University of Cambridge > Talks.cam > Microsoft Research Cambridge, public talks > Towards Full-Stack Security Analysis of Web Applications

Towards Full-Stack Security Analysis of Web Applications

Add to your list(s) Download to your calendar using vCal

If you have a question about this talk, please contact Microsoft Research Cambridge Talks Admins.

This event may be recorded and made available internally or externally via http://research.microsoft.com. Microsoft will own the copyright of any recordings made. If you do not wish to have your image/voice recorded please consider this before attending

The Web that we use today relies on a stack of legacy protocols and languages that have evolved over the past few decades under conflicting requirements of flexibility and security. Thus, the high-level security goals of Web applications, such as the confidentiality of user data processed by a website, actually depend on many assumptions on the various protocols involved in the process. Hence, it is equally possible for an attacker to steal this data by exploiting a flaw in the TLS cryptographic protocol, in the browser’s security isolation between websites, or in the authorization logic of the application. The problem can be mitigated by abstracting all the underlying security goals at each layer to consider protocols in isolation: however, we found a large number of abstraction-breaking, cross-layer attacks that demonstrate the limits of this approach in practice. Trying to model these attacks brings to light the need to consider specific interactions between TLS , PKIX/X.509 and HTTP on the network, along with JavaScript and its HTML5 environment in the browser. Moreover, there tends to be a significant gap between the expected security abstractions and the actual guarantees provided by implementations: for our research to have any impact, it is important to stay as close as possible to the code that is really executed. In this talk, I will present some of our efforts towards building practical tools for the compositional security evaluation of Web applications.

This talk is part of the Microsoft Research Cambridge, public talks series.

Tell a friend about this talk:

This talk is included in these lists:

Note that ex-directory lists are not shown.

 

© 2006-2024 Talks.cam, University of Cambridge. Contact Us | Help and Documentation | Privacy and Publicity