TOWARDS SECURE WEB BROWSING ON
MOBILE DEVICES
A Thesis
Presented to
The Academic Faculty
by
Chaitrali Vijay Amrutkar
In Partial Fulfillment
of the Requirements for the Degree
Doctor of Philosophy in
Computer Science
College of Computing
Georgia Institute of Technology
May 2014
Copyright © 2014 by Chaitrali Vijay Amrutkar
TOWARDS SECURE WEB BROWSING ON
MOBILE DEVICES
Approved by:
Professor Patrick Traynor, Advisor, College of Computing, Georgia Institute of Technology
Professor Wenke Lee, College of Computing, Georgia Institute of Technology
Professor Mustaque Ahamad, College of Computing, Georgia Institute of Technology
Dr. Shobha Venkataraman, AT&T Labs – Research
Professor Nick Feamster, College of Computing, Georgia Institute of Technology
Date Approved: December 3rd, 2013
To my parents,
Ujwala and Vijay Amritkar,
for giving their children wings to fly
ACKNOWLEDGEMENTS
The PhD journey is long, strenuous and presents several hurdles along the way. For
a bird to safely reach her destination, her flying skills need to be honed. Maintaining
the right balance, avoiding obstacles and changing direction when necessary is crucial.
I have been fortunate to have a mentor who opened and closed many doors for me
at the right time and guided me through the difficult PhD process. I thank my
advisor, Prof. Patrick Traynor for having faith in me and giving me the freedom to
explore new territories. Prof. Mustaque Ahamad was the first to hire me at Georgia
Tech as a graduate research assistant during my masters’ days. For his guidance
and continuing support through my PhD process, I thank him. More thanks to my
committee members for their valuable feedback and insights: Prof. Wenke Lee for
encouraging me to strive for the best, Dr. Shobha Venkataraman for her guidance
during and after my summer internship at AT&T labs, and Prof. Nick Feamster for
his constructive advice. Special thanks to my collaborators outside Georgia Tech,
Prof. Paul van Oorschot and Kapil Singh whose guidance helped improve my work.
A flight is more fun if taken with others who want to reach similar heights as one’s
own. I had a great team in the CISEC lab with fellow students Italo, Saurabh, Young,
Hank, David, Brad and Chaz. I will always remember the birthdays celebrated in the
lab and hope the celebrations continue. I thank everyone for making the lab a fun
place to work. I grew personally and professionally around everyone. Musheer, Santosh,
Long, Brendan, Vijay, Bharat, and Terry made my days at GTISC memorable.
I thank you all. I also thank Alfreda and Mary Claire for being kind, and taking care
of my caffeine needs and travel reimbursements. Finally, thanks to Adam Allred for
his energetic help in increasing CISEC’s productivity.
Surrounding oneself with friends and laughter is crucial in a PhD. I made some very
close friends at Georgia Tech who became my family away from home. My roommate
Anushree is one of my closest friends today and has stood by me no matter what
the situation. I thank her for all the dance lessons, south Indian food and shopping
sprees. Joon, Srikanth, Sam, Samantha, Arpit; thank you all for the cookouts, movies
and restaurant binges. More thanks to Denise, Catherine and Samantha for being
great colleagues in organizing women@cc events. Rohit and Mihir for the fun times
during masters, Tushar and Hrushikesh for the road trips, Shauvik for the technical
talks, Gauri for making sure I eat, and John and Bertrand for the gala time at AT&T
and sharing the PhD experience since. Finally, Amruta, Sharvari and Prachi, for
being there for me for almost two decades. I hope our childhood bonds never break.
Lastly and most importantly, the bird needed the confidence that she could fly
and that she had the freedom to travel to the place of her choice. My family has been
the most important support system through the PhD process. My parents’ love and
inspiration have been crucial during the lows as well as the highs. They have always
encouraged us children to think on our own, make our own decisions and then take
responsibility for the same, while ensuring us that they will catch us when we fall.
