MADWeb 2020 Program

Sunday February 23  
8:00am - 7:00pm Registration
8:30am - 8:40am Welcome and Introductory Remarks
8:40am - 9:30am

Abstract: The advent of Single Sign-On (SSO) has ushered in the era of a tightly interconnected Web. Users can now effortlessly navigate the Web and obtain a personalized experience without the hassle of creating and managing accounts across different services. Due to the proliferation of SSO, user accounts in identity providers are now keys to the kingdom and pose a massive security risk. If such an account is compromised, attackers can gain control of the user’s accounts in numerous other web services. In this talk, I will present some of our research on SSO account hijacking. In this work we presented an empirical investigation of the different attacks that are facilitated (or enabled) by SSO, and highlighted the current lack of remediation mechanisms available in third parties that support SSO. I will also frame some of our findings within the seeming discrepancy between user expectations and understanding of SSO functionality, as expressed by users online after the major Facebook hack in 2018. Finally, I will discuss potential future directions and interesting questions that arise from this incident.

9:30am - 10:30am Session 1: Monsters under the Web, and how to defeat them
  Browser-Based Deep Behavioral Detection of Web Cryptomining with CoinSpy
C. Kelton, A. Balasubramanian, R. Raghavendra, M. Srivatsa
  Protecting users from compromised browsers and form grabbers
S. Almasi, W. J. Knottenbelt
10:30am - 11:00am Morning Break
11:00am - 12:30pm Session 2: The art of (self) defense
  Building robust phishing detection system: an empirical analysis
J. Lee, P. Ye, R. Liu, D. Divakaran, C. Choon
  Lessons Learned from SunDEW: A Self Defense Environment for Web Applications
M. Sahin, C. Hebert, A. De Oliveira
  A Few-Shot Practical Behavioral Biometrics Model for Login Authentication in Web Applications
J. Solano, L. Tengana, A. Castelblanco, E. Rivera, C. Lopez, M. Ochoa
12:30pm - 1:30pm Lunch
1:30pm - 3:00pm Session 3: Got Privacy?
  K-resolver: Towards Decentralizing Encrypted DNS Resolution
N.P. Hoang, I. Lin, S. Ghavamnia, M. Polychronakis
  Studying the Privacy Issues of the Incorrect Use of the Feature Policy
B. Kaleli, G. Stringhini, M. Egele
  Cross-Platform Improvement: an Adaptive Method of Browser History Sniffing
A. Huang, C. Zhu, D. Wu, Y. Xie, X. Luo
3:00pm - 3:30pm Afternoon Break
3:30pm - 4:20pm

Abstract: Advertising and content blocking is an important part of improving the privacy, performance and overall-pleasantness of the web. If you're reading this, you almost certainly have a content blocking tool installed. Popular content blocking tools rely on crowdsourced generated filter lists, and while they're demonstrably useful, they also suffer from many shortcomings: (i) they're easily circumvented, (ii) they break websites (and so are overly conservative) and (iii) rely on large numbers of users, and so do not “scale” to parts of the web with fewer users. This last shortcoming is particularly significant because people visiting non-English, non-global-language parts of the web often face higher data costs, and have lower incomes to pay for internet access.

In this talk I will present three research projects from Brave, and how we plan to improve content blocking for all web users. Brave is building the best-of-breed content blocker, both in terms of depth (i.e. blocking types of harmful behaviors other tools miss) and breadth (i.e. providing high quality blocking for users under-served by existing tools).

The research projects discussed in this talk improve advertising and content blocking in three ways. First, I'll present work on identifying privacy-harming scripts, independent of the code unit they're delivered in. This approach allows us to measure how often advertisers evade existing blockers (changing URLs, mixing malicious and benign code, etc.), and to build countermeasures. Second, I'll describe an ML tool for predicting whether a content blocker “breaks” a website, in the subjective evaluation of a browser user. This tool will allow Brave to block aggressively without breaking sites. Third, I'll discuss a method to programmatically generate filter lists for under-served web regions using a novel image classifier and Brave-developed system of deep browser instrumentation called PageGraph.

4:20pm - 5:20pm Session 4: Bots and Anti-bots
  Shepherd: a generic approach to automating website login
H. Jonker, S. Karsch, B. Krumnow, M. Sleegers
  FP-Crawlers: Studying the Resilience of Browser Fingerprinting to Block Crawlers
A. Vastel, W. Rudametkin, R. Rouvoy, X. Blanc
(Best Paper Award)
5:20pm - 5:30pm Concluding Remarks and Best Paper Award
5:30pm - 6:30pm NDSS 2020 Welcome Reception