Advertisement

wraudit: A Tool to Transparently Monitor Web Resources’ Integrity

  • David SalvadorEmail author
  • Jordi CucurullEmail author
  • Pau JuliàEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11308)

Abstract

JavaScript has become the language of reference for programming the client-side logics of web-applications. However, there is no native full support to protect the integrity of this code from modifications conducted by the server where it is hosted. Many election applications, including internet voting solutions, are based on this language. Thus, if the server that hosts the code is compromised, a modified version of the code could be served and some election security properties affected, e.g. voter privacy, vote integrity, and so on. Furthermore, the usage of a Content Delivery Network (CDN) to mitigate Distributed Denial-of-Service (DDoS) attacks on internet voting solutions has been called into question for similar reasons. A malicious administrator of the hosting provider could have the opportunity to modify JavaScript files affecting the web application’s code integrity. In order to tackle this problem, in this article we propose a solution that mitigates those risks by using a service called wraudit that transparently monitors the integrity of the published code. The service design and implementation are presented and the first insights from our experience using it are explained.

Keywords

Web resources JavaScript Code integrity Monitoring tool Experience 

References

  1. 1.
    Web Technology Surveys. https://w3techs.com/technologies/details/cp-javascript/all/all. Accessed 9 July 2018
  2. 2.
  3. 3.
    W3C Subresource Integrity. https://www.w3.org/TR/SRI/. Accessed 9 July 2018
  4. 4.
    Soni, P., Budianto, E., Saxena, P.: The SICILIAN defense: signature-based whitelisting of Web JavaScript. In: ACM Conference on Computer and Communications Security (2015)Google Scholar
  5. 5.
    The Transport Layer Security (TLS) Protocol Version 1.2. https://tools.ietf.org/html/rfc5246. Accessed 9 July 2018
  6. 6.
    Culnane, C., Eldridge, M., Essex, A., Teague, V.: Trust implications of DDoS protection in online elections. In: Krimmer, R., et al. (eds.) E-Vote-ID 2017. LNCS, vol. 10615, pp. 127–145. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-68687-5_8CrossRefGoogle Scholar
  7. 7.
    Alves, R., Belo, O., Lourenço, A.: A heuristic-regression approach to crawler pattern identification on clickstream dataGoogle Scholar
  8. 8.
    Lourenço, A., Belo, O.: Applying clickstream data mining to real-time web crawler detection and containment using clicktips platform. In: Decker, R., Lenz, H.-J. (eds.) Advances in Data Analysis. SCDAKO, pp. 351–358. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-70981-7_39CrossRefGoogle Scholar
  9. 9.
    Tan, P.-N., Kumar, V.: Discovery of web robot sessions based on their navigational patterns. Data Min. Knowl. Discov. 6, 9–35 (2002).  https://doi.org/10.1023/A:1013228602957MathSciNetCrossRefGoogle Scholar
  10. 10.
    Broenink, R.: Using browser properties for fingerprinting purposes. In: 16th biennial Twente Student Conference on IT, Enschede, Holanda, p. 85, January 2012Google Scholar
  11. 11.
    Calzarossa, M.C., Massari, L.: Analysis of header usage patterns of HTTP request messages. In: 2014 IEEE International Conference on High Performance Computing and Communications, 2014 IEEE 6th International Symposium on Cyberspace Safety and Security, 2014 IEEE 11th International Conference on Embedded Software and Syst (HPCC, CSS, ICESS), pp. 847–853. IEEE, August 2014Google Scholar
  12. 12.
    Stassopoulou, A., Dikaiakos, M.D.: A probabilistic reasoning approach for discovering web crawler sessions. In: Dong, G., Lin, X., Wang, W., Yang, Y., Yu, J.X. (eds.) APWeb/WAIM -2007. LNCS, vol. 4505, pp. 265–272. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-72524-4_29CrossRefzbMATHGoogle Scholar
  13. 13.
  14. 14.
    Detecting Chrome headless, new techniques. https://antoinevastel.com/bot%20detection/2018/01/17/detect-chrome-headless-v2.html. Accessed 9 July 2018
  15. 15.
    Cucurull, J., Puiggalí, J.: Distributed immutabilization of secure logs. In: Barthe, G., Markatos, E., Samarati, P. (eds.) STM 2016. LNCS, vol. 9871, pp. 122–137. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-46598-2_9CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Scytl Secure Electronic Voting S.A.BarcelonaSpain

Personalised recommendations