Our new Faculty: JavaScript analysis expert Aurore Fass
When Aurore Fass decided to go to the American elite university Stanford as a Visiting Assistant Professor two years ago, she had already been planning to return to Germany afterwards. "My wish was to come back to CISPA and start as Faculty, which fortunately worked out. I wanted to go to Stanford, do a lot of research there, learn a lot, make a lot of contacts and bring all that back to CISPA," she says. She particularly enjoyed the close contact she had at Stanford with students whose topics broadened Fass' research horizons, as well as the university's excellent network. "There are a lot of great connections to industry there. For example, we wrote a paper in collaboration with Google and got access to an amazing data set. This research would not have been possible without these connections and access to the data," she continues.
Website infrastructure in the background: JavaScript
Fass has remained true to her research focus on JavaScript (JS), one of the most widely used programming languages for websites. "JS is powering the way websites are built. Over 95% of websites use JS today. It allows websites to be more dynamic and look snappier." As to why dealing with JS is interesting from a web security and privacy perspective, she explains, "There are different scenarios. The first variant is malicious JS code. In this case, the code is trying to compromise the security or privacy of web users. For example, there may be malicious JS code that tries to exploit vulnerabilities in a website. The second possibility is vulnerable JS code. This involves a normal website where developers had good intentions, but which has some vulnerabilities in the code. That means attackers could try to exploit those vulnerabilities to perform malicious activities."
Little helpers with big problems: Browser extensions
A second pillar of their research, which evolved from their involvement with JS, is so-called browser extensions. "In a study, we examined over a hundred thousand browser extensions," Fass recounts. It came out that there are massive security gaps there. In a second step, she turned to the developer’s side. "We contacted 48 developers, but less than 10% responded." This lack of interest on the part of developers has consequences for fixing vulnerabilities in browser extensions: "No one really seems to care, and perhaps developers have no incentive to fix the vulnerabilities," Aurore says. In addition, fixing vulnerabilities can also be challenging from a programming perspective, which Fass says is another hurdle.
User perspective and bias in research
Lastly, Fass looked at the user perspective in her research. "We analyzed how users spend their time on the Internet, which websites they visit," she explains. Her reasoning behind this: the widely used approach in cybersecurity research of working with a top 1000 list of the most visited websites globally has weaknesses. "There is only one global list, which is supposed to be representative of users around the world. In practice, however, there are some biases. For example, the most obvious one is that these global lists do not include the popular websites of individual countries," Fass adds. She found that there are big differences not only between surfing behavior in different countries, but also in terms of different usage on different devices, such as Windows desktops and Android phones. "Because people use these devices differently, we miss everything that happens on smartphones if we only look at websites that people visit on their laptops," she concludes.
Conscious web browsing and a mission
Asked about the extent to which her work has influenced her own surfing behavior, she gives a clear answer: "I often think that, given all the problems with Internet security and privacy, I don't really want to use a computer at all, because so many bad things can happen. Basically, I'm probably a little more careful because I know some of the risks." For example, when entering credit card information or sensitive data, she tries to make sure she really knows a website. "Also, because of my research on browser extensions, I try to avoid them completely," Fass adds. Her motivation for her research is to do something good for society in the process. "I think I'm contributing to making the world or the Internet a safer place," she says. "I like the practical impact of my research and being able to use research results to make the Internet safer. That often happens through startups or corporate collaborations. It's through these types of connections that CISPA brings research results into application."