A graduate seminar: current topics in computer security
 

Archive for the ‘Uncategorized’ Category


Status Update For The Week Ending 10/27/2013

October 27th, 2013 by Tanmay

Project Name: Country by Country Twitter View

Team: Rima, Jack and Tanmay

We have updated our site with the “Status Update For The Week Ending 10/27/2013”.

Please visit: http://twitterview.blogs.rice.edu/2013/10/27/status-update-for-the-week-ending-10272013/

Comp527 Final Project Weekly Report Oct 26 2013

October 27th, 2013 by jz33

Comp527 Final Project Weekly Report Oct 26 2013

Detection & Sanitization of XSS

Jun Zheng (jz33) Chao Zhang (cz15)

Rice University

Overview

For now, our group is focusing on figuring out what exactly XSS is, why XSS defense is so significant and, more importantly, what challenges XSS sanitization faces in real-world industry.

The problem: XSS attacks

XSS enables attackers to inject client-side script to Web pages viewed by other users. XSS may be used by attackers to bypass access controls such as the same origin policy.

For a canonical example, taken from A Systematic Analysis of XSS Sanitization in Web Application Frameworks, consider a blogging Web application that emits untrusted content on its Web pages. If a developer is not careful, an attacker can submit text containing a <script> tag, which may be copied verbatim into the server’s output HTML page. As a result, when a user visits the blog page, the user’s Web browser executes the attacker’s text as script code.

XSS defense

XSS sanitization’s responsibility is to remove dangerous content from untrusted data before it is emitted.

Challenges of XSS sanitization [1]

1. Context Sensitivity

Sanitization for XSS defense needs to know where in the Web application’s output the untrusted content appears, because each output context (HTML body, attribute, JavaScript, URL) needs a different encoding.

2. Nested Contexts

This situation occurs when a string in a Web application’s output is parsed by multiple sub-parsers in the browser, one after another; such a string sits in nested contexts.

3. Browser Transductions

Browsers hand data from one sub-parser to another, and this transduction (for example, the HTML attribute parser decoding entities before passing the value on) can undo sanitization applied on the server.

4. Dynamic Code Evaluation

The chain of parser edges the browser traverses while processing a text can be very long because the browser can dynamically evaluate code. Untrusted content can therefore keep cycling through HTML and JavaScript contexts, so the context of the untrusted content cannot be determined statically.

5. Character-set Issues

Successfully sanitizing a string requires that the sanitizer and the browser agree on the character set.

6. Other challenges, such as MIME-based XSS, Universal XSS and Mashup Confinement

These are not addressed by the sanitization defenses in Web frameworks, so we will not consider them in the final project.
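The following is an added example, not code from the report or from the cited paper, illustrating challenges 1 to 3 with Python’s standard library: the same untrusted value is placed in an HTML text node and in a JavaScript string inside an onclick attribute (a nested context), and a simulated browser applies the attribute parser’s entity decoding (the transduction) before handing the value to a simulated JavaScript string lexer. The function names, the sample payload and the simplified lexer are assumptions made for this illustration.

```python
"""Nested contexts and browser transductions: one HTML escaper is not enough.

Added example; helper names and the sample payload are constructed for
illustration and do not come from the report or the cited paper.
"""
import html
import json

# Untrusted input constructed for this example: it tries to close a
# single-quoted JavaScript string literal and append a statement.
PAYLOAD = "');alert(document.cookie);//"


def escape_html(s: str) -> str:
    """Outer context: HTML text node or double-quoted attribute value."""
    return html.escape(s, quote=True)


def escape_js_string(s: str) -> str:
    """Inner context: the body of a JavaScript string literal.

    json.dumps yields a double-quoted literal with backslash escapes; the
    quotes are stripped, and the characters that matter to the surrounding
    HTML and JS parsers are written as \\uXXXX so that no later HTML entity
    decoding can reconstruct them.
    """
    body = json.dumps(s)[1:-1]
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"),
                    (">", "\\u003e"), ("&", "\\u0026")):
        body = body.replace(ch, esc)
    return body


def js_string_breaks_out(body: str) -> bool:
    """Simulated JS lexer over the text between two single quotes:
    does an unescaped quote terminate the literal early?"""
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2          # a backslash escape consumes the next character
            continue
        if body[i] == "'":
            return True     # literal closed before the template's closing quote
        i += 1
    return False


def browser_attribute_to_js(attr_value: str) -> str:
    """Transduction: the HTML attribute parser decodes entities *before*
    the value of an onclick= attribute reaches the JavaScript parser."""
    return html.unescape(attr_value)


def handler_is_safe(untrusted: str, escapers) -> bool:
    """Render  <a onclick="show('VALUE')">  with the given escaper chain
    (innermost context first) and report whether the JS literal stays intact."""
    value = untrusted
    for esc in escapers:
        value = esc(value)
    js_source = browser_attribute_to_js(value)
    return not js_string_breaks_out(js_source)


def wrong_chain_is_safe(untrusted: str = PAYLOAD) -> bool:
    # Only the outer (HTML) escaper: the entities it produces are undone by
    # the attribute parser, so the quote reaches the JS parser intact.
    return handler_is_safe(untrusted, [escape_html])


def right_chain_is_safe(untrusted: str = PAYLOAD) -> bool:
    # Escape for the innermost parser first (JS string), then for the outer
    # parser (HTML attribute): the reverse of the order the browser parses in.
    return handler_is_safe(untrusted, [escape_js_string, escape_html])


def text_node_is_safe(untrusted: str = "<script>alert(1)</script>") -> bool:
    # Single context: in a text node the HTML escaper alone is sufficient,
    # because the escaped text never reaches a second parser.
    return "<" not in escape_html(untrusted)


if __name__ == "__main__":
    print("HTML escape only, in onclick:", wrong_chain_is_safe())   # False
    print("JS escape then HTML escape  :", right_chain_is_safe())   # True
    print("HTML escape in a text node  :", text_node_is_safe())     # True
```

The order of the escapers is the whole point: the browser parses the outer context (HTML attribute) first and the inner one (JavaScript string) second, so the server must encode for the inner context first and the outer context last, and must use an encoding the outer parser cannot decode back into something dangerous.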

Reference:

[1] A Systematic Analysis of XSS Sanitization in Web Application Frameworks, Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song

 

Flash Player now sandboxed for Safari users running OS X Mavericks

October 24th, 2013 by Zekai

If you rushed to upgrade your Mac to OS X Mavericks, congratulations — you’ve just taken a big step forward in web security. Adobe has confirmed that Flash Player is now sandboxed in Safari for Mavericks users, preventing Flash-based malware from accessing code and resources beyond Apple’s browser. The company is taking special advantage of OS X’s new app sandboxing feature, which also minimizes the security risks for other plugins and programs. Safari is undoubtedly late to the party when Flash has been sandboxed for a while in both Chrome and Firefox, but we won’t knock an upgrade that neuters many potential security exploits.

 

http://www.engadget.com/2013/10/24/flash-player-now-sandboxed-for-safari-users-running-os-mavericks/

Project Update for Week Ending 10/18/13: Country-by-Country Twitter View

October 19th, 2013 by R.Tanash

To view our project update, please follow our blog: http://twitterview.blogs.rice.edu/

Comp527 Final Project Proposal V2

October 16th, 2013 by jz33

Detection & Sanitization of XSS 

Jun Zheng (jz33) Chao Zhang (cz15)

Rice University

  

Introduction

Cross-site scripting (XSS) is a major computer security violation, mostly found in web applications, that allows an attacker to inject malicious client-side scripts, with an impact on the server as well as on the browsers of other users. For instance, if a web page provides the user with a text field, then instead of typing in “plain” strings the attacker could enter JavaScript, CSS styles or DOM markup. If this text field is not sanitized, the typical result is that the attacker could, via the executable code, gain access to secrets on the server or to other important information maintained by the browser on behalf of other users.

Major web application framework vendors provide mechanisms or requirements in their products to protect against XSS. For example, JSP requires the programmer to add “fn:escapeXml()” in front of a string that is intended to be plain text [1]. In Spring, the programmer can set the parameter “defaultHtmlEscape” [2]. And in Django, XSS is guarded against by “auto-sanitization” [3], which is the main focus of our team’s research. explore the protection mechanism (sanitization) against XSS in Django, focusing on.
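To make the escape-on-output idea concrete, here is an added example (a toy written for this proposal, not Django’s or Spring’s code) of a minimal template renderer that auto-escapes every substituted variable by default, lets a template opt out with a `safe` filter, and uses a marker type so that values already marked safe are not escaped twice. The class and function names, the template syntax and the sample values are assumptions for the illustration.

```python
"""A minimal auto-escaping template renderer, in the style of framework
auto-escaping. Added example; not the code of any real framework."""
import html
import re


class SafeString(str):
    """Marker type: the template author asserts this value is already safe HTML."""


def mark_safe(s: str) -> SafeString:
    return SafeString(s)


def escape(value) -> SafeString:
    """Escape unless the value is already marked safe (avoids double escaping).
    The result is marked safe because it has just been escaped."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


# Matches {{ name }} and {{ name|filter }} (filter name optional).
_VAR = re.compile(r"\{\{\s*(\w+)\s*(?:\|\s*(\w+)\s*)?\}\}")


def render(template: str, context: dict, autoescape: bool = True) -> str:
    """Substitute variables into the template.

    Escaping happens at output time, so the raw value can be stored exactly
    as the user typed it; the same stored value is safe in an HTML text node
    whichever template later renders it.
    """
    def substitute(match):
        name, filt = match.group(1), match.group(2)
        value = context[name]
        if filt == "safe":
            value = mark_safe(str(value))       # explicit opt-out by the author
        elif filt is not None:
            raise ValueError(f"unknown filter: {filt}")
        return str(escape(value)) if autoescape else str(value)

    return _VAR.sub(substitute, template)


def contains_script_element(rendered: str) -> bool:
    """Crude check used in the demo: did a <script> start tag survive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Sample untrusted comment body, constructed for this example.
    comment = "<script>alert(document.cookie)</script>"
    page = "<p>Comment: {{ body }}</p>"
    print(render(page, {"body": comment}))                     # escaped
    print(render(page, {"body": comment}, autoescape=False))   # raw, unsafe
    print(render("<p>{{ body|safe }}</p>", {"body": comment})) # raw, unsafe
```

Two properties matter to a reviewer of such a mechanism: the default is the safe branch, so forgetting to escape is no longer the failure mode, and every hole must be opened explicitly (`autoescape=False` or `|safe`), which makes those places easy to find by grep during code review. Note that this escaper is an HTML text-node escaper only; the nested-context problems discussed in the weekly report are outside what it can solve on its own.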

 

Strategy

First, we do research on the analysis of XSS attacks. Two papers by Weinberger [4][5] present very deep research on this topic, and [6] also provides a good summary of existing solutions. Second, given the time limit of this project, our team will mainly focus on Django’s auto-sanitization mechanism: its implementation, backend support, working scope, and limitations. Third, our team will design some assistant programs or plug-ins to detect or scan for possible XSS attack code. A good open-source example is [7].

 

References & Links:

[1] http://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm

[2] http://stackoverflow.com/questions/9111105/spring-mvc-defaulthtmlescape-does-it-work-on-the-way-in-or-out

[3] https://docs.djangoproject.com/en/dev/topics/security/

[4] Weinberger, J., et al., “A Systematic Analysis of XSS Sanitization in Web Application Frameworks”, Springer-Verlag Berlin Heidelberg 2011

[5] Weinberger, J., et al., “An Empirical Analysis of XSS Sanitization in Web Application Frameworks”, Technical Report No. UCB/EECS-2011-11

[6] Bugeja, Joseph, “A Pragmatic Policy-Driven XSS Protection Framework”, master’s thesis, Royal Holloway, University of London, 2011

[7] https://github.com/stamparm/DSXS

Facebook Leaks Info To National Intelligence Agencies

October 16th, 2013 by jz33

SAN FRANCISCO — Facebook Chief Executive Mark Zuckerberg came out swinging on revelations that Internet companies have been turning over users’ information to national intelligence agencies.

“Frankly, I think the government blew it,” Zuckerberg said during an onstage interview at the TechCrunch Disrupt conference in San Francisco.

His point: The U.S. government is not striking the right balance between protecting its citizens from terrorism and protecting their civil liberties.

“They blew it on communicating the balance of what they were going for with this,” Zuckerberg said.

Facebook has been reeling from damaging revelations contained in documents leaked by former national intelligence contractor Edward Snowden that the giant social network and other Internet companies allowed government agencies to tap into users’ information.

Zuckerberg denied giving the government direct access to its servers.

He said his No. 1 job is to protect his users’ personal information (a comment that drew some skeptical reactions on social media).


Facebook on Monday joined a lawsuit pressing the Obama administration to allow it to disclose more details of its forced cooperation. Google and Microsoft filed suit in June.

Zuckerberg plans to travel to Washington, D.C., next week to meet with top Republican lawmakers. The discussion is expected to include NSA leaks and privacy issues.

Zuckerberg’s remarks on the controversy surrounding the NSA leaks came at the tail end of an interview with technology blogger and investor Michael Arrington. Among the subjects Zuckerberg touched on: Bill Gates as a candidate for CEO of Microsoft (“When I was growing up, Bill Gates was my hero”), his new advocacy for immigration reform (Will it pass? “I’m an optimist,” he said), his personal goal for the year (meet at least one person who does not work at Facebook each day) and Yahoo’s new (and not well-liked) logo.

His best line came in response to the prospect of Twitter going public. Facebook, whose stock briefly hit an all-time high Wednesday, had the biggest technology offering on record in May 2012, but it went anything but smoothly.

“I’m kind of the person you would want to ask last about how to make a smooth IPO,” Zuckerberg said.

The only bit of news from the interview: Instagram is coming to the Facebook Home lock screen.

Zuckerberg said he was surprised that Facebook Home has not yet caught on.

“I definitely think Home is slower in rolling out than I would have hoped,” Zuckerberg said.

But, he added: “We are patient and still fully believe that this is something people will want over time.”

Tizen Security Analysis

October 7th, 2013 by dws5

COMP 527 Final Project Research Proposal

Daniel Song and Min Hong Yun

Introduction

The primary focus of the Tizen Framework Security Analysis is to find security vulnerabilities in the Tizen platform using static taint analysis. Excessive dependence on the Android platform raised concern among Samsung management, which led to the creation of their own platform, ‘Tizen’. However, the LiMo-based Tizen smartphone OS has embraced Bada’s Open Services Platform without careful inspection of the overall merged architecture. Our goal is to find anything that violates the Tizen security policy using static taint analysis.

Background

Tizen provides API-level access control so that applications operate safely. Any application that uses sensitive APIs which may lead to a privacy leak must declare its ‘privilege level’ in the manifest file. There are four levels of privilege: Public, Partner, Platform, and one more that is not disclosed. (Even though Samsung developers told us that there are four levels of privilege, only three of them are revealed in the developer documentation.)

  

Tizen API Call Graph

APIs regarded as Public can be used by all Tizen application developers. APIs regarded as Partner can only be used by developers registered as partners on the Tizen store. APIs regarded as Platform are system APIs for managing the Tizen platform. There are a total of 128 privileged APIs that can be invoked by a native application. The privileged APIs are part of the OSP (Bada’s Open Services Platform) library, which calls the C API; the C API in turn calls libc, which ends in a system call. The API call graph is directional, and a layer cannot directly call an API more than one layer beneath it: the OSP library cannot directly call libc, and the C API cannot call the OSP library.

Bad API Call Examples

Goal

Tizen allows both web-based and native applications, which makes it challenging to propose one overall policy that applies to both. For this project, we will focus on native applications. We will first migrate the Tizen source code from the gcc compiler to the LLVM compiler to obtain LLVM bitcode. Then the static taint analysis tool for LLVM bitcode developed by Jisheng Zhao will be used to draw the whole API graph. Finally, the whole API graph will be analyzed to find any violation of the Tizen security policy.
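As an added example (not the proposal’s tool, and not the real Tizen API set), the following Python code shows the two policy checks the proposal describes, run over a small call graph of the kind a bitcode analysis would produce: a layering check that flags calls that skip a layer or go upward (the OSP → C API → libc → syscall rule stated above), and a privilege check that walks the graph from an application’s entry point, collects the privileged APIs it can reach, and compares their required privileges with those declared in the manifest. The function names, layer labels, graph and privilege names are all constructed placeholders.

```python
"""Layering and declared-privilege checks over an API call graph.

Added example for the proposal; the graph, function names, privilege names
and manifest are constructed placeholders, not Tizen's real APIs.
"""
from collections import deque

# Layer order, top to bottom, following the rule described in the proposal.
LAYERS = ["app", "osp", "capi", "libc", "syscall"]
LAYER_INDEX = {name: i for i, name in enumerate(LAYERS)}

# Constructed call graph: function -> (layer, list of callees).
CALL_GRAPH = {
    "app::main":          ("app",     ["osp::Contact::Read", "osp::Net::Send"]),
    "osp::Contact::Read": ("osp",     ["capi::contacts_get"]),
    "osp::Net::Send":     ("osp",     ["capi::socket_write", "libc::write"]),  # skips the C API layer
    "capi::contacts_get": ("capi",    ["libc::read", "osp::Contact::Read"]),   # calls upward into OSP
    "capi::socket_write": ("capi",    ["libc::write"]),
    "libc::read":         ("libc",    ["syscall::read"]),
    "libc::write":        ("libc",    ["syscall::write"]),
    "syscall::read":      ("syscall", []),
    "syscall::write":     ("syscall", []),
}

# Constructed privilege table: privileged API -> privilege it requires.
PRIVILEGED_APIS = {
    "osp::Contact::Read": "contact.read",
    "osp::Net::Send":     "internet",
}


def layering_violations(graph):
    """Return (caller, callee, reason) for every edge that breaks the layering
    rule: a call may stay in its layer or go exactly one layer down."""
    violations = []
    for caller, (layer, callees) in graph.items():
        for callee in callees:
            diff = LAYER_INDEX[graph[callee][0]] - LAYER_INDEX[layer]
            if diff < 0:
                violations.append((caller, callee, "calls upward"))
            elif diff > 1:
                violations.append((caller, callee, "skips a layer"))
    return violations


def reachable_privileged(graph, entry):
    """Breadth-first walk from the entry point; the visited set keeps the
    walk finite even though the constructed graph contains a cycle."""
    seen, queue, found = {entry}, deque([entry]), set()
    while queue:
        fn = queue.popleft()
        if fn in PRIVILEGED_APIS:
            found.add(fn)
        for callee in graph[fn][1]:
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return found


def undeclared_privileges(graph, entry, manifest_privileges):
    """Privileges the app needs (by reachability) but did not declare."""
    required = {PRIVILEGED_APIS[api] for api in reachable_privileged(graph, entry)}
    return required - set(manifest_privileges)


if __name__ == "__main__":
    for caller, callee, reason in layering_violations(CALL_GRAPH):
        print(f"layering: {caller} -> {callee} ({reason})")
    # Constructed manifest: the app declares only contact.read.
    missing = undeclared_privileges(CALL_GRAPH, "app::main", {"contact.read"})
    print("undeclared privileges:", sorted(missing))
```

Reachability is a conservative over-approximation: an app that can reach a privileged API through some path is reported even if that path is never taken at run time, which is the usual trade-off of a static analysis and the reason the proposal pairs it with taint tracking rather than a plain call-graph walk.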

Reference

[1] https://developer.tizen.org/
Our project site is: http://dwscomp527.blogs.rice.edu

Comp527 final project: CyanogenMod Account

October 7th, 2013 by Zekai

Group members: Zekai Gao (zg6), Chengyang Wu (cw36)

CyanogenMod Account is a new “Find My iPhone” style service created by CyanogenMod. We are going to dig into this new feature to see whether the service preserves user privacy.

Here is the link for our blogs: cmaccount.blogs.rice.edu

The proposal of our project is : http://cmaccount.blogs.rice.edu/2013/10/05/comp-527-final-project-proposal/

Here are other references:

1. http://www.cyanogenmod.org/blog/cyanogenmod-account

2. http://www.cyanogenmod.org/docs/privacy

3. https://github.com/CyanogenMod/android_packages_apps_CMAccount

Thank you.

Country-by-Country Twitter view

October 7th, 2013 by jfr2

Country-by-Country Twitter view
Rima Tanash, Jack Reed & Tanmay Thakur

Background

On January 27, 2012, Twitter announced their new “Country-Withheld Content” policy in which Twitter will withhold tweets rather than deleting them in accordance with the policy of the country from which the tweet originated. Twitter currently has the capability to block a tweet from one country while leaving it visible to others [5].

Scope

In this project, our goal is to examine a test Twitter account to see if the home news feed displays the same tweets when viewed from different countries. In this way, we can examine to what extent content is being withheld in these countries.

Steps

Proposed steps to tackle this problem:

1) Identify countries of interest based on the availability of PlanetLab or Tor exit nodes

Current PlanetLabs: Country
The Hebrew University of Jerusalem: Israel/Palestine
Tel Aviv Yaffo College: Israel/Palestine
Jordan University of Science and Technology: Jordan
American University in Cairo: Egypt
American University of Beirut: Lebanon
PlanetLab: India, UK

2) Create a PlanetLab account for our test
3) Create a test Twitter account and follow chatty users from target countries
4) Use a Python wrapper around the Twitter API (for example, https://github.com/bear/python-twitter) to write a program that fetches the most recently posted public Twitter statuses of the targeted users by their Twitter “name” or “id”
5) Run the program from different parts of the world preferably using PlanetLab to fetch news feed periodically and as often as allowed by Twitter
6) Compare the results to see if there are any mismatches
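Step 6 is where the measurement can mislead if done naively, because the snapshots from different vantage points are fetched at different times and so legitimately differ at the newest end. The added example below (not the project’s program; it takes already-fetched status ids as input instead of calling the Twitter API, and assumes, as a labelled assumption, that status ids increase over time) compares only the window of ids that every vantage point has had a chance to see, and reports which ids are missing from each country’s view.

```python
"""Compare per-country snapshots of a user's public statuses.

Added example for step 6 of the proposal. Input is a mapping
country -> list of status ids already fetched from that vantage point;
fetching itself (step 4) is not reproduced here. Assumption: status ids
increase over time, so the oldest and newest id bound what a snapshot saw.
"""

# Constructed sample snapshots (hypothetical ids, not real tweets).
SNAPSHOTS = {
    "US": [101, 102, 103, 104, 105, 106],
    "JO": [101, 102, 104, 105, 106, 107],   # 107 is newer than the US fetch
    "IN": [100, 101, 102, 103, 104, 105, 106],
}


def common_window(snapshots):
    """Id range every vantage point covers: from the newest 'oldest id' to
    the oldest 'newest id'. Ids outside it cannot be compared fairly."""
    lo = max(min(ids) for ids in snapshots.values())
    hi = min(max(ids) for ids in snapshots.values())
    return lo, hi


def withheld_report(snapshots):
    """For each country, the ids inside the common window that some other
    vantage point saw but this one did not (candidates for withheld content)."""
    lo, hi = common_window(snapshots)
    in_window = {c: {i for i in ids if lo <= i <= hi} for c, ids in snapshots.items()}
    union = set().union(*in_window.values())
    return {c: sorted(union - seen) for c, seen in in_window.items()}


def mismatched_countries(snapshots):
    """Countries whose view differs from the union inside the window."""
    return sorted(c for c, missing in withheld_report(snapshots).items() if missing)


if __name__ == "__main__":
    lo, hi = common_window(SNAPSHOTS)
    print(f"comparing ids {lo}..{hi}")
    for country, missing in withheld_report(SNAPSHOTS).items():
        print(f"{country}: missing {missing or 'nothing'}")
```

A missing id is only a candidate: a status can also disappear because the author deleted it or made the account private between fetches, so the project’s comparison should be repeated across several fetch rounds before a difference is attributed to the withholding policy.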

Project Deliverables

1) Examine current Twitter “Country-Withheld Content” policy to understand how it works
2) Examine any available related work in the literature
3) Write a program that fetches public tweets
4) Compare output and summarize results using tables or graphs
5) Produce final written report and references

References:

[1] http://finance.fortune.cnn.com/2011/12/19/saudi-prince-deal-for-twitter-is-a-secondary/
[2] http://venturebeat.com/2012/11/05/new-twitter-policy-for-offending-tweets-withhold-instead-of-remove/
[3] http://en.wikipedia.org/wiki/Cease-and-desist
[4] http://en.wikipedia.org/wiki/Chilling_Effects
[5] https://blog.twitter.com/2012/tweets-still-must-flow
[6] http://www.freedomhouse.org/report/freedom-net/2012/jordan
[7] http://www.policymic.com/articles/13746/sopa-arab-style-jordan-websites-go-dark-to-protest-internet-censorship-bill
[8] http://www.freedomhouse.org/report/freedom-net/2012/bahrain
[9] http://www.chillingeffects.org/weather.cgi?WeatherID=784
[10] http://surveillance.rsf.org/en/bahrain/

Main Project — Add New Feature of Privacy Guard in CyanogenMod

October 7th, 2013 by yl68

Hi Class,

Our Main Project web page is here with Research Proposal posted.

Feel free to visit it and leave comments.

Good Luck with every group!

~ Yijie & Cen Chen