Going forward, I wish to be as hardworking as my dad and be able to garner the
same respect and faith from my colleagues as he garners from his. His astonishing
range of knowledge has always awed us around him. With my dad’s busy schedule,
mom held the fort at home. She juggled a hundred things at once, from looking after
finances to us kids. In many difficult situations, her positivity has kept us all going
forward. She is a strong lady and that inspires me. My brother Chaitanya is carrying
the family tradition forward in the field of medicine. His discipline, clarity in thought,
knowledge and the ability to remain calm under pressure has helped me many times
through my PhD. Thank you for frequently visiting me in the USA and bringing a
piece of home closer. Finally, my fiancé Pushkar has been a pillar of strength through
my PhD. His calm and humble nature, and the ability to inspire others with his own
successes have had a positive impact on me. Discussing life, work and everything
under the sun with him is exhilarating. I know that we have many many happy years
ahead of us. I consider myself fortunate to be surrounded by a loving family and
dedicate this thesis to them. My success is also theirs.
TABLE OF CONTENTS
DEDICATION
ACKNOWLEDGEMENTS
LIST OF TABLES
LIST OF FIGURES
SUMMARY
I INTRODUCTION
1.1 Thesis Statement
1.2 Contributions
1.3 Dissertation Outline
II RELATED WORK
2.1 Web Browser Policies and Attacks
2.1.1 Access Control Policies
2.1.2 Attacks and Defenses
2.1.3 Browser Extensions
2.1.4 Browser Kernels and Operating Systems
2.2 Browser Security Indicators
2.2.1 Ineffective Security Indicators on Desktop Browsers
2.2.2 Improved Security Indicators
2.3 Malicious Webpages
2.3.1 DNS-based Approaches
2.3.2 Content-based and In-depth Inspection Techniques
2.4 The Mobile Web
2.4.1 Native Application Security
2.4.2 Mobile Web Security
III MEASURING SYSTEMIC WEAKNESSES IN MOBILE BROWSER SECURITY
3.1 Introduction
3.2 Overview
3.2.1 Methodology
3.2.2 Threat Model
3.3 User Event Routing
3.3.1 Experimental Evaluation
3.3.2 Attacks
3.3.3 Analysis
3.4 Boundary Control
3.4.1 Experimental Evaluation
3.4.2 Attacks
3.4.3 Analysis
3.5 Top Level Frame Navigation
3.5.1 Attack and Experimental Evaluation
3.5.2 Analysis
3.6 Discussion and Potential Solutions
3.7 Conclusion
3.8 Appendix
IV AN EMPIRICAL EVALUATION OF SSL INDICATORS IN MOBILE BROWSERS
4.1 Introduction
4.2 Background on the W3C Recommendations
4.2.1 Definitions
4.2.2 W3C Guidelines
4.3 Empirical Observations
4.3.1 Identity Signal: Availability
4.3.2 Certificates: Required Content
4.3.3 TLS Indicators
4.3.4 Robustness: Visibility of Indicators
4.3.5 Error Messages
4.4 User Deception and Potential Attacks
4.4.1 Deception Methods
4.4.2 Attacks
4.5 Additional results
4.5.1 The Good
4.5.2 The Bad
4.5.3 The Silent
4.6 Discussion and Concluding Remarks
4.6.1 Discussion
4.6.2 Conclusion
V KAYO: DETECTING MOBILE MALICIOUS WEBPAGES IN REAL-TIME
5.1 Introduction
5.2 Motivation
5.3 Methodology
5.3.1 kAYO Feature Set
5.3.2 Data Collection
5.4 Implementation and Evaluation
5.4.1 Model Selection and Implementation
5.4.2 Evaluation
5.5 Browser Extension
5.6 Discussion
5.6.1 Investigating False Positives
5.6.2 Cross-channel threats
5.6.3 Limitations and Future Work
5.7 Conclusion
VI FUTURE WORK
6.1 Advancing Dialogue on Mobile Browser Security
6.2 Tools for Malicious Mobile Webpage Detection
6.3 Hybrid Mobile Applications
6.4 Unified Permission Systems for Mobile Web Apps
6.4.1 Background
6.4.2 Proposed Architecture
6.4.3 Discussion
VII CONCLUSION
REFERENCES