C4.5: Programs for machine learning. Morgan Kaufmann Publishers (1993). [33] RAMACHANDRAN, A., AND FEAMSTER, N. Understanding the network-level behavior of spammers. In SIGCOMM (2006). [34] SHEN, G., GAO, B., LIU, T.-Y., FENG, G., SONG, S., AND LI, H. Detecting link spam using temporal information. IEEE International <strong>Conference</strong> on Data Mining 0 (2006), 1049–1053. [35] T. JOACHIMS. Making large-Scale SVM Learning Practical. Advances in Kernel Methods - Support Vector Learning, B. Scholkopf and C. Burges and A. Smola (ed.). MIT-Press (1999). [36] TREND MICRO. Web reputation query - online system. http: //reclassify.wrs.trendmicro.com/. [37] TSOUMAKAS, G., KATAKIS, I., AND VLAHAVAS, I. Mining Multi-label Data. Data Mining and Knowledge Discovery Handbook, O. Maimon, L. Rokach (Ed.), Springer, <strong>2nd</strong> edition, 2010. [38] TSOUMAKAS, G., KATAKIS, I., AND VLAHAVAS, I. Random k-labelsets for multi-label classification. IEEE Transactions on Knowledge and Data Engineering (2010). [39] WANG, Y.-M., BECK, D., JIANG, X., ROUSSEV, R., VER- BOWSKI, C., CHEN, S., AND KING, S. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In NDSS: Proceedings of the Symposium on Network and Distributed System Security (2006). [40] WHITTAKER, C., RYNER, B., AND NAZIF, M. Large-scale automatic classification of phishing pages. In NDSS: Proceedings of the Symposium on Network and Distributed System Security (2010). [41] WOT. Web of Trust community-based safe surfing tool. http: //www.mywot.com/. [42] WU, B., AND DAVISON, B. D. Cloaking and redirection: A preliminary study. In AIRWeb: Proceedings of the 1st Workshop on Adversarial Information Retrieval on the Web (2005). [43] XIANG, G., AND HONG, J. I. A hybrid phish detection approach by identity discovery and keywords retrieval. In WWW: Proceedings of the international conference on World Wide Web (2009). [44] XIE, Y., YU, F.,ACHAN, K., PANIGRAHY, R., HULTEN, G., AND OSIPKOV, I. Spamming botnets: signatures and characteristics. In SIGCOMM (2008). [45] YANG, Y. An evaluation of statistical approaches to text categorization. Journal of Information Retrieval (1999), 67–88. [46] ZHANG, J., PORRAS, P., AND ULLRICH, J. Highly predictive blacklisting. In Security: Proceedings of the <strong>USENIX</strong> Security Symposium (2008). [47] ZHANG, M.-L., AND ZHOU, Z.-H. A k-Nearest Neighbor based algorithm for multi-label classification. In IEEE International <strong>Conference</strong> on Granular Computing (2005), vol. 2. [48] ZHANG, M. L., AND ZHOU, Z. H. ML-KNN: A lazy learning approach to multi-label learning. Pattern Recognition 40, 7 (July 2007), 2038–2048. [49] ZHANG, Y., HONG, J., AND CRANOR, L. CANTINA: A content-based approach to detecting phishing web sites. In WWW: Proceedings of the international conference on World Wide Web (2007). 136 WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development <strong>USENIX</strong> Association
Maverick: Providing Web Applications with Safe and Flexible Access to Local Devices Abstract Web browsers do not yet provide Web programs with the same safe, convenient access to local devices that operating systems provide to native programs. As a result, Web programmers must either wait for the slowly evolving HTML standard to add support for the device classes they want to use, or they must use difficult to deploy browser plug-ins to add the access they need. This paper describes Maverick, a browser that provides Web applications with safe and flexible access to local devices. Maverick lets Web programmers implement USB device drivers and frameworks, like file systems or streaming video layers, using standard Web programming technologies such as HTML, JavaScript, or even code executed in a native client sandbox. These Web drivers and Web frameworks are downloaded dynamically from Web servers and executed by browsers alongside Web applications. Maverick provides Web drivers with protected access to the USB bus, and it provides Web drivers and frameworks with event-driven IPC channels to communicate with each other and with Web applications. We prototyped Maverick by modifying the Chrome Web browser and the Linux kernel. Using Maverick, we have implemented: several Web drivers, including a USB mass storage driver and a Webcam driver; several Web frameworks, including a FAT16 filesystem and a streaming video framework; and, several Web applications that exercise them. Our experiments show that Web drivers, frameworks, and applications are practical, easy to author, and have sufficient performance, even when implemented in JavaScript. 1 Introduction Web browsers do not yet provide Web programs with the same safe, convenient access to local devices that OSs provide to native programs. Digital devices like cameras, David W. Richardson and Steven D. Gribble Department of Computer Science & Engineering University of Washington printers, scanners, smartphones, and GPS trackers are increasingly pervasive, yet browsers currently provide little support to Web applications for accessing them. The support that does exist is limited to a handful of HTML tags for accessing a small number of common device classes, such as Webcams or microphones. Today, Web programmers that want to use unsupported or exotic local devices must either wait for HTML standards to evolve to include them, or they must implement, deploy, and support browser plug-ins that users may be reluctant to install. Such poor choices limit the functionality of Web applications and discourage