|![[Search]](http://talks.cam.ac.uk/images/search.gif?1209136071)
|![[A-Z Index]](http://talks.cam.ac.uk/images/az.gif?1209136071)
|![[Contact]](http://talks.cam.ac.uk/images/contact.gif?1209136071)
||![[University of Cambridge]](http://talks.cam.ac.uk/images/identifier2.gif?1209136071){kind=small} |
COOKIES: By using this website you agree that we can place Google Analytics Cookies on your device for performance monitoring. | ![[Talks.cam]](http://talks.cam.ac.uk/images/talkslogosmall.gif?1209136071) |
University of Cambridge > Talks.cam > Computer Laboratory Systems Research Group Seminar > FlowWatcher: Preventing Data Disclosure Vulnerabilities in Web Applications
FlowWatcher: Preventing Data Disclosure Vulnerabilities in Web ApplicationsAdd to your list(s) Download to your calendar using vCal
If you have a question about this talk, please contact Eiko Yoneki. Bugs in the authorisation logic of web applications can expose the data of one user to another. Such data disclosure vulnerabilities are common—they can be caused by a single omitted access control check in the application. In this talk I will describe FlowWatcher, an HTTP proxy that mitigates data disclosure vulnerabilities in unmodified web applications. FlowWatcher monitors HTTP traffic and shadows part of an application’s access control state based on a rule-based specification of the user-data-access (UDA) policy. The UDA policy states the intended data ownership and how it changes based on observed HTTP requests. FlowWatcher detects violations of the UDA policy by tracking data items that are likely to be unique across HTTP requests and responses of different users. Our evaluation of a prototype implementation of FlowWatcher as a plug-in for the Nginx reverse proxy shows that, with short UDA policies, it can mitigate CVE bugs in six popular web applications. Short Bio: Dan O’Keeffe is a Post-Doctoral Research Associate in the Large Scale Distributed Systems (LSDS) group at Imperial College London. He holds a PhD in Distributed Systems from the University of Cambridge, and a Bachelor’s Degree in Computer Science from Trinity College Dublin. He also has several years of industrial experience as a software engineer. This talk is part of the Computer Laboratory Systems Research Group Seminar series. This talk is included in these lists:
Note that ex-directory lists are not shown. |
Other listsSt. John's Women's Society Talks Darwin College Science Seminars DAK Group Meetings Statistical Software Training Anatomy Revision The obesity epidemic: Discussing the global health crisisOther talksLarge Scale Ubiquitous Data Sources for Crime Prediction Making a Crowdsourced Task Attractive: Measuring Workers Pre-task Interactions Kiwi Scientific Acceleration on FPGA Anti-scarring therapies for ocular fibrosis A cabinet of natural history: the long-lost Paston collection The Hopkins Lecture 2018 - mTOR and Lysosomes in Growth Control |
Dan O'Keeffe (Imperial College London)
Thursday 05 November 2015, 15:00-16:00