Tracking information in web applications

Andrei Sabelfeld

Abstract:

This talk discusses a principled approach to web application security through tracking information in web applications. Although the rapid nature of developments in web application technology makes web application security much of a moving target, we show that there are some fundamental challenges and tradeoffs that determine possibilities and limitations of automatically securing web applications. We address challenges related to mutual distrust on the policy side (as in web mashups) and tracking information in dynamic web programming languages (such as JavaScript) to provide a foundation for practical web application security. The talk covers wide ground from fundamental results to practical applications that concern web password meters and the Content Security Policy (CSP).

Bio:

Andrei Sabelfeld is a Professor in the Department of Computer Science and Engineering at Chalmers University of Technology in Gothenburg, Sweden. After receiving his Ph.D. in Computer Science and before joining Chalmers as faculty, he was a Research Associate at Cornell University in Ithaca, NY, USA. His research has developed the link between two areas of Computer Science: Programming Languages and Computer Security. Sabelfeld's article on Language-Based Information-Flow Security is one of the most cited articles in all of Computer Science from 2003.

Time and Place

Monday, March 16, 4:15pm
Gates 463