the development and adoption of new, interesting local devices. In this paper, we describe Maverick, an experimental browser that gives Web applications safe and flexible access to local USB devices. Maverick takes the aggressive approach of removing the responsibility for managing devices and device frameworks from the host operating system and empowering the browser to execute device drivers and frameworks alongside Web applications. Specifically, instead of requiring users to install USB device drivers into their host OS, Maverick dynamically finds, downloads, and executes Web drivers that are written with standard Web programming technologies like HTML, JavaScript, or Native Client (NaCl) [24], and that directly communicate with the USB devices they drive. Similarly, instead of relying on device frameworks within the host OS, such as file systems or video frameworks, Maverick finds, downloads, and executes Web frameworks to provide Web applications with convenient high-level abstractions. Maverick permits Web applications to communicate directly with Web frameworks, which in turn communicate with Web drivers. Maverick’s approach has several advantages. Web developers can add support for new USB devices and make them immediately accessible to any Maverick user and Web application without waiting for updates to slowly moving standards bodies, browser vendors, or operating systems. Maverick also inherits many of the safety and <strong>USENIX</strong> Association WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development 137
Page 1 and 2:
Proceedings of the 2nd</str
Page 3 and 4:
USENIX Association
Page 5:
WebApps ’11: 2nd
Page 9 and 10:
GuardRails: A Data-Centric Web Appl
Page 11 and 12:
Policy Annotation Only admins can d
Page 13 and 14:
@edit, price, false, :nothing To ma
Page 15 and 16:
tags in the Project description, bu
Page 17 and 18:
String Command Result "foobar".gsub
Page 19 and 20:
Transformation Status Homepage Logi
Page 21 and 22:
Abstract Ioannis Papagiannis Imperi
Page 23 and 24:
Num. of Occurrences Type Wordpress
Page 25 and 26:
Sanitisation htmlentities() functio
Page 27 and 28:
Original expression Transformed exp
Page 29 and 30:
non-tracking code with a simple str
Page 31 and 32:
Direct request vulnerabilities. The
Page 33 and 34:
Abstract Secure Data Preservers for
Page 35 and 36:
e found for a variety of services.
Page 37 and 38:
3.2 Operational View The lifecycle
Page 39 and 40:
it automatically). A user or servic
Page 41 and 42:
given the availability of client-si
Page 43 and 44:
can only be decrypted by the base l
Page 45 and 46:
BenchLab: An Open Testbed for Reali
Page 47 and 48:
2.2. Realistic load generation Real
Page 49 and 50:
virtual machine with the software s
Page 51 and 52:
the Olio calendaring applications (
Page 53 and 54:
able to match Firefox’s optimized
Page 55 and 56:
5.4.1. Local vs remote users We obs
Page 57 and 58:
Resource Provisioning of Web Applic
Page 59 and 60:
in a directed acyclic graph [3]. Th
Page 61 and 62:
accordingly. This is the goal of in
Page 63 and 64:
Although expressing performance pro
Page 65 and 66:
Response time (ms) Response time (m
Page 67 and 68:
Response time (ms) Response time (m
Page 69 and 70:
C3: An Experimental, Extensible, Re
Page 71 and 72:
HtmlParser CssParser IHtmlParser IC
Page 73 and 74:
node during construction. This immu
Page 75 and 76:
public interface IDOMTagFactory { I
Page 77 and 78:
3.2 JS execution Point (2): Runtime
Page 79 and 80:
Extensions IE: Available from C3-eq
Page 81:
extensions for web-scale use. The r
Page 84 and 85:
dangerous permissions. In compariso
Page 86 and 87:
Permission Popular Unpopular Plug-i
Page 88 and 89:
(a) Prevalence of Dangerous permiss
Page 90 and 91:
its functionality to the permission
Page 92 and 93:
y ACCESS COARSE LOCATION. 358 appli
Page 94 and 95: 7 Conclusion This study contributes
Page 96 and 97: 5 discusses the pros and cons of th
Page 98 and 99: the client is free to use them how
Page 100 and 101: data it uses RESTful API which in t
Page 102 and 103: On top of Django we are using a sma
Page 104 and 105: nal design. Moreover, when the whol
Page 106 and 107: [5] The spring framework. http://ww
Page 108 and 109: of strcpy can preclude the introduc
Page 110 and 111: Integer-valued Binary Stored XSS Re
Page 112 and 113: Java Perl PHP Number of programmers
Page 114 and 115: 0 2 4 6 8 10 0 1 2 3 Team Number La
Page 116 and 117: 0 10 20 30 Number of Vulnerabilitie
Page 118 and 119: Automated black-box penetration tes
Page 121 and 122: Abstract Integrating Long Polling w
Page 123 and 124: the Web server, the framework dispa
Page 125 and 126: all() => [Record] filter(condition)
Page 127 and 128: in any future requests associated w
Page 129 and 130: ��
Page 131 and 132: quests to be put to sleep. For exam
Page 133 and 134: Abstract Detecting Malicious Web Li
Page 135 and 136: 3 Discriminative Features Our metho
Page 137 and 138: the total number of unique IPs and
Page 139 and 140: Table 8: Detection accuracy and tru
Page 141 and 142: centraldevideoscomhomensmaduros. bl
Page 143: Web content by executing the conten
Page 147 and 148: must schedule USB messages to provi
Page 149 and 150: priate Web driver. USB events sent
Page 151 and 152: hardware IDs to the browser kernel
Page 153 and 154: PhotoBooth latency JavaScript drive
Page 155 and 156: delegate the higher-level abstracti
show all

2nd USENIX Conference on Web Application Development ...

Create successful ePaper yourself

Delete template?

Save as template?