Exploiting extensions capabilities via message passing APIs
Friday, March 22, 2019 at 15:00, Fermat F102, by Doliere Francis Some (Inria INDES)
Browser extensions are third party programs, tightly integrated to browsers, where they execute with elevated privileges in order to provide users with additional functionalities. Unlike web applications, extensions are not subject to the Same Origin Policy (SOP) and therefore can read and write user data on any web application. They also have access to sensitive user information including browsing history, bookmarks, cookies and list of installed extensions.
For security reasons, browser extensions and web applications are executed in separate contexts. Nonetheless, in all major browsers, extensions and web applications can interact by exchanging messages. Through these communication channels, a web application can exploit extension privileged capabilities and thereby access and exfiltrate sensitive user information.
In this work, we analyzed the communication interfaces exposed to web applications by Chrome, Firefox and Opera browser extensions. As a result, we identified many extensions that web applications can exploit to access privileged capabilities. Through extensions’ APIS, web applications can bypass SOP, access user cookies, browsing history, etc. Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users. We discuss countermeasures and proposals, and believe that our study and in particular the tool we used to detect and exploit these threats, can be used as part of extensions review process by browser vendors to help them identify and fix the aforementioned problems in extensions.
Wi-Fi Tracking: Fingerprinting Attacks and Counter-Measures
Friday, March 8, 2019 at 15:00, Fermat F102, by Celestin Matte (Inria INDES)
The recent spread of everyday-carried Wi-Fi-enabled devices (smartphones, tablets and wearable devices) comes with a privacy threat to their owner, and to society as a whole. These devices continuously emit signals which can be captured by a passive attacker using cheap hardware and basic knowledge. These signals contain a unique identifier, called the MAC address. To mitigate the threat, device vendors are currently deploying a countermeasure on new devices: MAC address randomization. Unfortunately, we show that this mitigation, in its current state, is insufficient to prevent tracking.
To do so, we introduce several attacks, based on the content and the timing of emitted signals. In complement, we study implementations of MAC address randomization in some recent devices, and find a number of shortcomings limiting the efficiency of these implementations at preventing device tracking. At the same time, we perform two real-world studies. The first one considers the development of actors exploiting this issue to install Wi-Fi tracking systems. We list some real-world installations and discuss their various aspects, including regulation, privacy implications, consent and public acceptance. The second one deals with the spread of MAC address randomization in the devices population.
Finally, we present two tools: an experimental Wi-Fi tracking system for testing and public awareness raising purpose, and a tool estimating the uniqueness of a device based on the content of its emitted signals even if the identifier is randomized.
Market study of Skini Sequencer
Friday, March 1, 2019 at 15:00, Fermat F102, by Arianna Corvi (Inria INDES)
Have you ever mixed the informatic language with music or ever thought about introducing a new collaborative music tool in the market? This will be the topic of the presentation you will attend on Friday: a summary of the analysis, researches, qualitative and documentary studies carried out in order to position the Skini sequencer in the market.
Tracking the Pixels: Detecting Web Trackers via Analyzing Invisible Pixels
Friday, January 18, 2019 at 15:00, Fermat F102, by Imane Fouad (Inria INDES)
Web tracking has been extensively studied over the last decade. To detect tracking, most of the research studies and user tools rely on consumer protection lists. However, there was always a suspicion that lists miss unknown trackers. In this paper, we propose an alternative solution to detect trackers by analyzing behavior of invisible pixels that are perfect suspects for tracking. By crawling 829,349 webpages, we detect that third-party invisible pixels are widely deployed: they are present on more than 83% of domains and constitute 37.22% of all third-party images. We then propose a fine-grained classification of tracking based on the analysis of invisible pixels and use this classification to detect new categories of tracking and uncover new collaborations between domains on the full dataset of 34,952,217 third-party requests. We demonstrate that two blocking strategies — based on EasyList&EasyPrivacy and on Disconnect lists — each miss 22% of the trackers that we detect. Moreover, we find that if we combine both strategies, 238,439 requests (11%) originated from 7,773 domains that still track users on 5,098 websites.
Ahead-of-time (AOT) JavaScript compilation
Friday, October 26, 2018 at 15:00, Fermat F102, by Manuel Serrano (Inria INDES)
Static compilation, a.k.a., ahead-of-time (AOT) compilation, is an alternative approach to JIT compilation that can combine good speed and lightweight memory footprint, and that can accommodate read-only memory constraints that are imposed by some devices and some operating systems. Unfortunately the highly dynamic nature of JavaScript makes it hard to compile statically and all existing AOT compilers have either gave up on good performance or full language support. We have designed and implemented an AOT compiler that aims at satisfying both. It supports full unrestricted ECMAScript 5.1 plus many ECMAScript 2017 features and the majority of benchmarks are within 50% of the performance of one of the fastest JIT compilers.
JAMScript — A Programming Framework for Cloud of Things
Friday, October 5, 2018 at 10:30, Fermat F321, by Jayanth Krishnamurthy (Inria INDES)
Cloud of Things (CoT) is a new computing paradigm that combines the widely popular Cloud computing with Internet of Things (IoT). Programming CoT brings many interesting challenges as clouds and things have varying capabilities and responsibilities. They are expected to play their predetermined roles even in the combined programming model. In a typical deployment, the Cloud is responsible for heavy data processing operations and long-term, huge data storage; while the things are responsible for sensing data and actuating the control signals from the cloud. In this talk, I present the design of a new programming paradigm, `”JAMScript”, that combines the hugely popular C and JavaScript in an unique distributed computing model that can support both parallel and concurrent computations. The objective of JAMScript is to allow the developers to exploit the heterogeneity of CoT while providing support for fault tolerance and low overhead computing. JAMScript simplifies the task of integrating legacy embedded C programs to the cloud with minimal coding efforts. This was a part of my Masters thesis work at School of Computer Science, Mcgill University, Canada.
