|![[Search]](https://talks.cam.ac.uk/images/search.gif?1209136071)
|![[A-Z Index]](https://talks.cam.ac.uk/images/az.gif?1209136071)
|![[Contact]](https://talks.cam.ac.uk/images/contact.gif?1209136071)
||![[University of Cambridge]](https://talks.cam.ac.uk/images/identifier2.gif?1209136071){kind=small} |
COOKIES: By using this website you agree that we can place Google Analytics Cookies on your device for performance monitoring. | ![[Talks.cam]](https://talks.cam.ac.uk/images/talkslogosmall.gif?1209136071) |
University of Cambridge > Talks.cam > Microsoft Research Cambridge, public talks > Towards Full-Stack Security Analysis of Web Applications
Towards Full-Stack Security Analysis of Web ApplicationsAdd to your list(s) Download to your calendar using vCal
If you have a question about this talk, please contact Microsoft Research Cambridge Talks Admins. This event may be recorded and made available internally or externally via http://research.microsoft.com. Microsoft will own the copyright of any recordings made. If you do not wish to have your image/voice recorded please consider this before attending The Web that we use today relies on a stack of legacy protocols and languages that have evolved over the past few decades under conflicting requirements of flexibility and security. Thus, the high-level security goals of Web applications, such as the confidentiality of user data processed by a website, actually depend on many assumptions on the various protocols involved in the process. Hence, it is equally possible for an attacker to steal this data by exploiting a flaw in the TLS cryptographic protocol, in the browser’s security isolation between websites, or in the authorization logic of the application. The problem can be mitigated by abstracting all the underlying security goals at each layer to consider protocols in isolation: however, we found a large number of abstraction-breaking, cross-layer attacks that demonstrate the limits of this approach in practice. Trying to model these attacks brings to light the need to consider specific interactions between TLS , PKIX/X.509 and HTTP on the network, along with JavaScript and its HTML5 environment in the browser. Moreover, there tends to be a significant gap between the expected security abstractions and the actual guarantees provided by implementations: for our research to have any impact, it is important to stay as close as possible to the code that is really executed. In this talk, I will present some of our efforts towards building practical tools for the compositional security evaluation of Web applications. This talk is part of the Microsoft Research Cambridge, public talks series. This talk is included in these lists:
Note that ex-directory lists are not shown. |
Other listsVHI Seminars Three-dimensional cell culture: Innovations in tissue scaffolds and biomimetic systems Cyber Security Society talks Data Management Roadshow history Cambridge Neuroscience Symposium - Ion Channels in Health and DiseaseOther talksFundamental Limits to Volcanic Cooling and its Implications for Past Climate on Earth Translational Science: using biomarkers to guide clinical development in oncology Filling box flows in porous media My Life in Science Seminar “Publishing in Science: an Inside Look" |
Antoine Delignat-Lavaud
Tuesday 17 February 2015, 10:00-11:00