UW CSE Systems Security Research

Users have become more dependent on the Internet as their primary source of content, data, and software. As a result, threats such as spyware, worms, and "phishing attacks" are eroding the integrity of the Internet as well as users' confidence in their computing platforms. Our research seeks to tackle emerging systems security threats in our increasingly interconnected computing world.

Characterizing Spyware

Our NSDI 2004 paper presented the first quantitative study of the extent of the spyware threat. This study used passive network monitoring at the UW campus border routers to spot traffic associated with four specific spyware programs "phoning home." Any IP address within the campus sending such traffic must be infected with the spyware, providing us with a way of characterizing the number and nature of hosts infected with these programs.

Our NDSS 2006 paper characterizes the spyware threat from a different perspective, namely that of the Web. Using a Web crawler, we examined a large number of executable files and Web pages to look for piggy-backed spyware or drive-by download attacks. Our study revealed some startling statistics, including the fact that approximately 1 in 20 executables on the Web contain spyware. This study also examined trends over time, showing that the number of drive-by downloads has been decreasing substantially. Finally, the study examined drive-by download attacks on the Firefox browser, revealing that they exist but at a significantly lower rate than on the IE browser.

Secure Web browsing

While early Web browsers provided simple access to static hypertext documents, modern browsers serve as de facto operating systems that must manage dynamic and potentially malicious applications. Unfortunately, browsers have not properly adapted to their new role, failing to provide adequate isolation and exposing users and Web services to attack. We have been architecting and implementing the Tahoma "browser operating system" (BOS), a trusted software layer that runs the client-side component of each Web application in its own virtual machine. Tahoma limits the harm that compromised browsers can cause, and it provides Web publishers with mechanisms to control the scope of their Web applications when executed at clients.

In another study, we explore the extent to which homograph attacks take place on the Web, and we describe the design and implementation of a system for defending against them. A homograph is a string of letters that is visually confusable with a different string of letters. A homograph attack attempts to mislead the user by presenting her with a domain name that is visually confusable with a trusted domain name.

Other projects

We have conducted research on a number of additional topics, including the effectiveness of worm detectors in the presence of background Internet noise, and improving the incentive-compatibility of anonymous P2P sharing systems.
