Mike Ter Louw scite author profile

Mike Ter Louw

5Publications

98Citation Statements Received

32Citation Statements Given

How they've been cited

234

How they cite others

Affiliations

Luna Innovations (United States), University of Illinois at Chicago, University of Illinois System

Publications

Order By: Most citations

Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

Louw

Venkatakrishnan

2009

139

View full text Add to dashboard Cite

As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception. User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target websites and confidential user data. In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest.A challenge for these security mechanisms is enabling web applications to accept complex HTML input from users, while disallowing malicious script content. This challenge is made difficult by anomalous web browser behaviors, which are often used as vectors for successful XSS attacks.Motivated by this problem, we present a new XSS defense strategy designed to be effective in widely deployed existing web browsers, despite anomalous browser behavior. Our approach seeks to minimize trust placed on browsers for interpreting untrusted content. We implemented this approach in a tool called BLUEPRINT that was integrated with several popular web applications. We evaluated BLUEPRINT against a barrage of stress tests that demonstrate strong resistance to attacks, excellent compatibility with web browsers and reasonable performance overheads.

show abstract

Enhancing web browser security against malware extensions

2008

View full text Add to dashboard Cite

In this paper we examine security issues of functionality extension mechanisms supported by web browsers. Extensions (or "plug-ins") in modern web browsers enjoy unrestrained access at all times and thus are attractive vectors for malware. To solidify the claim, we take on the role of malware writers looking to assume control of a user's browser space. We have taken advantage of the lack of security mechanisms for browser extensions and implemented a malware application for the popular Firefox web browser, which we call browserSpy, that requires no special privileges to be installed. browserSpy takes complete control of the user's browser space, can observe all activity performed through the browser and is undetectable. We then adopt the role of defenders to discuss defense strategies against such malware. Our primary contribution is a mechanism that uses code integrity checking techniques to control the extension installation and loading process. We describe two implementations of this mechanism: a drop-in solution that employs JavaScript and a faster, in-browser solution that makes uses of the browser's native cryptography implementation. We also discuss techniques for runtime monitoring of extension behavior to provide a foundation for defending threats posed by installed extensions.

show abstract

Extensible Web Browser Security

Louw

Lim

Venkatakrishnan

2007

View full text Add to dashboard Cite

In this paper we examine the security issues in functionality extension mechanisms supported by web browsers. Extensions (or "plug-ins") in modern web browsers enjoy unlimited power without restraint and thus are attractive vectors for malware. To solidify the claim, we take on the role of malware writers looking to assume control of a user's browser space. We have taken advantage of the lack of security mechanisms for browser extensions and have implemented a piece of malware for the popular Firefox web browser, which we call BROWSER-SPY, that requires no special privileges to be installed. Once installed, BROWSER-SPY takes complete control of a user's browser space and can observe all the activity performed through the browser while being undetectable. We then adopt the role of defenders to discuss defense strategies against such malware. Our primary contribution is a mechanism that uses code integrity checking techniques to control the extension installation and loading process. We also discuss techniques for runtime monitoring of extension behavior that provide a foundation for defending threats due to installed extensions.

show abstract

WebAppArmor: A Framework for Robust Prevention of Attacks on Web Applications (Invited Paper)

Venkatakrishnan

Bisht

Louw

et al. 2010

View full text Add to dashboard Cite

SafeScript: JavaScript Transformation for Policy Enforcement

Louw

Phung

Krishnamurti

et al. 2013

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Mike Ter Louw

Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

Enhancing web browser security against malware extensions

Extensible Web Browser Security

WebAppArmor: A Framework for Robust Prevention of Attacks on Web Applications (Invited Paper)

SafeScript: JavaScript Transformation for Policy Enforcement

Contact Info

Product

Resources

About