Jackson Develops New Web-Based Security Test Suite
Collin Jackson, assistant research professor at Carnegie Mellon Silicon Valley, has developed a new web-based security test suite in collaboration with Google and UC Berkeley.
Browserscope, a community-driven project for profiling web browsers, tracks browser functionality and serves as a resource for web developers. Its latest launch, a suite of security tests, measures whether a browser supports the JavaScript APIs that allow safe interactions between sites, and whether it follows industry best practices for blocking harmful interactions between sites.
"I'm often asked whether browsers are moving in the right direction
when it comes to security. It's easy to get the impression that new
browser features cause more problems than they solve, if you believe
the media," said Jackson, an expert in the area of browser security and
web applications. "But I think there has actually been a great deal of
progress, and that far from being a catastrophic failure, the web today
is a safer place to do your banking, shopping, and communicating than
ever before. With the release of Browserscope security tests, we can
provide a constructive metric for browser security that will change
perception of web security as well as provide important information for
web developers."
The initial test suite includes tests in secure cross-origin
messaging, cross-site scripting mitigations, execution environment
integrity, and more. Jackson and his collaborators are planning to add
tests for browser encryption and clickjacking mitigations in the near
future.
"Browserscope was created to foster innovation by vendors by making
it easy to compare functionality across browsers. It's also a great
resource for web developers who want to know which browsers can provide
the functionality they need," said Jackson. "The Browserscope security
tests are not there to tell you whether your browser is vulnerable to
the latest buffer overflow exploit that's in the news. Rather, we're
interested in long-term security improvements that can be adopted by
all vendors and make the web a better platform for developing powerful
web applications."
Mustafa Acer, a graduate student in software engineering at the Silicon Valley campus, is working with Jackson as part of his research assistantship program. Acer contributed an execution environment integrity test (JSON hijacking) to the initial release, and he has also submitted the clickjacking test, which will be part of the next release.
"It is an exciting opportunity for me to be a part of this project and
be able to contribute building a safer web platform. Every day, new
security standards are proposed for vendors to adopt and we are trying
to accelerate this adoption process which will have a positive impact
on millions of users," Acer said. "I also found how difficult it is to
write secure software that has such a large user base. There are so
many ways to exploit a feature and few ways to prevent this happening
without putting further restrictions on users."
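As an added illustration (not Browserscope's own test code, which this story does not reproduce), this is how an execution environment integrity check of the kind Acer's JSON hijacking test performs can be written: it asks whether the JavaScript engine still lets a page hook object and array literals, the behaviour that JSON hijacking depended on, and whether a native JSON parser is available so scripts never have to evaluate JSON as code. It runs in Node.js as well as in a browser via `globalThis`; the function names are assumptions for this example.

```javascript
// Added example: execution-environment integrity checks in the spirit of a
// Browserscope JSON hijacking test. Not the project's code; names are assumed.

// Does a setter defined on Object.prototype observe values assigned in an
// object literal? Engines that did this leaked JSON documents loaded as
// script to a third party. ES5+ data-property semantics must keep it false.
function objectLiteralTriggersPrototypeSetter() {
  const key = '__integrity_probe__';
  let leaked = false;
  Object.defineProperty(Object.prototype, key, {
    set() { leaked = true; },
    configurable: true,
  });
  try {
    const probe = { [key]: 1 }; // literal must create an own data property
    return leaked || !Object.prototype.hasOwnProperty.call(probe, key);
  } finally {
    delete Object.prototype[key]; // always undo the probe
  }
}

// Does an array literal call a page-supplied global Array? Older engines did,
// which let a page read every element of a JSON array it included as script.
function arrayLiteralCallsOverriddenConstructor() {
  const original = globalThis.Array;
  let called = false;
  globalThis.Array = function ProbeArray() { called = true; };
  try {
    const probe = [1, 2, 3]; // must use the intrinsic %Array%, not the global
    return called || probe.length !== 3;
  } finally {
    globalThis.Array = original; // restore the real constructor
  }
}

// Is a native parser present, and does it refuse executable input?
function hasSafeJsonParser() {
  const json = globalThis.JSON;
  if (!json || typeof json.parse !== 'function') return false;
  try { json.parse('alert(1)'); return false; } catch (e) { return true; }
}

// Aggregate report: every check must come out the safe way to pass.
function runIntegrityChecks() {
  const report = {
    prototypeSetterLeak: objectLiteralTriggersPrototypeSetter(),
    arrayConstructorLeak: arrayLiteralCallsOverriddenConstructor(),
    nativeJsonParser: hasSafeJsonParser(),
  };
  report.passed = !report.prototypeSetterLeak &&
    !report.arrayConstructorLeak && report.nativeJsonParser;
  return report;
}
```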
Story originally published at: http://www.cmu.edu/silicon-valley/news-events/news/2009/browserscope.html.