UT computer scientists develop ways to make it safer to surf web

Kevin Vu, News Reporter

Hackers have gotten smarter, and in response, UT researchers began work in early October to make browsers safer and less susceptible to attacks from malicious programmers on phony websites.

For the next five years, as part of a $3 million grant from the National Science Foundation, researchers from UT, the University of California San Diego and Stanford University will look into and devise solutions for browsers attacked by hackers with malicious intent, said principal investigator Hovav Shacham.

“Right now, our biggest problem is that attackers have gotten better,” said computer science professor Shacham. “Attackers have understood that they really need to attack browsers. … It’s really mostly in browser exploits. Attackers are winning right now, and that’s a little unfortunate.”

Shacham said attackers are able to harm a user’s browser by exploiting the search engine’s bugs, which can be done through compromised websites. When a user opens a malicious website, it causes their browser to run the attackers’ code, giving the hackers access to a user’s files, Shacham said.

To combat attackers, the researchers will focus on a browser’s JavaScript just-in-time compiler, said Deian Stefan, a computer science and engineering assistant professor at UC San Diego and co-investigator of the project. Stefan said the compiler takes source code and turns it into something a computer can execute and run.

Unlike other compilers, just-in-time compilers interpret the source code in real time while a user is browsing websites, Stefan said. Since the compiler sorts through a lot of code very quickly, Stefan said there could be bugs within the compiler that attackers can take advantage of and input code that wasn’t meant to enter the compiler.

“We started moving onto the JavaScript (just-in-time) engine largely because that’s the biggest attack surface in the browser,” Stefan said. “More commonly in the browser what attackers do is they target the JavaScript (just-in-time) because that’s a big piece of code.”

To make this compiler more secure, the researchers will run formal verification on the compiler, Stefan said. Formal verification gives the browser an extra layer of security and protection because it proves that the compiler and the code it is running are secure, Stefan said.

“Suddenly you can write your code as you would and there’s something checking that you did the right thing,” Stefan said. “It’s essentially having guardrails every time you drive.”

Shacham said the researchers will work with the browser Mozilla Firefox. Shacham said the goal of this project is to make it easier and safer for people to browse the internet without having to worry about whether they will be attacked.

“What motivates me is I want users to be safe online,” Shacham said. “I want, for now, the web platform to be such that people can click on links and not have to think twice about, ‘Is the thing on the other end a watering hole site set up by a foreign government to try to compromise my computer?’”