Research article. Open access. DOI: 10.1145/3564625.3567987

DeView: Confining Progressive Web Applications by Debloating Web APIs

Published: 05 December 2022

Abstract

Progressive web applications (PWAs) have become an attractive option for building universal applications on top of feature-rich web Application Programming Interfaces (APIs). While flexible, such vast APIs inevitably bring a significant increase in the API attack surface, which commonly corresponds to functionality that is neither needed nor wanted by the application. A promising approach to reducing the API attack surface is software debloating, a technique in which unused functionality is programmatically removed from an application. Unfortunately, debloating PWAs is challenging, given the monolithic design and non-deterministic execution of a modern web browser. In this paper, we present DeView, a practical approach that reduces the attack surface of a PWA by blocking unnecessary but accessible web APIs. DeView tackles the challenges of PWA debloating with i) record-and-replay web API profiling, which identifies the web APIs needed on an app-by-app basis by replaying recorded browser interactions, and ii) compiler-assisted browser debloating, which eliminates the entry functions of the corresponding web APIs from the mapping between each web API and its entry point in the binary. Our evaluation shows the effectiveness and practicality of DeView. DeView successfully eliminates 91.8% of accessible web APIs while i) maintaining original functionalities and ii) preventing 76.3% of known exploits on average.


      Published In

      ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
      December 2022
      1021 pages
      ISBN: 9781450397599
      DOI: 10.1145/3564625
      This work is licensed under a Creative Commons Attribution International 4.0 License.

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. Browser
      2. Debloating
      3. PWA
      4. Program Analysis
      5. Progressive Web Application
      6. Record-and-Replay
      7. Web APIs

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      ACSAC

      Acceptance Rates

      Overall Acceptance Rate 104 of 497 submissions, 21%


      Article Metrics

      • Total Citations: 0
      • Total Downloads: 951
      • Downloads (Last 12 months): 706
      • Downloads (Last 6 weeks): 78
      Reflects downloads up to 30 Aug 2024
