BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Towards Full-Stack Security Analysis of Web Applications - Antoine
  Delignat-Lavaud
DTSTART:20150217T100000Z
DTEND:20150217T110000Z
UID:TALK57975@talks.cam.ac.uk
CONTACT:Microsoft Research Cambridge Talks Admins
DESCRIPTION:The Web that we use today relies on a stack of legacy protocol
 s and languages that have evolved over the past few decades under conflict
 ing requirements of flexibility and security. Thus\, the high-level securi
 ty goals of Web applications\, such as the confidentiality of user data pr
 ocessed by a website\, actually depend on many assumptions on the various 
 protocols involved in the process. Hence\, it is equally possible for an a
 ttacker to steal this data by exploiting a flaw in the TLS cryptographic p
 rotocol\, in the browser's security isolation between websites\, or in the
  authorization logic of the application. The problem can be mitigated by a
 bstracting all the underlying security goals at each layer to consider pro
 tocols in isolation: however\, we found a large number of abstraction-brea
 king\, cross-layer attacks that demonstrate the limits of this approach in
  practice. Trying to model these attacks brings to light the need to consi
 der specific interactions between TLS\, PKIX/X.509 and HTTP on the network
 \, along with JavaScript and its HTML5 environment in the browser. Moreove
 r\, there tends to be a significant gap between the expected security abst
 ractions and the actual guarantees provided by implementations: for our re
 search to have any impact\, it is important to stay as close as possible t
 o the code that is really executed. In this talk\, I will present some of 
 our efforts towards building practical tools for the compositional securit
 y evaluation of Web applications.
LOCATION:Auditorium\, Microsoft Research Ltd\, 21 Station Road\, Cambridge
 \, CB1 2FB
END:VEVENT
END:VCALENDAR