While web pages sent over HTTP have no integrity guarantees, it is commonly assumed that such pages are not modified in transit. In this paper, we provide evidence of surprisingly widespread and diverse changes made to web pages between the server and client. Over 1% of web clients in our study received altered pages, and we show that these changes often have undesirable consequences for web publishers or end users. Such changes include popup blocking scripts inserted by client software, advertisements injected by ISPs, and even malicious code likely inserted by malware using ARP poisoning. Additionally, we find that changes introduced by client software can inadvertently cause harm, such as introducing cross-site scripting vulnerabilities into most pages a client visits. To help publishers understand and react appropriately to such changes, we introduce web tripwires---client-side JavaScript code that can detect most in-flight modifications to a web page. We discuss several web tripwire designs intended to provide basic integrity checks for web servers. We show that they are more flexible and less expensive than switching to HTTPS and do not require changes to current browsers.

Web content is migrating away from simple hyperlinked documents towards a diverse set of programs that execute within the web browser. Unfortunately, modern browsers do not provide a safe environment for running these web programs. In this paper, we show how current web security threats are symptoms of four key problems in supporting web programs: vague program boundaries, unwanted code, poor isolation, and inconsistent security policies. In response, we introduce abstractions for web programs and program instances, and we present a set of architectural principles to address these fundamental problems.

Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield [Wang et al. 2004]. In this article, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in Web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at runtime. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at runtime. The rewritten pages contain logic for recursively applying runtime checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a general framework that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized runtime actions like vulnerability-driven filtering. We also explore other applications on top of BrowserShield.

Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield. In this paper, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions like vulnerability-driven filtering.

We present practical models for the physical layer behaviors of packet reception and carrier sense with interference in static wireless networks. These models use measurements of a real network rather than abstract RF propagation models as the basis for accuracy in complex environments. Seeding our models requires N trials in an N node network, in which each sender transmits in turn and receivers measure RSSI values and packet counts, both of which are easily obtainable. The models then predict packet delivery and throughput in the same network for different sets of transmitters with the same node placements. We evaluate our models for the base case of two senders that broadcast packets simultaneously. We find that they are effective at predicting when there will be significant interference effects. Across many predictions, we obtain an RMS error for 802.11a and 802.11b of a half and a third, respectively, of a measurement-based model that ignores interference.

We analyze wireless measurements taken during the SIGCOMM 2004 conference to understand how well 802.11 operates in real deployments. We find that the overhead of 802.11 is high, with only 40% of the transmission time spent in sending original data. Most of the remaining time is consumed by retransmissions due to packet losses that are caused by both contention and transmission errors. Our analysis also shows that wireless nodes adapt their transmission rates with an extremely high frequency. We comment on the difficulties and opportunities of working with wireless traces, rather than the wired traces of wireless activity that are presently more common.

Web content now includes programs that are executed directly within a web browser. Executable content, though, creates new reliability problems for users who rely on the browser to provide program services typical of operating systems. In particular, we find that the runtime environments of current browsers poorly isolate applications from one another. As a result, one web application executing within the browser can interfere with others, whether it be through an explicit failure or the excessive consumption of resources. Our goal is to make the browser a safe environment for running programs by introducing an isolation mechanism that insulates one application from the behavior of another. We show how to use OS processes within the browser to safely isolate programs in a way that is both efficient and backwards compatible with existing web sites.

Despite their popularity, modern web browsers do not offer a secure or robust environment for interacting with untrusted content. Today's web users face a variety of threats, including exploits of browser vulnerabilities, interference between web sites, script injection attacks, and abuse of authentication credentials. To address these threats, I leverage an analogy between operating systems and web browsers, as both must run independent programs from multiple sources. My hypothesis is that mechanisms from OS research can improve the security and robustness of modern web browsers. In this report, I propose abstractions and mechanisms to isolate independent web content within the browser, and I propose two separate interposition techniques to support flexible security policies. Combined, these contributions can improve the safety of web browsers, while preserving backwards compatibility and imposing low overhead.

Existing work on understanding 802.11 wireless network behavior has been largely unsatisfactory for practical settings. Widely used simulators rely on unrealistic assumptions about signal propagation, while more detailed radio models are too complex to configure for predicting performance of an actual wireless system. To gain a more accurate understanding of wireless behavior in practice, we use experimentation on a wireless testbed and in controlled settings to effectively characterize packet delivery. We contribute a simple measurement-based model of wireless behavior, supported by empirical observations of relevant physical effects. Our model and observations can be used directly for designing and improving wireless protocols and systems in practice.