Foundations and Tools for Client-Side Web Security

Enhancing web security for everyday users

New methods for identifying potential vulnerabilities in web browsers could make the digital world more resilient in the face of mounting cyberattacks.

Cyberattacks represent a violation of human rights that can result in devastating consequences for individuals and society. “Attacks include ransomware that demands payment from users and organisations,” says Browsec project coordinator Matteo Maffei from TU Wien in Austria. “Cyberattacks also target critical infrastructure, while deepfakes that use artificial intelligence to impersonate individuals can deceive victims.” Cyberattackers often take advantage of our extensive use of web browsers. As these browsers evolve, they inevitably become vulnerable to security-critical bugs that can be difficult to detect. “In addition, the security standards built into modern browsers are not fully understood,” adds Maffei. “Cyberattacks try to exploit not just coding bugs but also logical flaws within web standards themselves.”

Browser extensions and code verification techniques

The goal of the European Research Council funded Browsec project was to address these critical issues. This was achieved first by securing the browser’s code and, more importantly, by ensuring that web security standards provide developers and users with rigorous security guarantees. “Our research was built on three fundamental pillars,” explains Maffei. “First, we developed a formal model that defines browser behaviour and interactions with potentially adversarial websites and servers.” This model enabled the team to conduct rigorous tests, uncovering unexpected interactions and revealing potential vulnerabilities. “Second, we recognised that maintaining up-to-date browsers is a significant challenge,” remarks Maffei. “To address this, we created an automated technique to formalise browser behaviour. This was repurposed for security analysis.” The team next developed browser extensions and code verification techniques, designed to collectively enforce rigorous security guarantees in web applications.

Web standards and modern browser security

Browsec has made a significant contribution to web standards and modern browser security. For a start, vulnerabilities discovered through the course of the project have since been disclosed and addressed. “Some of these vulnerabilities stemmed from conceptual issues in web development frameworks used to build nearly all web applications,” adds Maffei. “Thanks to our work, these issues have been resolved.” The team also uncovered various inconsistencies and flaws in web standards, which have been reported to standardisation bodies. Finally, the project’s browser security analysis framework can serve as a solid foundation for studying the security implications of future browser updates.

Web security by design

Thanks to Browsec, web developers now have access to libraries that enable them to write more secure code. Vendors have a framework for testing not only the functionality but also the security of their browsers. Moreover, standardisation bodies now have a framework for formally assessing the security of web standards. “In this way, Browsec has had a profound impact on the security of the entire digital society,” notes Maffei. “Our analysis framework will be updated to keep pace with changes, and we also aim to achieve closer integration with the standardisation process.” For Maffei, a key lesson – and lasting legacy of Browsec – is that formal methods are an effective and practical tool for ensuring web security. “The methods we developed have proven successful not only in identifying bugs but also in influencing the standardisation process,” he says. “This has brought the concept of ‘web security by design’ closer to reality.”

Keywords

Browsec, cyberattacks, digital, web browser, ransomware, deepfakes
