Security and Privacy Policy Bugs in Browser Engines
🐛 PhD defence of Gertjan Franken

On Tuesday 13 February 2024 at 16:00, I will publicly defend my PhD thesis in Arenberg Castle, Heverlee.
You are most welcome to attend the defence and the reception afterwards!

Registration

Please register your attendance by February 6th, here. You can also use this form to indicate whether you would like to receive a printed copy of my dissertation.

For those unable to attend in person, a livestream will be made available here. Please note that this livestream will be managed on a best-effort basis :-)

Practical

The defence will take place in the auditorium located on the first floor of Arenberg Castle (01.07).

Convenient parking is available at Parking Kapeldreef, from which Arenberg Castle is only a 10-minute walk.
You can enter the parking lot with access code 85959#.

Thesis and slides

Abstract

The World Wide Web has become an indispensable part of our daily lives, with web browsers serving as our gateway to a vast array of information and services. However, with each click of the mouse, we expose ourselves to a myriad of attacks and privacy violations. Although we can rely on various client-side countermeasures to protect us, defined by so-called browser policies, any flaw in their implementation could render these safeguards futile. Unfortunately, a comprehensive and flawless policy implementation is anything but straightforward, owing to the intricate nature of browser code bases.

In this dissertation, we address this struggle by applying automated dynamic analyses to various browser policy implementations. To this end, we conducted a comprehensive evaluation of enforced cookie and request blocking policies, revealing numerous bypasses and vulnerabilities and illustrating that even seemingly simple policies are susceptible to implementation flaws. To gain deeper insight into the origins of these flaws, we pinpointed and analyzed the lifecycles of 75 bugs associated with one of the most important browser policies: the Content Security Policy. Drawing from the empirical data, we uncovered various root causes, including the dispersion of policy-enforcing code and the mishandling of bug reports, where sensitive bugs were even publicly disclosed before a fix had landed.

Additionally, we show that these security and privacy issues extend beyond web browsers alone and also affect native applications that embed browser engines, such as EPUB reading systems. By analyzing 97 EPUB applications, we uncovered many vulnerabilities, including the ability for loaded EPUBs to leak files from the user's device. Furthermore, we demonstrate that malicious EPUBs can be distributed through official web stores with minimal effort. Our responsible disclosure to the affected vendors and developers, our contributions to the W3C compliance testbed, and the identification of several specification shortcomings have bolstered the ecosystem's security.