BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:FlowWatcher: Preventing Data Disclosure Vulnerabilities in Web App
 lications - Dan O'Keeffe (Imperial College London)
DTSTART:20151105T150000Z
DTEND:20151105T160000Z
UID:TALK61010@talks.cam.ac.uk
CONTACT:Eiko Yoneki
DESCRIPTION:Bugs in the authorisation logic of web applications can expose
  the data of one user to another. Such data disclosure vulnerabilities are
  common—they can be caused by a single omitted access control check in t
 he application.\n\nIn this talk I will describe FlowWatcher\, an HTTP prox
 y that mitigates data disclosure vulnerabilities in unmodified web applica
 tions. \nFlowWatcher monitors HTTP traffic and shadows part of an applicat
 ion’s access control state based on a rule-based specification of the us
 er-data-access (UDA) policy. The UDA policy states the intended data owner
 ship and how it changes based on observed HTTP requests. \nFlowWatcher det
 ects violations of the UDA policy by tracking data items that are likely t
 o be unique across HTTP requests and responses of different users. Our eva
 luation of a prototype implementation of FlowWatcher as a plug-in for the 
 Nginx reverse proxy shows that\, with short UDA policies\, it can mitigate
  CVE bugs in six popular web applications.\n\nShort Bio: Dan O'Keeffe is a
  Post-Doctoral Research Associate in the Large Scale Distributed Systems (
 LSDS) group at Imperial College London. \nHe holds a PhD in Distributed Sy
 stems from the University of Cambridge\, and a Bachelor's Degree in Comput
 er Science from Trinity College Dublin. \nHe also has several years of ind
 ustrial experience as a software engineer.\n
LOCATION:FW26\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR