Oleksii Starov

Integrated TaaS platform for mobile development: architecture solutions

This paper examines the Testing-as-a-Service (TaaS) solutions in mobile development and proposes a universal TaaS platform: Cloud Testing of Mobile Systems (CTOMS). CTOMS is an integrated solution with a core infrastructure that enables the scaling of additional functionalities. The CTOMSs benefits are explained, the architecture of the system is described in detail, and technical solutions are listed based on the feasibility study that resulted in creation of the first version of CTOMS for Android development.

Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions

Users have come to rely on browser extensions to realize features that are not implemented by browser vendors. Extensions offer users the ability to, among others, block ads, de-clutter websites, enrich pages with third-party content, and take screenshots. At the same time, because of their privileged position inside a users browser, extensions have access to content and functionality that is not available to webpages, such as, the ability to conduct and read cross-origin requests, as well as get access to a browsers history and cookie jar. In this paper, we report on the first large-scale study of privacy leakage enabled by extensions. By using dynamic analysis and simulated user interactions, we investigate the leaking happening by the 10,000 most popular browser extensions of Google Chrome and find that a non-negligible fraction leaks sensitive information about the users browsing habits, such as, their browsing history and search-engine queries. We identify common ways that extensions use to obfuscate this leakage and discover that, while some leakage happens on purpose, a large fraction of it is accidental because of the way that extensions attempt to introduce third-party content to a pages DOM. To counter the inference of a users interests and private information enabled by this leakage, we design, implement, and evaluate BrowsingFog, a browser extension that automatically browses the web in a way that conceals a users true interests, from a vantage point of history-stealing, third-party trackers.

Evaluation of t-wise Approach for Testing Logical Expressions in Software

Pair-wise and, more generally, t-wise testing are the most common and powerful combinatorial testing approaches. This paper investigates the effectiveness of the t-wise approach for testing logical expressions in software in terms of its fault detecting capabilities. Effectiveness is evaluated experimentally using special software tools for generating logical expressions and t-wise test cases, simulating faults in expressions, testing faulty expressions, and evaluating effectiveness of the testing. T-wise testing effectiveness is measured in its totality and for specific types of faults; it is then compared with random testing. A detailed analysis of the experimental results is also provided.

No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells

Web shells are malicious scripts that attackers upload to a compromised web server in order to remotely execute arbitrary commands, maintain their access, and elevate their privileges. Despite their high prevalence in practice and heavy involvement in security breaches, web shells have never been the direct subject of any study. In contrast, web shells have been treated as malicious blackboxes that need to be detected and removed, rather than malicious pieces of software that need to be analyzed and, in detail, understood. In this paper, we report on the first comprehensive study of web shells. By utilizing different static and dynamic analysis methods, we discover and quantify the visible and invisible features offered by popular malicious shells, and we discuss how attackers can take advantage of these features. For visible features, we find the presence of password bruteforcers, SQL database clients, portscanners, and checks for the presence of security software installed on the compromised server. In terms of invisible features, we find that about half of the analyzed shells contain an authentication mechanism, but this mechanism can be bypassed in a third of the cases. Furthermore, we find that about a third of the analyzed shells perform homephoning, i.e., the shells, upon execution, surreptitiously communicate to various third parties with the intent of revealing the location of new shell installations. By setting up honeypots, we quantify the number of third-party attackers benefiting from shell installations and show how an attacker, by merely registering the appropriate domains, can completely take over all installations of specific vulnerable shells.

Are You Sure You Want to Contact Us? Quantifying the Leakage of PII via Website Contact Forms

Abstract The majority of commercial websites provide users the ability to contact them via dedicated contact pages. In these pages, users are typically requested to provide their names, email addresses, and reason for contacting the website. This effectively makes contact pages a gateway from being anonymous or pseudonymous, i.e., identified via stateful and stateless identifiers, to being eponymous. As such, the environment where users provide their personally identifiable information (PII) has to be trusted and free from intentional and unintentional information leaks. In this paper, we report on the first large-scale study of PII leakage via contact pages of the 100,000 most popular sites of the web. We develop a reliable methodology for identifying and interacting with contact forms as well as techniques that allow us to discover the leakage of PII towards thirdparties, even when that information is obfuscated. Using these methods, we witness the leakage of PII towards third-parties in a wide range of ways, including the leakage through third-party form submissions, third-party scripts that collect PII information from a first-party page, and unintended leakage through a browser’s Referer header. To recover the lost control of users over their PII, we design and develop Formlock, a browser extension that warns the user when contact forms are using PII-leaking practices, and provides the ability to comprehensively lock-down a form so that a user’s details cannot be, neither accidentally, nor intentionally, leaked to third parties

Testing-as-a-Service for Mobile Applications: State-of-the-Art Survey

The paper provides an introduction to the main challenges in mobile applications testing. In the paper we investigate the state-of-the-art mobile testing technologies and overview related research works in the area. We discuss general questions of cloud testing and examine a set of existing cloud services and testing-as-a-service resources facilitating testing of mobile applications and covering a large range of the specific mobile testing features.

PrivacyMeter: Designing and Developing a Privacy-Preserving Browser Extension.

Anti-tracking browser extensions are popular among web users since they provide them with the ability to limit the number of trackers who get to learn about their browsing habits. These extensions however are limited in that they ignore other privacy signals, such as, the presence of a privacy policy, use of HTTPS, or presence of insecure web forms that can leak PII. To effectively inform users about the privacy consequences of visiting particular websites, we design, implement, and evaluate PrivacyMeter, a browser extension that, on-the-fly, computes a relative privacy score for any website that a user is visiting. This score is computed based on each website’s privacy practices and how these compare to the privacy practices of other pre-analyzed websites. We report on the development of PrivacyMeter with respect to the requirements for coverage of privacy practices, accuracy of measurement, and low performance overhead. We show how relative privacy scores help in interpreting results as different categories of websites have different standards across the monitored privacy parameters. Finally, we discuss the power of crowdsourcing for privacy research, and the existing challenges of properly incorporating crowdsourcing in a way that protects user anonymity while allowing the service to defend against malicious clients.

Hindsight: Understanding the Evolution of UI Vulnerabilities in Mobile Browsers

Much of recent research on mobile security has focused on malicious applications. Although mobile devices have powerful browsers that are commonly used by users and are vulnerable to at least as many attacks as their desktop counterparts, mobile web security has not received the attention that it deserves from the community. In particular, there is no longitudinal study that investigates the evolution of mobile browser vulnerabilities over the diverse set of browsers that are available out there. In this paper, we undertake the first such study, focusing on UI vulnerabilities among mobile browsers. We investigate and quantify vulnerabilities to 27 UI-related attacks---compiled from previous work and augmented with new variations of our own---across 128 browser families and 2,324 individual browser versions spanning a period of more than 5 years. In the process, we collect an extensive dataset of browser versions, old and new, from multiple sources. We also design and implement a browser-agnostic testing framework, called Hindsight, to automatically expose browsers to attacks and evaluate their vulnerabilities. We use Hindsight to conduct the tens of thousands of individual attacks that were needed for this study. We discover that 98.6% of the tested browsers are vulnerable to at least one of our attacks and that the average mobile web browser is becoming less secure with each passing year. Overall, our findings support the conclusion that mobile web security has been ignored by the community and must receive more attention.

Betrayed by Your Dashboard: Discovering Malicious Campaigns via Web Analytics

To better understand the demographics of their visitors and their paths through their websites, the vast majority of modern website owners make use of third-party analytics platforms, such as, Google Analytics and ClickTale. Given that all the clients of a third-party analytics platform report to the same server, the tracking requests need to contain identifiers that allow the analytics server to differentiate between their clients. In this paper, we analyze the analytics identifiers utilized by eighteen different third-party analytics platforms and show that these identifiers enable the clustering of seemingly unrelated websites as part of a common third-party analytics account (i.e. websites whose analytics are managed by a single person or team). We focus our attention on malicious websites that also utilize third-party web analytics and show that threat analysts can utilize web analytics to both discover previously unknown malicious pages in a threat-agnostic fashion, as well as to cluster malicious websites into campaigns. We build a system for automatically identifying, isolating, and querying analytics identifiers from malicious pages and use it to discover an additional 11K live domains that use analytics associated with malicious pages. We show how our system can be used to improve the coverage of existing blacklists, discover previously unknown phishing campaigns, identify malicious binaries and Android apps, and even aid in attribution of malicious domains with protected WHOIS information.