Devdatta Akhawe

(UC Berkeley)

"Towards a Secure Client-side for the Web Platform"

(Vortrag im Rahmen der "MPI Distinguished Lecture Series" in Kooperation mit dem Fachbereich Informatik)

With the tremendous growth in cloud-based services, the web platform is now easily the most widely used application platform. In this talk, I will present work done we have done at Berkeley towards developing a secure client-side for web applications. I will discuss three directions: secure protocols, secure applications and secure user experience.

First, I will present work on providing a formal foundation for web security protocols. We formalize the typical web attacker model and identify broadly applicable security goals. We also identify an abstraction of the web platform that is amenable to automated analysis yet able to express subtle attacks missed by humans. Using a model checker, we automatically identified a previously unknown flaw in a widely used Kerberos-like authentication protocol for the web.

Second, I will present work on improving assurance in client-side web applications. We identify pervasive over-privileging in client-side web applications and present a new architecture that relies on privilege separation to mitigate vulnerabilities. Our design uses standard primitives and enables a 6x to 10000x reduction in the trusted computing base with less than 13 lines modified.

Lastly, I will present the results of a large-scale measurement study to empirically assess whether browser security warnings are as ineffective as popular opinion suggests. We used Mozilla Firefox and Google Chrome's in-browser telemetry to observe over 25 million warning impressions in situ. Our results demonstrate that security warnings can be effective in practice; security practitioners should not dismiss the goal of communicating security information to end users.

Bio: Devdatta is a graduate student at UC Berkeley interested in security of software, with a primary focus on web application security. He is part of Dawn Song's research group at UC Berkeley. Devdatta is also an invited expert on the W3C's Web Application Security Working Group. More details, including how to pronounce his name, are on his homepage: devd.me

Time: Thursday, April 3, 2014 at 10:30 a.m.
Place: MPI-SWS Kaiserslautern, Paul Ehrlich Str., Building G26, room 113
Video: Simultaneous video cast to MPI-SWS Saarbrücken, room 029